jenkins-docker/nginx-proxy/jenkins-cert-auth.conf - gerrit-ci-scripts - Git at Google

 map $ssl_client_s_dn $ssl_client_s_dn_cn {
     default "anonymous";
     ~CN=(?<CN>[^/]+) $CN;
 }

 server {
     listen 443 ssl;
     server_name gerrit-ci-secure.gerritforge.com;

     ssl_certificate /etc/ssl/certs/cert.crt;
     ssl_certificate_key /etc/ssl/certs/cert.key;

     ssl_session_cache builtin:1000 shared:SSL:10m;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
     ssl_prefer_server_ciphers on;

     ssl_client_certificate /etc/ssl/certs/auth_ca.crt;
     ssl_verify_client on;

     ssl_session_timeout 5m;

     location / {
         sendfile off;
         proxy_http_version 1.1;

         proxy_pass http://jenkins:38080;
         proxy_redirect http://jenkins:38080 https://gerrit-ci.gerritforge.com;

         proxy_set_header Authorization "";
         proxy_set_header X-Forwarded-User $ssl_client_s_dn_cn;

         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Host $host:$server_port;
         proxy_set_header X-Forwarded-Server $host;
         proxy_set_header X-Forwarded-Proto $scheme;

         proxy_max_temp_file_size 0;

         proxy_connect_timeout 90;
         proxy_send_timeout 90;
         proxy_read_timeout 90;

         proxy_buffer_size 4k;
         proxy_buffers 4 32k;
         proxy_busy_buffers_size 64k;
         proxy_temp_file_write_size 64k;

         # Set maximum upload size
         client_max_body_size 10m;
         client_body_buffer_size 128k;

         # Required for new HTTP-based CLI
         proxy_request_buffering off;
     }
 }
	map $ssl_client_s_dn $ssl_client_s_dn_cn {
	default "anonymous";
	~CN=(?<CN>[^/]+) $CN;
	}

	server {
	listen 443 ssl;
	server_name gerrit-ci-secure.gerritforge.com;

	ssl_certificate /etc/ssl/certs/cert.crt;
	ssl_certificate_key /etc/ssl/certs/cert.key;

	ssl_session_cache builtin:1000 shared:SSL:10m;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
	ssl_prefer_server_ciphers on;

	ssl_client_certificate /etc/ssl/certs/auth_ca.crt;
	ssl_verify_client on;

	ssl_session_timeout 5m;

	location / {
	sendfile off;
	proxy_http_version 1.1;

	proxy_pass http://jenkins:38080;
	proxy_redirect http://jenkins:38080 https://gerrit-ci.gerritforge.com;

	proxy_set_header Authorization "";
	proxy_set_header X-Forwarded-User $ssl_client_s_dn_cn;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $host:$server_port;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Forwarded-Proto $scheme;

	proxy_max_temp_file_size 0;

	proxy_connect_timeout 90;
	proxy_send_timeout 90;
	proxy_read_timeout 90;

	proxy_buffer_size 4k;
	proxy_buffers 4 32k;
	proxy_busy_buffers_size 64k;
	proxy_temp_file_write_size 64k;

	# Set maximum upload size
	client_max_body_size 10m;
	client_body_buffer_size 128k;

	# Required for new HTTP-based CLI
	proxy_request_buffering off;
	}
	}