mirror of
https://github.com/laurivosandi/certidude
synced 2024-09-28 21:11:42 +00:00
Lauri Võsandi
59bedc1f16
* Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
169 lines
4.3 KiB
Nginx Configuration File
169 lines
4.3 KiB
Nginx Configuration File
# To set up SSL certificates using Let's Encrypt run:
|
|
#
|
|
|
|
#
|
|
# Also uncomment URL rewriting and SSL configuration below
|
|
|
|
# Basic DoS prevention measures
|
|
limit_conn addr 10;
|
|
client_body_timeout 5s;
|
|
client_header_timeout 5s;
|
|
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;
|
|
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
|
|
|
# Backend configuration
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-SSL-CERT $ssl_client_cert;
|
|
proxy_connect_timeout 600;
|
|
proxy_send_timeout 600;
|
|
proxy_read_timeout 600;
|
|
send_timeout 600;
|
|
|
|
# Don't buffer any messages
|
|
nchan_message_buffer_length 0;
|
|
|
|
# To use CA-s own certificate for HTTPS
|
|
ssl_certificate /var/lib/certidude/{{ common_name }}/signed/{{ common_name }}.pem;
|
|
ssl_certificate_key /var/lib/certidude/{{common_name}}/self_key.pem;
|
|
|
|
# To use Let's Encrypt certificates
|
|
#ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem;
|
|
#ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem;
|
|
|
|
# Also run the following to set up Let's Encrypt certificates:
|
|
#
|
|
# apt install letsencrypt
|
|
# certbot certonly -d {{common_name}} --webroot /var/www/html/
|
|
|
|
server {
|
|
# Section for serving insecure HTTP, note that this is suitable for
|
|
# OCSP, SCEP, CRL-s etc which is already covered by PKI protection mechanisms.
|
|
# This also solves the chicken-and-egg problem of deploying the certificates
|
|
|
|
server_name {{ common_name }};
|
|
listen 80 default_server;
|
|
|
|
# Proxy pass to backend
|
|
location /api/ {
|
|
proxy_pass http://127.0.1.1:8080/api/;
|
|
limit_req zone=api burst=5;
|
|
}
|
|
|
|
# Path to static files
|
|
root {{static_path}};
|
|
|
|
# Path to compiled assets
|
|
location /assets/ {
|
|
alias {{ assets_dir }}/;
|
|
}
|
|
|
|
# Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol
|
|
location /cgi-bin/pkiclient.exe {
|
|
rewrite /cgi-bin/pkiclient.exe /api/scep/ last;
|
|
}
|
|
|
|
{% if not push_server %}
|
|
# Long poll for CSR submission
|
|
location ~ "^/lp/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber longpoll;
|
|
}
|
|
{% endif %}
|
|
|
|
# Comment everything below in this server definition if you're using HTTPS
|
|
|
|
{% if not push_server %}
|
|
# Event source for web interface
|
|
location ~ "^/ev/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber eventsource;
|
|
}
|
|
{% endif %}
|
|
|
|
# Uncomment following to enable HTTPS
|
|
#rewrite ^/$ https://$server_name$request_uri? permanent;
|
|
}
|
|
|
|
server {
|
|
# Section for accessing web interface over HTTPS
|
|
listen 443 ssl http2 default_server;
|
|
server_name {{ common_name }};
|
|
|
|
# HSTS header below should make sure web interface will be accessed over HTTPS only
|
|
# once it has been configured
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
|
|
|
# Proxy pass to backend
|
|
location /api/ {
|
|
proxy_pass http://127.0.1.1:8080/api/;
|
|
limit_req zone=api burst=5;
|
|
}
|
|
|
|
# Path to static files
|
|
root {{static_path}};
|
|
|
|
# Path to compiled assets
|
|
location /assets/ {
|
|
alias {{ assets_dir }}/;
|
|
}
|
|
|
|
# This is for Let's Encrypt enroll/renewal
|
|
location /.well-known/ {
|
|
alias /var/www/html/.well-known/;
|
|
}
|
|
|
|
{% if not push_server %}
|
|
# Event stream for pushing events to web browsers
|
|
location ~ "^/ev/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber eventsource;
|
|
}
|
|
{% endif %}
|
|
}
|
|
|
|
|
|
server {
|
|
# Section for certificate authenticated HTTPS clients,
|
|
# for submitting information to CA eg. leases
|
|
# and for delivering scripts to clients
|
|
|
|
server_name {{ common_name }};
|
|
listen 8443 ssl http2;
|
|
|
|
# Require client authentication with certificate
|
|
ssl_verify_client on;
|
|
ssl_client_certificate /var/lib/certidude/{{ common_name }}/ca_cert.pem;
|
|
|
|
# Proxy pass to backend
|
|
location /api/ {
|
|
proxy_pass http://127.0.1.1:8080/api/;
|
|
limit_req zone=api burst=5;
|
|
}
|
|
|
|
# Long poll
|
|
location ~ "^/lp/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber longpoll;
|
|
}
|
|
}
|
|
|
|
{% if not push_server %}
|
|
server {
|
|
# Allow publishing only from localhost to prevent abuse
|
|
server_name localhost;
|
|
listen 127.0.0.1:80;
|
|
|
|
location ~ "^/lp/pub/(.*)" {
|
|
nchan_publisher;
|
|
nchan_channel_id $1;
|
|
}
|
|
|
|
location ~ "^/ev/pub/(.*)" {
|
|
nchan_publisher;
|
|
nchan_channel_id $1;
|
|
}
|
|
}
|
|
{% endif %}
|
|
|