certidude/certidude/templates/server/nginx.conf

# To set up SSL certificates using Let's Encrypt run:
#
#   apt install letsencrypt
#   certbot certonly -d {{common_name}} --webroot /var/www/html/
#
# Also uncomment URL rewriting and SSL configuration below

limit_req_zone $binary_remote_addr  zone=api:10m rate=30r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    server_name {{ common_name }};
    listen 80 default_server;
#    rewrite ^ https://$server_name$request_uri? permanent;
#}

#server {
#    server_name {{ common_name }};
#    listen 443 ssl http2 default_server;
#    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
#    ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem;
#    ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem;

    root {{static_path}};

    # Basic DoS prevention measures
    limit_conn addr 10;
    client_body_timeout 5s;
    client_header_timeout 5s;

    location /api/ {
        proxy_pass http://127.0.1.1:8080/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        limit_req zone=api burst=5;
    }

    # This is for Let's Encrypt
    location /.well-known/ {
        alias /var/www/html/.well-known/;
    }

    # Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol
    location /cgi-bin/pkiclient.exe {
        rewrite /cgi-bin/pkiclient.exe /api/scep/ last;
    }

{% if not push_server %}
    # This only works with nchan, for Debian 9 just apt install libnginx-mod-nchan
    # For Ubuntu and older Debian releases install nchan from https://nchan.io/

    location ~ "^/lp/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber longpoll;
    }

    location ~ "^/ev/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber eventsource;
    }
{% endif %}

}

{% if not push_server %}
server {
    # Allow publishing only from localhost to prevent abuse
    server_name localhost;
    listen 127.0.0.1:80;

    location ~ "^/lp/pub/(.*)" {
        nchan_publisher;
        nchan_channel_id $1;
        nchan_message_buffer_length 0;
    }

    location ~ "^/ev/pub/(.*)" {
        nchan_publisher;
        nchan_channel_id $1;
        nchan_message_buffer_length 0;
    }
}
{% endif %}
Various fixes 2017-04-13 20:30:28 +00:00			`# To set up SSL certificates using Let's Encrypt run:`
			`#`
			`# apt install letsencrypt`
			`# certbot certonly -d {{common_name}} --webroot /var/www/html/`
			`#`
			`# Also uncomment URL rewriting and SSL configuration below`
Released 0.1.17 2015-08-13 08:11:08 +00:00
Add basic DoS prevention measures 2017-07-29 20:19:37 +00:00			`limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;`
			`limit_conn_zone $binary_remote_addr zone=addr:10m;`

Merge authority setup and production setup 2016-03-29 19:03:27 +00:00			`server {`
			`server_name {{ common_name }};`
			`listen 80 default_server;`
Various fixes 2017-04-13 20:30:28 +00:00			`# rewrite ^ https://$server_name$request_uri? permanent;`
			`#}`

			`#server {`
			`# server_name {{ common_name }};`
			`# listen 443 ssl http2 default_server;`
			`# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";`
			`# ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem;`
			`# ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem;`

Merge authority setup and production setup 2016-03-29 19:03:27 +00:00			`root {{static_path}};`

Add basic DoS prevention measures 2017-07-29 20:19:37 +00:00			`# Basic DoS prevention measures`
			`limit_conn addr 10;`
			`client_body_timeout 5s;`
			`client_header_timeout 5s;`

Merge authority setup and production setup 2016-03-29 19:03:27 +00:00			`location /api/ {`
Several changes * OCSP workaround for StrongSwan * Machine attributes framework * Scripting support * Default to nginx frontend 2017-07-05 15:22:03 +00:00			`proxy_pass http://127.0.1.1:8080/api/;`
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_connect_timeout 600;`
			`proxy_send_timeout 600;`
			`proxy_read_timeout 600;`
			`send_timeout 600;`
Add basic DoS prevention measures 2017-07-29 20:19:37 +00:00			`limit_req zone=api burst=5;`
Released 0.1.17 2015-08-13 08:11:08 +00:00			`}`

Various fixes 2017-04-13 20:30:28 +00:00			`# This is for Let's Encrypt`
			`location /.well-known/ {`
			`alias /var/www/html/.well-known/;`
			`}`

Bugfixes and test for SCEP 2017-07-05 21:22:02 +00:00			`# Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol`
			`location /cgi-bin/pkiclient.exe {`
			`rewrite /cgi-bin/pkiclient.exe /api/scep/ last;`
			`}`
Various fixes 2017-04-13 20:30:28 +00:00
			`{% if not push_server %}`
			`# This only works with nchan, for Debian 9 just apt install libnginx-mod-nchan`
			`# For Ubuntu and older Debian releases install nchan from https://nchan.io/`
Merge authority setup and production setup 2016-03-29 19:03:27 +00:00
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`location ~ "^/lp/sub/(.*)" {`
Merge authority setup and production setup 2016-03-29 19:03:27 +00:00			`nchan_channel_id $1;`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`nchan_subscriber longpoll;`
			`}`

			`location ~ "^/ev/sub/(.*)" {`
			`nchan_channel_id $1;`
			`nchan_subscriber eventsource;`
Merge authority setup and production setup 2016-03-29 19:03:27 +00:00			`}`
Various fixes 2017-04-13 20:30:28 +00:00			`{% endif %}`
Merge authority setup and production setup 2016-03-29 19:03:27 +00:00
Released 0.1.17 2015-08-13 08:11:08 +00:00			`}`

Configuration generation fixes for nchan 2017-04-14 11:06:09 +00:00			`{% if not push_server %}`
			`server {`
			`# Allow publishing only from localhost to prevent abuse`
			`server_name localhost;`
			`listen 127.0.0.1:80;`

			`location ~ "^/lp/pub/(.*)" {`
			`nchan_publisher;`
			`nchan_channel_id $1;`
			`nchan_message_buffer_length 0;`
			`}`

			`location ~ "^/ev/pub/(.*)" {`
			`nchan_publisher;`
			`nchan_channel_id $1;`
			`nchan_message_buffer_length 0;`
			`}`
			`}`
			`{% endif %}`