From b9c1dd419c4121da4e0b3f7cc8e8b4e6cc4c7755 Mon Sep 17 00:00:00 2001
From: Vasile Popescu
Date: Wed, 4 Nov 2020 22:51:40 +0100
Subject: [PATCH] Add an nginx config snippet

---
 README.md      | 4 ++++
 doc/nginx.conf | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 doc/nginx.conf

diff --git a/README.md b/README.md
index bf68ecf..5cd520e 100644
--- a/README.md
+++ b/README.md
@@ -57,3 +57,7 @@ In the above command, `:3456` is the default port where `tty-proxy` listens for connections (i.e. `tty-share` clients), and 5000 is the port of the web interface through which remote users can connect. You can override the defaults by specifying a different port mapping on the command line, e.g. `-p 4567:3456 -p 80:8080` to listen on `4567` and serve on `80`.
+
+## nginx
+
+Take a look at [this snippet](doc/nginx.conf) to see how I configured my nginx installation for TLS termination.
diff --git a/doc/nginx.conf b/doc/nginx.conf
new file mode 100644
index 0000000..96112f2
--- /dev/null
+++ b/doc/nginx.conf
@@ -0,0 +1,62 @@
+# This is not a complete nginx config file, but only some snippets to show how I configured my
+# installation.
+
+# If the stream module is dynamic (nginx -V), then you have to load it manually with
+load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
+# Also, you will probably have to install the stream module separately, if the line above fails when
+# nginx starts. On Fedora, you can do it with `dnf install nginx-mod-stream` and then see its
+# location with `rpm -ql nginx-mod-stream`.
+
+stream {
+ # https://nginx.org/en/docs/stream/ngx_stream_core_module.html#server
+ # the tty-server tcp connection ssl proxy
+ server {
+ listen 4567 ssl so_keepalive=30m::10;
+ proxy_pass localhost:3456;
+ ssl_certificate /etc/letsencrypt/live/on.tty-share.com/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/on.tty-share.com/privkey.pem;
+ }
+}
+
+
+http {
+ # the tty-proxy server (tty-proxy) address
+ upstream tty-proxy {
+ server localhost:9000;
+ keepalive 12; # number of connections to keep alive even if idle, if they are opened
+ }
+
+ # on.tty-share.com
+ server {
+ listen 80;
+ server_name on.tty-share.com;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl;
+ server_name on.tty-share.com;
+ access_log /var/log/nginx/tty-proxy.access.log proxy_log_format;
+
+ # https://stackoverflow.com/questions/19769072/nginx-times-out-exactly-after-60-seconds?rq=1
+ # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout
+ proxy_send_timeout 1600;
+ proxy_read_timeout 1600;
+
+ location / {
+ proxy_pass http://tty-proxy;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+
+ # TODO: use the rigth certificates here
+ ssl_certificate /etc/letsencrypt/live/on.tty-share.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/on.tty-share.com/privkey.pem;
+ }
+}
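Review bot: The WebSocket upgrade in `location /` will not work as written, because the `Upgrade`/`Connection` headers are only passed through to the upstream over HTTP/1.1 and the hunk never sets `proxy_http_version 1.1;` (nginx defaults to 1.0 for proxied requests). Sending `Connection "Upgrade"` on every request also defeats the `keepalive 12;` pool declared in the `tty-proxy` upstream, which needs an empty `Connection` header on ordinary requests; the usual fix is a `map` on `$http_upgrade` so the value is `upgrade` only for handshake requests, as sketched below. The `access_log` line refers to a `proxy_log_format` that is not defined anywhere in the snippet; since the file says it is only excerpts, a comment saying where that `log_format` is declared would save a reader a failed `nginx -t`. Neither `ssl` server sets `ssl_protocols`, so whatever the nginx build's default allows (TLS 1.0/1.1 on older builds) stays enabled; adding `ssl_protocols TLSv1.2 TLSv1.3;` to both the stream and the http server would make the termination setup safer to copy. The TODO near the end of the file also reads `rigth`.
```nginx
# inside http { … }: pick the upstream Connection value from the client's Upgrade header,
# "upgrade" for WebSocket handshakes and empty (keepalive-friendly) otherwise
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      '';
}

# … unchanged: upstream tty-proxy, port-80 redirect server, listen 443 ssl …
ssl_protocols TLSv1.2 TLSv1.3;

# … unchanged: server_name, access_log, timeouts …
location / {
    proxy_pass http://tty-proxy;
    proxy_http_version 1.1;
    # … unchanged: proxy_redirect and the X-* headers …
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
}
```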