ssl_server_node.conf

#
# Handle all requests to (non SSL) http.
#
server {
        server_name <load balancer API domain name> default_server;
        listen 80;
        root /var/www/html;

        location ~ ^/.well-known/acme-challenge* {
#               try_files $uri @go2https;
                access_log /var/log/nginx/acme_access_log;
                error_log /var/log/nginx/acme_error_log;
        }

        # Default location match - will drop all connections
        # immediately if not an acme request.  Comment this,
        # uncomment tri_files above and location block below
        # if you want to forward all  non-acme  requests  to
        # SSL port.
        location / {
                return 444;
        }

        # Mutually exclusive location to above. Redirects to SSL https
#       location @go2https {
#               rewrite ^ https://$server_name$request_uri? permanent;
#       }
}

#
# Local websocket server (ws not wss; same as rpc_endpoint of witness)
#
upstream local_ws_svr {
    server localhost:<port>;
}

#
# SSL listener for bts_tools web interface (require authentication)
#              and local public API
#
server {
	listen 443 ssl;
	server_name <node domain name>;

	ssl on;
	ssl_certificate /etc/nginx/ssl/certs/server.crt;
	ssl_certificate_key /etc/nginx/ssl/private/server.key;
        ssl_session_cache shared:SSL:1m;
	ssl_session_timeout 5m;

#	ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#	ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
#	ssl_prefer_server_ciphers on;
#
        charset utf-8;

        # Provided to verify https certificate is working
	location ~ ^/.well-known/acme-challenge* {
#	location /index.html {
		root /var/www/html;
		access_log /var/log/nginx/acme_access_log;
		error_log /var/log/nginx/acme_error_log;
		break;
	}

        # Matches secure websocket URL address
        location ~ ^/wss$ {
                limit_req zone=ws burst=5;

                proxy_http_version 1.1;
                #proxy_connect_timeout 2;
                proxy_pass http://local_ws_svr;

                proxy_set_header Host $host;
                proxy_set_header Connection "upgrade";
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #proxy_next_upstream error timeout invalid_header http_500;
        }

	location / { try_files $uri @bts_tools; }	
        location @bts_tools {
                auth_basic "No Access Here!";
                auth_basic_user_file <your password list file>;
                include uwsgi_params;
                uwsgi_pass unix:<path to bts_tools uwsgi socket>;
	}
}