lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity
certidude/certidude/templates/server/nginx.conf

211 lines
5.7 KiB
Nginx Configuration File
Raw Blame History

# Basic DoS prevention measures
limit_conn addr 10;
client_body_timeout 5s;
client_header_timeout 5s;
limit_conn_zone $binary_remote_addr zone=addr:10m;
# Backend configuration
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-CERT $ssl_client_cert;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
# Don't buffer any messages
nchan_message_buffer_length 0;
# To use CA-s own certificate for frontend and mutually authenticated connections
ssl_certificate {{ directory }}/signed/{{ common_name }}.pem;
ssl_certificate_key {{ directory }}/self_key.pem;
server {
# Uncomment following to automatically redirect to HTTPS
#rewrite ^/$ https://$server_name$request_uri? permanent;
# Section for serving insecure HTTP, note that this is suitable for
# OCSP, SCEP, CRL-s etc which is already covered by PKI protection mechanisms.
# This also solves the chicken-and-egg problem of deploying the certificates
server_name {{ common_name }};
listen 80 default_server;
# Proxy pass CRL server
location /api/revoked/ {
proxy_pass http://127.0.1.1:8082/api/revoked/;
}
# Proxy pass OCSP responder
location /api/ocsp/ {
proxy_pass http://127.0.1.1:8081/api/ocsp/;
}
# Proxy pass to backend
location /api/ {
proxy_pass http://127.0.1.1:8080/api/;
}
# Path to compiled assets
location /assets/ {
alias {{ assets_dir }}/;
}
# Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol
location /cgi-bin/pkiclient.exe {
rewrite /cgi-bin/pkiclient.exe /api/scep/ last;
}
{% if not push_server %}
# Long poll for CSR submission
location ~ "^/lp/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber longpoll;
}
{% endif %}
# Comment everything below in this server definition if you're using HTTPS
{% if not push_server %}
# Event source for web interface
location ~ "^/ev/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber eventsource;
}
{% endif %}
# Path to static files
root {{static_path}};
error_page 502 /502.json;
access_log /var/log/nginx/certidude-plaintext-access.log;
error_log /var/log/nginx/certidude-plaintext-error.log;
}
server {
# Section for accessing web interface over HTTPS
listen 443 ssl http2 default_server;
server_name {{ common_name }};
# To use Let's Encrypt certificates
{% if not letsencrypt %}#{% endif %}ssl_certificate {{ letsencrypt_fullchain }};
{% if not letsencrypt %}#{% endif %}ssl_certificate_key {{ letsencrypt_privkey }};
# Also run the following to set up Let's Encrypt certificates:
#
# apt install letsencrypt
# certbot certonly -d {{common_name}} --webroot /var/www/html/
# HSTS header below should make sure web interface will be accessed over HTTPS only
# once it has been configured
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# Proxy pass image builder
location /api/log/ {
proxy_pass http://127.0.1.1:8084/api/log/;
}
# Proxy pass image builder
location /api/builder/ {
proxy_pass http://127.0.1.1:8083/api/builder/;
}
# Proxy pass to backend
location /api/ {
proxy_pass http://127.0.1.1:8080/api/;
}
# Path to compiled assets
location /assets/ {
alias {{ assets_dir }}/;
}
# This is for Let's Encrypt enroll/renewal
location /.well-known/ {
alias /var/www/html/.well-known/;
}
{% if not push_server %}
# Event stream for pushing events to web browsers
location ~ "^/ev/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber eventsource;
}
# Long poll for CSR submission
location ~ "^/lp/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber longpoll;
}
{% endif %}
# Path to static files
root {{static_path}};
error_page 502 /502.json;
access_log /var/log/nginx/certidude-frontend-access.log;
error_log /var/log/nginx/certidude-frontend-error.log;
}
server {
# Section for certificate authenticated HTTPS clients,
# for submitting information to CA eg. leases,
# requesting/renewing certificates and
# for delivering scripts to clients
server_name {{ common_name }};
listen 8443 ssl http2;
# Enforce OCSP stapling for the server certificate
# Note that even nginx 1.14.0 doesn't immideately populate the OCSP cache
# You need to run separate cronjob to populate the OCSP response cache
ssl_stapling on;
ssl_stapling_verify on;
# Allow client authentication with certificate,
# backend must still check if certificate was used for TLS handshake
ssl_verify_client optional;
ssl_client_certificate {{ authority_path }};
# Proxy pass to backend
location /api/ {
proxy_pass http://127.0.1.1:8080/api/;
}
# Long poll
location ~ "^/lp/sub/(.*)" {
nchan_channel_id $1;
nchan_subscriber longpoll;
}
# Path to static files
root {{static_path}};
error_page 502 /502.json;
access_log /var/log/nginx/certidude-mutual-auth-access.log;
error_log /var/log/nginx/certidude-mutual-auth-error.log;
}
{% if not push_server %}
server {
# Allow publishing only from localhost to prevent abuse
server_name localhost;
listen 127.0.0.1:80;
location ~ "^/lp/pub/(.*)" {
nchan_publisher;
nchan_channel_id $1;
}
location ~ "^/ev/pub/(.*)" {
nchan_publisher;
nchan_channel_id $1;
}
access_log /var/log/nginx/certidude-push-access.log;
error_log /var/log/nginx/certidude-push-error.log;
}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink