template.conf

upstream routers.${SERVER_NAME} {
    # Nodes 1 and 2 both run HA-Proxy
    server node01.openshift.develop.com:443 fail_timeout=0;
    server node02.openshift.develop.com:443 fail_timeout=0;
}


server {
    listen 8443 ssl default_server;
    listen [::]:8443 ssl default_server;

    server_name  ${SERVER_NAME};

    ssl on;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_certificate    /etc/nginx/certs/${SERVER_NAME}.crt;
    ssl_certificate_key /etc/nginx/certs/${SERVER_NAME}.key;
    ssl_session_cache shared:SSL:10m;
    ssl_client_certificate /etc/nginx/certs/trusted-ca-signers.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-SSL-CERT $ssl_client_cert;

        proxy_redirect off;
        proxy_connect_timeout      240;
        proxy_send_timeout         240;
        proxy_read_timeout         240;

        proxy_pass       https://routers.${SERVER_NAME};

        ## commented out these two configes because we do not have a client cert between nginx and openshift (yet)
        # proxy_ssl_certificate    /etc/nginx/certs/cert.crt;
        # proxy_ssl_certificate_key /etc/nginx/certs/cert.key;

        proxy_ssl_trusted_certificate /etc/nginx/certs/ha-proxy-cert.cer;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_ssl_session_reuse on;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location /test/ {
        root /www;
    }

}