fleet/tools/test-orbit-mtls/nginx.conf

server {
    listen 8888;
    ssl on;
    server_name proxy;
    proxy_ssl_server_name on;

    # Use the same TLS certificate as the Fleet server as server certificate.
    ssl_certificate /etc/nginx/certificates/fleet.crt;
    ssl_certificate_key /etc/nginx/certificates/fleet.key;

    # This server enforces all clients to use client certificates.
    ssl_client_certificate /etc/nginx/certificates/client-ca.crt;
    ssl_verify_client on;

    # Fleet requests are routed to a Fleet server.
    location / {
        proxy_pass https://host.docker.internal:8080;
        # Configure TLS server certificate to use to verify the Fleet server.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certificates/fleet.crt;
    }

    # TUF requests are routed to a TUF server.
    location /tuf/ {
        proxy_pass http://host.docker.internal:8081/;
    }
}