# To set up SSL certificates using Let's Encrypt run: # # # Also uncomment URL rewriting and SSL configuration below # Basic DoS prevention measures limit_conn addr 10; client_body_timeout 5s; client_header_timeout 5s; limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m; limit_conn_zone $binary_remote_addr zone=addr:10m; # Backend configuration proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-SSL-CERT $ssl_client_cert; proxy_connect_timeout 600; proxy_send_timeout 600; proxy_read_timeout 600; send_timeout 600; # Don't buffer any messages nchan_message_buffer_length 0; # To use CA-s own certificate for HTTPS ssl_certificate /var/lib/certidude/{{ common_name }}/signed/{{ common_name }}.pem; ssl_certificate_key /var/lib/certidude/{{common_name}}/self_key.pem; # To use Let's Encrypt certificates #ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem; #ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem; # Also run the following to set up Let's Encrypt certificates: # # apt install letsencrypt # certbot certonly -d {{common_name}} --webroot /var/www/html/ server { # Section for serving insecure HTTP, note that this is suitable for # OCSP, SCEP, CRL-s etc which is already covered by PKI protection mechanisms. # This also solves the chicken-and-egg problem of deploying the certificates server_name {{ common_name }}; listen 80 default_server; # Proxy pass to backend location /api/ { proxy_pass http://127.0.1.1:8080/api/; limit_req zone=api burst=5; } # Path to static files root {{static_path}}; # Path to compiled assets location /assets/ { alias {{ assets_dir }}/; } # Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol location /cgi-bin/pkiclient.exe { rewrite /cgi-bin/pkiclient.exe /api/scep/ last; } {% if not push_server %} # Long poll for CSR submission location ~ "^/lp/sub/(.*)" { nchan_channel_id $1; nchan_subscriber longpoll; } {% endif %} # Comment everything below in this server definition if you're using HTTPS {% if not push_server %} # Event source for web interface location ~ "^/ev/sub/(.*)" { nchan_channel_id $1; nchan_subscriber eventsource; } {% endif %} # Uncomment following to enable HTTPS #rewrite ^/$ https://$server_name$request_uri? permanent; } server { # Section for accessing web interface over HTTPS listen 443 ssl http2 default_server; server_name {{ common_name }}; # HSTS header below should make sure web interface will be accessed over HTTPS only # once it has been configured add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; # Proxy pass to backend location /api/ { proxy_pass http://127.0.1.1:8080/api/; limit_req zone=api burst=5; } # Path to static files root {{static_path}}; # Path to compiled assets location /assets/ { alias {{ assets_dir }}/; } # This is for Let's Encrypt enroll/renewal location /.well-known/ { alias /var/www/html/.well-known/; } {% if not push_server %} # Event stream for pushing events to web browsers location ~ "^/ev/sub/(.*)" { nchan_channel_id $1; nchan_subscriber eventsource; } {% endif %} } server { # Section for certificate authenticated HTTPS clients, # for submitting information to CA eg. leases # and for delivering scripts to clients server_name {{ common_name }}; listen 8443 ssl http2; # Require client authentication with certificate ssl_verify_client on; ssl_client_certificate /var/lib/certidude/{{ common_name }}/ca_cert.pem; # Proxy pass to backend location /api/ { proxy_pass http://127.0.1.1:8080/api/; limit_req zone=api burst=5; } # Long poll location ~ "^/lp/sub/(.*)" { nchan_channel_id $1; nchan_subscriber longpoll; } } {% if not push_server %} server { # Allow publishing only from localhost to prevent abuse server_name localhost; listen 127.0.0.1:80; location ~ "^/lp/pub/(.*)" { nchan_publisher; nchan_channel_id $1; } location ~ "^/ev/pub/(.*)" { nchan_publisher; nchan_channel_id $1; } } {% endif %}