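# nginx front-end for an Elasticsearch node:
#   - stream: 9343 (TLS) -> localhost:9300 (transport)
#   - http:   80 -> 443 redirect; 443 (TLS, client-cert check) -> localhost:9200 (REST)
load_module /usr/lib/nginx/modules/ngx_stream_module.so;

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

stream {
    server {
        # `ssl` is required on the listen directive: without it the certificate
        # below is loaded but never used and 9343 accepts plaintext only.
        listen 9343 ssl;
        ssl_certificate /app/ela/.setup/keys/nginx.crt;     # The certificate file
        ssl_certificate_key /app/ela/.setup/keys/nginx.key; # The private key file
        # Same protocol floor as the HTTPS server below. Note that, unlike 443,
        # this listener performs no client-certificate check.
        ssl_protocols TLSv1.2;
        proxy_pass localhost:9300;
    }
}

http {
    # some HTTP boilerplate
    # No static files to serve
    sendfile off;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65s;
    send_timeout 40s;
    client_header_timeout 40s;
    client_body_timeout 40s;
    keepalive_requests 1000;
    reset_timedout_connection on;
    types_hash_max_size 2048;
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/json;

    # http-level default. The only TLS server below sets TLSv1.2 itself, so
    # this only prevents a future server block from inheriting TLSv1/TLSv1.1.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # No logging by default
    access_log off;
    # `error_log off;` does not disable logging: nginx writes to a file
    # literally named "off" under its prefix. /dev/null is the real no-op.
    # This also discards TLS-handshake and client-certificate failures; the
    # commented lines below restore logging when that record is needed.
    error_log /dev/null;
    log_not_found off;
    #access_log /var/log/nginx/example.com;
    #error_log /var/log/nginx/error.log;

    # Use Compression for most text mime-types
    gzip on;
    gzip_disable "msie6";
    gzip_min_length 512;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6; #max=9
    gzip_http_version 1.1;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css application/json application/javascript
               text/xml application/xml application/xml+rss text/javascript;

    # Sizes
    client_body_buffer_size 8k;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 4 8k;

    # WebSocket upgrade: only send "Connection: upgrade" when the client asked.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # The key is the constant string "TOTAL", so this is one global bucket:
    # limit_conn below caps connections across all clients of this node,
    # not per client address.
    limit_conn_zone TOTAL zone=CONLIMITALL:8m;

    # server on port 80 for HTTP -> HTTPS redirect
    server {
        listen 80;
        listen [::]:80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # The letsencrypt-secured HTTPS server, which proxies our requests
    server {
        listen 443 ssl;
        # Port 80 above also listens on IPv6; without this, IPv6 clients are
        # redirected to a port nothing answers on.
        listen [::]:443 ssl;
        # Accept any hostname
        server_name _;
        # server_name example.com;
        # ssl_protocols TLSv1.1 TLSv1.2;
        # letsencrypt certificate
        ssl_certificate /app/ela/.setup/keys/nginx.crt;
        ssl_certificate_key /app/ela/.setup/keys/nginx.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL-MS:4m;
        ssl_session_tickets off;
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256';
        ssl_prefer_server_ciphers on;

        # client certificate
        ssl_client_certificate /app/ela/.setup/keys/rootCa.crt;
        # make verification optional, so we can display a 403 message to those
        # who fail authentication
        ssl_verify_client optional;

        # Route nginx-generated 503s (limit_conn overflow) to the named
        # location; without this directive @error503 is never reached.
        error_page 503 = @error503;
        location @error503 {
            default_type text/plain;
            add_header Retry-After 1 always;
            return 503 "Try again. Maximum clients reached on this node.";
        }

        # Health probe. Reachable without a client certificate: the verify
        # check lives only in the proxy location below.
        location = /ping {
            default_type text/plain;
            return 200 "";
        }

        location ~ / {
            # if the client-side certificate failed to authenticate, show a 403
            # message to the client
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            limit_conn CONLIMITALL 8192;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            #proxy_set_header Upgrade $http_upgrade;
            #proxy_set_header Connection 'upgrade';
            # Fix the "It appears that your reverse proxy set up is broken" error.
            proxy_pass http://localhost:9200;
            proxy_read_timeout 90;
            # web sockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            #proxy_redirect http://localhost:8080 https://example.com;
        }
    }
}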