From 469fcbcbe8a007140be8c8708529bb07da900a17 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Fri, 4 Jul 2025 09:21:57 +0200
Subject: [PATCH] TLS SNI: Use proxy protocol
---
 hosts/tls_sni.nix | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/hosts/tls_sni.nix b/hosts/tls_sni.nix
index be9ce62..b870e92 100644
--- a/hosts/tls_sni.nix
+++ b/hosts/tls_sni.nix
@@ -9,7 +9,7 @@ } upstream rupert { - server rupert.gvfr.de:443; + server rupert.gvfr.de:4431; } upstream localserv {
@@ -18,16 +18,42 @@ server { listen 443; + ssl_preread on; # proxy_connect_timeout 1s; # proxy_timeout 3s; # resolver 1.1.1.1; proxy_pass $target_backend; - ssl_preread on; + proxy_next_upstream off; + + proxy_protocol on; } ''; - defaultSSLListenPort = 4431; + defaultListen = [ { addr = "0.0.0.0"; port = 80; ssl = false; } { addr = "[::0]"; port = 80; ssl = false; } { addr = "0.0.0.0"; port = 4431; ssl = true; proxyProtocol = true; } { addr = "[::0]"; port = 4431; ssl = true; proxyProtocol = true; } ]; }; }
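Review bot: Only `upstream rupert` is moved to the proxy-protocol port 4431 here, but the second hunk enables `proxy_protocol on;` at server level in the stream block, so the PROXY header is prepended for every `proxy_pass` target, including `upstream localserv`, whose `server` line lies outside this hunk. If localserv still names a plain `:443` TLS listener, nginx will send a PROXY v1 line ahead of the raw ClientHello and that backend's handshake will fail. Either point localserv at a `proxy_protocol`-enabled listener as well, or add a comment above the upstreams such as `# every upstream here must terminate on a proxy_protocol listener: proxy_protocol is set server-wide below`.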
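Review bot: The new `port = 4431; ssl = true; proxyProtocol = true;` entries in `defaultListen` make nginx accept a PROXY header from whichever peer connects, yet nothing in this change restricts who may send one: the listeners bind `0.0.0.0` and `[::0]`, the rupert backend is reached over the network by public name (`rupert.gvfr.de:4431` in the first hunk), and no `set_real_ip_from`/`real_ip_header` directive appears. If 4431 is reachable from anything other than the SNI proxy, any client can forge the source address that ends up in `$proxy_protocol_addr` and hence in logs and any IP-based access rules; and without `real_ip_header proxy_protocol;` the forwarded address is not applied to `$remote_addr` at all, which still shows the proxy. I would set, presumably in the same `services.nginx` attribute set, `commonHttpConfig = ''real_ip_header proxy_protocol; set_real_ip_from <address of the SNI proxy host>;'';` and confirm that the firewall limits 4431 to that same address (the firewall configuration is not visible here).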