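# Single foreground nginx process hosting both halves of a mutual-TLS example:
# a plain-HTTP gateway on 8080 that proxies to an HTTPS upstream on 8443, where
# the gateway presents a client certificate and the upstream requires one.
worker_processes 1;
daemon off;

events {
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    error_log stderr info;

    # Gateway
    # Accepts unauthenticated plain HTTP and forwards every request to the
    # upstream under the gateway's own client certificate, so any caller that
    # can reach port 8080 is seen by the upstream as the gateway identity.
    server {
        listen 8080;
        server_name _;

        location / {
            proxy_pass https://127.0.0.1:8443;

            # Client certificate and key the gateway presents to the upstream.
            proxy_ssl_certificate certs/client.crt;
            proxy_ssl_certificate_key certs/client.key;

            # Verify the upstream's certificate against the CA below. With
            # proxy_ssl_verify off (as this file originally had it), the
            # trusted-certificate and verify-depth settings are ignored and the
            # gateway would hand its requests to whatever answers on 8443.
            proxy_ssl_trusted_certificate certs/ca.crt;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;

            # Verification also checks the certificate against proxy_ssl_name,
            # which defaults to the host given in proxy_pass.
            # NOTE(review): server.crt is not visible here; if it was issued
            # for a different name, set that name explicitly:
            # proxy_ssl_name <name-in-server.crt>;

            proxy_ssl_session_reuse on;

            # Optional hardening. TLSv1 and TLSv1.1 are deprecated, so the
            # example protocol list names only TLSv1.2 and TLSv1.3.
            # proxy_ssl_protocols TLSv1.2 TLSv1.3;
            # proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        }
    }

    # Upstream
    # TLS server that requires a client certificate signed by certs/ca.crt.
    server {
        listen 8443 ssl;
        server_name _;

        ssl_certificate certs/server.crt;
        ssl_certificate_key certs/server.key;
        # ssl_password_file certs/password_file;

        # CA used to verify client certificates.
        ssl_client_certificate certs/ca.crt;

        # Alternatives: optional_no_ca | optional | off | on
        # optional and optional_no_ca let requests through without a valid
        # certificate unless $ssl_client_verify is checked separately, and
        # optional_no_ca does not require the certificate to chain to the CA.
        # ssl_verify_client optional_no_ca;
        ssl_verify_client on;

        location / {
            return 200 "\rhello!";
        }
    }
}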