lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity
certidude/certidude/templates/server/nginx.conf

169 lines
4.3 KiB
Nginx Configuration File
Raw Blame History

# To set up SSL certificates using Let's Encrypt run:
#
#
# Also uncomment URL rewriting and SSL configuration below
# Basic DoS prevention measures
limit_conn addr 10;
client_body_timeout 5s;
client_header_timeout 5s;
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Backend configuration
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-CERT $ssl_client_cert;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
# Don't buffer any messages
nchan_message_buffer_length 0;
# To use CA-s own certificate for HTTPS
ssl_certificate /var/lib/certidude/{{ common_name }}/signed/{{ common_name }}.pem;
ssl_certificate_key /var/lib/certidude/{{common_name}}/self_key.pem;
# To use Let's Encrypt certificates
#ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem;
# Also run the following to set up Let's Encrypt certificates:
#
# apt install letsencrypt
# certbot certonly -d {{common_name}} --webroot /var/www/html/
server {
# Section for serving insecure HTTP, note that this is suitable for
# OCSP, SCEP, CRL-s etc which is already covered by PKI protection mechanisms.
# This also solves the chicken-and-egg problem of deploying the certificates
server_name {{ common_name }};
listen 80 default_server;
# Proxy pass to backend
location /api/ {
proxy_pass http://127.0.1.1:8080/api/;
limit_req zone=api burst=5;
}
# Path to static files
root {{static_path}};
# Path to compiled assets
location /assets/ {
alias {{ assets_dir }}/;
}
# Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol
location /cgi-bin/pkiclient.exe {
rewrite /cgi-bin/pkiclient.exe /api/scep/ last;
}
{% if not push_server %}
# Long poll for CSR submission
location ~ "^/lp/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber longpoll;
}
{% endif %}
# Comment everything below in this server definition if you're using HTTPS
{% if not push_server %}
# Event source for web interface
location ~ "^/ev/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber eventsource;
}
{% endif %}
# Uncomment following to enable HTTPS
#rewrite ^/$ https://$server_name$request_uri? permanent;
}
server {
# Section for accessing web interface over HTTPS
listen 443 ssl http2 default_server;
server_name {{ common_name }};
# HSTS header below should make sure web interface will be accessed over HTTPS only
# once it has been configured
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# Proxy pass to backend
location /api/ {
proxy_pass http://127.0.1.1:8080/api/;
limit_req zone=api burst=5;
}
# Path to static files
root {{static_path}};
# Path to compiled assets
location /assets/ {
alias {{ assets_dir }}/;
}
# This is for Let's Encrypt enroll/renewal
location /.well-known/ {
alias /var/www/html/.well-known/;
}
{% if not push_server %}
# Event stream for pushing events to web browsers
location ~ "^/ev/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber eventsource;
}
{% endif %}
}
server {
# Section for certificate authenticated HTTPS clients,
# for submitting information to CA eg. leases
# and for delivering scripts to clients
server_name {{ common_name }};
listen 8443 ssl http2;
# Require client authentication with certificate
ssl_verify_client on;
ssl_client_certificate /var/lib/certidude/{{ common_name }}/ca_cert.pem;
# Proxy pass to backend
location /api/ {
proxy_pass http://127.0.1.1:8080/api/;
limit_req zone=api burst=5;
}
# Long poll
location ~ "^/lp/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber longpoll;
}
}
{% if not push_server %}
server {
# Allow publishing only from localhost to prevent abuse
server_name localhost;
listen 127.0.0.1:80;
location ~ "^/lp/pub/(.*)" {
nchan_publisher;
nchan_channel_id $1;
}
location ~ "^/ev/pub/(.*)" {
nchan_publisher;
nchan_channel_id $1;
}
}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink