proxy_http_version 1.1; proxy_ssl_server_name on; proxy_ssl_protocols TLSv1.2 TLSv1.3; proxy_cache_bypass $http_upgrade; map $http_upgrade $conn_upgrade_unset { volatile; default upgrade; "" ""; } map $http_upgrade $conn_upgrade_keepalive { volatile; default upgrade; "" keep-alive; } ## ref: ## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true map $remote_addr $proxy_forwarded_elem { ## IPv4 addresses can be sent as-is ~^[0-9.]+$ "for=$remote_addr"; ## IPv6 addresses need to be bracketed and quoted ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; ## Unix domain socket names cannot be represented in RFC 7239 syntax default "for=unknown"; } ## ref: ## - https://www.digitalocean.com/community/tools/nginx?domains.0.reverseProxy.reverseProxy=true ## - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded map $http_forwarded $proxy_add_forwarded { volatile; ## if the incoming Forwarded header is syntactically valid, append to it "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; ## otherwise, replace it default "$proxy_forwarded_elem"; } include snip.d/proxy-common-headers; include snip.d/proxy-accept-encoding; include snip.d/proxy-connection-upgrade; include snip.d/proxy-early-data;