server {
root /var/www/html/opentakserver;
index index.html index.htm index.nginx-debian.html;
server_name opentakserver_443;
# Do not allow calls to the Marti API on port 443. Only allow them to port 8443 where
# SSL client certificate verification is enabled
location ~ ^/Marti {
return 404;
}
# Proxy WebRTC requests to MediaMTX
location ~ ^/webrtc(/?)(.*)$ {
proxy_pass https://127.0.0.1:8889/$2$is_args$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Proxy HLS requests to MediaMTX
location ~ ^/hls(/?)(.*)$ {
proxy_pass https://127.0.0.1:8888/$2$is_args$args;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api {
proxy_pass http://127.0.0.1:8081;
proxy_http_version 1.1;
proxy_set_header Host $host:443;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /socket.io {
include proxy_params;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8081/socket.io;
}
try_files $uri /index.html;
client_max_body_size 100M;
listen 443 ssl;
ssl_certificate SERVER_CERT_FILE;
ssl_certificate_key SERVER_KEY_FILE;
}
server {
root /var/www/html/opentakserver;
index index.html index.htm index.nginx-debian.html;
server_name opentakserver_8443;
# Do not allow certificate enrollment on port 8443
location /Marti/api/tls {
return 404;
}
# Only allow requests to the Marti API on port 8443
location /Marti {
proxy_pass http://127.0.0.1:8081;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
}
location /api {
proxy_pass http://127.0.0.1:8081;
proxy_http_version 1.1;
proxy_set_header Host $host:8443;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
}
client_max_body_size 100M;
# listen [::]:8443 ssl ipv6only=on;
listen 8443 ssl;
ssl_certificate SERVER_CERT_FILE;
ssl_certificate_key SERVER_KEY_FILE;
# Require client certificate verification to access the Marti API
ssl_verify_client on;
ssl_client_certificate CA_CERT_FILE;
}