@@ -0,0 +1,70 @@
http {
include mime.types;
# application/octet-stream is chosen as a safe default here but many systems
# are likely to expect text/plain or similar.
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# Sample Reverse proxy without any TLS support
server {
listen 80;
server_name localhost;
location / {
# The root directive here should have no effect given all requests
# will be forwarded to the verse sever via the unix (or http) socket
# with the uwsgi_pass directive. It's included here as an example
# and as a defensive directive to prevent unintentional disclosures.
root /srv/http/verse/public_html;
# The params are required by verse and are documented in that file
include uwsgi_params;
uwsgi_pass unix:///tmp/verse.sock;
}
# Using verse with a unix socket via the uwsgi protocol and zwsgi (built
# into verse) is the recommended way, but using an http proxy is also an
# option.
# location / {
# proxy_pass http://localhost:8080;
# }
# Verse can serve static files; but it's often better to serve them
# directly from a reverse proxy when it's avalible.
location /static {
root /srv/http/verse/public_html/static;
}
}
# HTTPS and mTLS example
# Important note: this configuration is an example and makes no direct
# recommendation. It's important to understand and consider the security
# implications of the TLS configuration choices here.
server {
listen 443 ssl;
server_name localhost;
# This is the ssl cert used to identify the server to the client. If
# you're using a self signed cert (i.e. for localhost) it can be the
# same cert/key used to verify clients. If you're using publicly signed
# keys (e.g. from an ACME provider like Let's Encrypt) this may be
# different from the cert/key used to sign and verfiy clients.
ssl_certificate server-mtls-cert.pem;
ssl_certificate_key server-mtls-key.pem;
# mTLS cert used to sign and verify clients.
ssl_client_certificate server-mtls-cert.pem;
# There are other mTLS verification modes available. Care must be
# taken to select the correct one for a given use case when being used
# as a security control. The least restrictive option is used here as an
# example to be compatable with a localhost with self-signed cert.
ssl_verify_client optional_no_ca;
location / {
root /srv/http/verse/public_html;
include uwsgi_params;
uwsgi_pass unix:///tmp/verse.sock;
}
location /static {
root /srv/http/verse/public_html/static;
}
}
}