nginx-deployed.conf

user                gitstream gitstream;
worker_processes    auto;
error_log           /var/log/nginx/gitstream_error.log;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type text/html;

    gzip on;
    gzip_types *;


    # redirect to https
    server {
        listen          80;
        location /repos {
            proxy_pass  http://node;
        }

        location /go {
            proxy_pass http://node;
        }

        location /hooks {
            proxy_pass http://node;
        }

        location / {
            return      301 https://$server_name$request_uri;
        }
    }

    ssl_certificate /etc/letsencrypt/live/gitstream.mit.edu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gitstream.mit.edu/privkey.pem; # managed by Certbot

    ###
    ### the SSL configuration below was generated by
    ### https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ### with settings Nginx, Intermediate
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #ssl_dhparam /etc/ssl/certs/dhparam.pem;

        # modern configuration. tweak to your needs.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
   
    server {
        listen 443          ssl;
        server_name         gitstream.mit.edu;
        keepalive_timeout   70;
        access_log          /var/log/nginx/gitstream_access.log;


        # no longer using client certs to authenticate 
        # ssl_client_certificate /etc/ssl/certs/mit-client.pem;
        # ssl_verify_client on;
        # proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;

        root    /opt/gitstream/dist/client;
        index   index.html;

        location /auth {
            proxy_pass http://node;
        }

        location /login {
            proxy_pass http://node;
        }
        
        location /user {
            proxy_pass http://node;
        }

        location /events {
            proxy_pass http://node;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    ssl_certificate /etc/letsencrypt/live/gitstream.mit.edu/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/gitstream.mit.edu/privkey.pem; # managed by Certbot

}

    upstream node {
        server localhost:4242;
    }
}