From d041df11bb8ee18471b3077cbc7d0dca2774ab71 Mon Sep 17 00:00:00 2001
From: Julien Riou <julien@riou.xyz>
Date: Sat, 21 Dec 2019 09:33:46 +0100
Subject: [PATCH] Add deprecation note

---
 README.md        |  5 +++++
 extra/nginx.conf | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 extra/nginx.conf

diff --git a/README.md b/README.md
index 4c55ff8..c7331fa 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,11 @@
 
 [Patroni](https://github.com/zalando/patroni) uses the built-in Python HTTP server to expose database states. It's perfect to be used by a load balancer like HAProxy to achieve high-availability. But, sometimes, this interface freezes. There's an [open issue](https://github.com/zalando/patroni/issues/857) we are trying to close actively. As production doesn't wait, `patroniglue` was created to offload those checks and release pressure by adding a little response cache.
 
+## Deprecated
+
+We now use **nginx**. See [configuration example](extra/nginx.conf).
+
+
 ## Usage
 Start process using a configuration file:
 ```
diff --git a/extra/nginx.conf b/extra/nginx.conf
new file mode 100644
index 0000000..3d1b73b
--- /dev/null
+++ b/extra/nginx.conf
@@ -0,0 +1,38 @@
+server {
+  listen       *:<nginx-port> ssl;
+
+  server_name  _;
+
+  ssl on;
+  ssl_certificate           /etc/ssl/certs/ssl-cert-snakeoil.pem;
+  ssl_certificate_key       /etc/ssl/private/ssl-cert-snakeoil.key;
+  ssl_session_cache         shared:SSL:10m;
+  ssl_session_timeout       5m;
+  ssl_protocols             TLSv1.2;
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA;
+  ssl_prefer_server_ciphers on;
+
+  location ~ /\. {
+    # Protection against versioning tools parsing
+    return 404;
+  }
+
+  location ~ /(LICENSE|INSTALL|README|CHANGELOG|LASTGEN|MAINTAINERS|UPGRADE|AUTHORS|COPYRIGHT) {
+    # Protection against auto generation
+    return 404;
+  }
+
+  location / {
+    limit_except GET {
+        deny all;
+    }
+    proxy_pass            https://127.0.0.1:<patroni-api-port>/;
+    proxy_read_timeout    10s;
+    proxy_connect_timeout 30s;
+    proxy_send_timeout    30s;
+    proxy_set_header      Host $http_host;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-Proto https;
+  }
+}