"localhost", , :

# This configuration provides strong SSL security on the nginx webserver. We do
# this by disabling SSL Compression to mitigate the CRIME attack, disable SSLv3
# and because of vulnerabilities in the protocol and we will set up a strong
# ciphersuite that enables Forward Secrecy when possible. We also enable HSTS and
# HPKP. This way we have a strong and future proof ssl configuration and we get
# an A on the Qually Labs SSL Test.
#
# This configuration passes all the requests to a Meteor server.  In order for
# this to work you have to ensure that Meteor does NOT implement force-ssl.

# Enables or disables emitting nginx version in error messages and in the Server
# response header field.
server_tokens off;

# This turns a connection between a client and server from HTTP/1.1 into a WebSocket,
# the protocol switch mechanism available in HTTP/1.1 is used.  In this implementation
# the Connection header field in a request to the proxied server depends on the
# presence of the Upgrade field in the client request header.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Nginx upstream services.  Nginx connects to nodejs on the IPv6 loopback [::1] and so
# you must specify the IP address here or nodejs will just listen on IPv4.
upstream meteor-server {
    server 127.0.0.1:8080;
}

# HTTP.  This is not the default server and will redirect all the calls
# to the https server.
server {
    # Listen on port 80 for ipv4 traffic and on [::]:80 for ipv6 traffic
    listen 80;
    listen [::]:80 ipv6only=on;

    # File paths - these are ignored.  The path is specific for nginx on Ubuntu.
    root /usr/share/nginx/html/;
    index index.html index.htm;

    # The domain on which we want to host the application.
    server_name <your server>;

    # Redirect non-SSL to SSL
    location / {
        rewrite     ^ https://$server_name$request_uri? permanent;
    }
}

# HTTPS.  This is the default server.
server {
    # Listen on port 443 for ipv4 traffic and on [::]:443 for ipv6 traffic.
    # This is the default server
    listen 443 ssl spdy;
    listen [::]:443 ssl spdy ipv6only=on;

    # File paths - these are ignored.  The path is specific for nginx on Ubuntu.
    root /usr/share/nginx/html/;
    index index.html index.htm;

    # The domain on which we want to host the application.
    server_name <your server>;

    # Full path to SSL Certificate and CA Certificate concatenated together
    ssl_certificate /etc/nginx/ssl/server.crt;

    # Full path to SSL Key
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the
    # client preference is used. If this directive is enabled, the server's
    # preference will be used instead.
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # The ciphers
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';

    # This is for backwards compatibility with IE6/WinXP
    #ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

    # SSL Protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Online Certificate Status Protocol (OCSP) stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # Enforce the use of the Google DNS servers to resolve addresses
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # Forward Secrecy & Diffie Hellman Ephemeral Parameters
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS)
    # connections to the server. This reduces impact of bugs in web applications
    # leaking session data through cookies and external links and  defends against
    # Man-in-the-middle attacks. HSTS also disables the ability for user to ignore
    # SSL negotiation warnings (ssl stripping). See: https://developer.mozilla.org/en-US/docs/Security/
    # and https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security max-age=63072000;

    # Provides for Clickjacking protection by denying the ability of the browser to
    # render a page in a <frame>, <iframe> or <object>.
    add_header X-Frame-Options DENY;

    # This prevents Internet Explorer and Google Chrome from MIME-sniffing a response
    # away from the declared content-type.
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into most
    # recent web browsers. It usually enabled by default anyway.
    add_header X-XSS-Protection 1;

    # If your application is not compatible with IE <= 10, this will redirect visitors to
    # a page advising a browser update. This works because IE 11 does not present itself as
    # MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

    # Handle the root route.  This will pass everything onto the Meteor
    # server.
    location / {
        # Pass upstream
        proxy_pass http://meteor-server;

        # Socket.IO Support (WebSockets)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_upgrade;

        # This ensure that the Host header that the client sent nginx is
        # sent on to the backend
        proxy_set_header Host $host;

        # Defines conditions under which the response will not be taken from a cache.
        proxy_cache_bypass $http_upgrade;

        # This provides the real client IP rather than the one from the nginx proxy system.
        # This is very useful for logging etc.
        proxy_set_header X-Real-IP $remote_addr;

        # This is similar to X-Real-IP, but provides added connection source entries
        # for the entire chain of proxies the connection passed through.
        proxy_set_header X-Forwarded-For $remote_addr;

        # A de facto standard for identifying the originating protocol of an HTTP request,
        # since a reverse proxy may communicate with a web server using HTTP even if the
        # request to the reverse proxy is HTTPS.
        proxy_set_header X-Forwarded-Proto $scheme;

        # This simply acts as as a marker that the proxy is used.  It not really needed.
        proxy_set_header X-NginX-Proxy true;

        # Sets the text that should be changed in the Location and Refresh header
        # fields of a proxied server response.
        proxy_redirect off;

        # This setting allows the browser to cache the application in a way compatible with Meteor
        # on every application update the name of CSS and JS file is different, so they can be cache
        # infinitely (here: 30 days). The root path (/) MUST NOT be cached
        if ($uri != '/') {
            expires 30d;
        }
    }
}