mirror of
https://github.com/laurivosandi/certidude
synced 2025-09-07 06:01:03 +00:00
Lauri Võsandi
ce93fbb58b
* Improved offline install docs * Migrated token mechanism backend to SQL * Preliminary token mechanism frontend integration * Add clock skew tolerance for OCSP * Add 'ldap computer filter' support for Kerberized machine enroll * Include OCSP and CRL URL-s in certificates, controlled by profile.conf * Better certificate extension handling * Place DH parameters file in /etc/ssl/dhparam.pem * Always talk to CA over port 8443 for 'certidude enroll' * Hardened frontend nginx config * Separate log files for frontend nginx * Better provisioning heuristics * Add sample site.sh config for LEDE image builder * Add more device profiles for LEDE image builder * Various bugfixes and improvements
180 lines
4.8 KiB
Nginx Configuration File
180 lines
4.8 KiB
Nginx Configuration File
# Basic DoS prevention measures
|
|
limit_conn addr 10;
|
|
client_body_timeout 5s;
|
|
client_header_timeout 5s;
|
|
limit_conn_zone $binary_remote_addr zone=addr:10m;
|
|
|
|
# Backend configuration
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-SSL-CERT $ssl_client_cert;
|
|
proxy_connect_timeout 600;
|
|
proxy_send_timeout 600;
|
|
proxy_read_timeout 600;
|
|
send_timeout 600;
|
|
|
|
# Don't buffer any messages
|
|
nchan_message_buffer_length 0;
|
|
|
|
# To use CA-s own certificate for frontend and mutually authenticated connections
|
|
ssl_certificate {{ directory }}/signed/{{ common_name }}.pem;
|
|
ssl_certificate_key {{ directory }}/self_key.pem;
|
|
|
|
server {
|
|
# Section for serving insecure HTTP, note that this is suitable for
|
|
# OCSP, SCEP, CRL-s etc which is already covered by PKI protection mechanisms.
|
|
# This also solves the chicken-and-egg problem of deploying the certificates
|
|
|
|
server_name {{ common_name }};
|
|
listen 80 default_server;
|
|
|
|
# Proxy pass to backend
|
|
location /api/ {
|
|
proxy_pass http://127.0.1.1:8080/api/;
|
|
}
|
|
|
|
# Path to static files
|
|
root {{static_path}};
|
|
|
|
# Path to compiled assets
|
|
location /assets/ {
|
|
alias {{ assets_dir }}/;
|
|
}
|
|
|
|
# Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol
|
|
location /cgi-bin/pkiclient.exe {
|
|
rewrite /cgi-bin/pkiclient.exe /api/scep/ last;
|
|
}
|
|
|
|
{% if not push_server %}
|
|
# Long poll for CSR submission
|
|
location ~ "^/lp/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber longpoll;
|
|
}
|
|
{% endif %}
|
|
|
|
# Comment everything below in this server definition if you're using HTTPS
|
|
|
|
{% if not push_server %}
|
|
# Event source for web interface
|
|
location ~ "^/ev/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber eventsource;
|
|
}
|
|
{% endif %}
|
|
|
|
# Uncomment following to enable HTTPS
|
|
#rewrite ^/$ https://$server_name$request_uri? permanent;
|
|
|
|
access_log /var/log/nginx/certidude-plaintext-access.log;
|
|
error_log /var/log/nginx/certidude-plaintext-error.log;
|
|
}
|
|
|
|
server {
|
|
# Section for accessing web interface over HTTPS
|
|
listen 443 ssl http2 default_server;
|
|
server_name {{ common_name }};
|
|
|
|
# To use Let's Encrypt certificates
|
|
{% if not letsencrypt %}#{% endif %}ssl_certificate {{ letsencrypt_fullchain }};
|
|
{% if not letsencrypt %}#{% endif %}ssl_certificate_key {{ letsencrypt_privkey }};
|
|
|
|
# Also run the following to set up Let's Encrypt certificates:
|
|
#
|
|
# apt install letsencrypt
|
|
# certbot certonly -d {{common_name}} --webroot /var/www/html/
|
|
|
|
# HSTS header below should make sure web interface will be accessed over HTTPS only
|
|
# once it has been configured
|
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
|
|
|
# Proxy pass to backend
|
|
location /api/ {
|
|
proxy_pass http://127.0.1.1:8080/api/;
|
|
}
|
|
|
|
# Path to static files
|
|
root {{static_path}};
|
|
|
|
# Path to compiled assets
|
|
location /assets/ {
|
|
alias {{ assets_dir }}/;
|
|
}
|
|
|
|
# This is for Let's Encrypt enroll/renewal
|
|
location /.well-known/ {
|
|
alias /var/www/html/.well-known/;
|
|
}
|
|
|
|
{% if not push_server %}
|
|
# Event stream for pushing events to web browsers
|
|
location ~ "^/ev/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber eventsource;
|
|
}
|
|
|
|
# Long poll for CSR submission
|
|
location ~ "^/lp/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber longpoll;
|
|
}
|
|
{% endif %}
|
|
|
|
access_log /var/log/nginx/certidude-frontend-access.log;
|
|
error_log /var/log/nginx/certidude-frontend-error.log;
|
|
}
|
|
|
|
|
|
server {
|
|
# Section for certificate authenticated HTTPS clients,
|
|
# for submitting information to CA eg. leases,
|
|
# requesting/renewing certificates and
|
|
# for delivering scripts to clients
|
|
|
|
server_name {{ common_name }};
|
|
listen 8443 ssl http2;
|
|
|
|
# Allow client authentication with certificate,
|
|
# backend must still check if certificate was used for TLS handshake
|
|
ssl_verify_client optional;
|
|
ssl_client_certificate {{ directory }}/ca_cert.pem;
|
|
|
|
# Proxy pass to backend
|
|
location /api/ {
|
|
proxy_pass http://127.0.1.1:8080/api/;
|
|
}
|
|
|
|
# Long poll
|
|
location ~ "^/lp/sub/(.*)" {
|
|
nchan_channel_id $1;
|
|
nchan_subscriber longpoll;
|
|
}
|
|
|
|
access_log /var/log/nginx/certidude-mutual-auth-access.log;
|
|
error_log /var/log/nginx/certidude-mutual-auth-error.log;
|
|
}
|
|
|
|
{% if not push_server %}
|
|
server {
|
|
# Allow publishing only from localhost to prevent abuse
|
|
server_name localhost;
|
|
listen 127.0.0.1:80;
|
|
|
|
location ~ "^/lp/pub/(.*)" {
|
|
nchan_publisher;
|
|
nchan_channel_id $1;
|
|
}
|
|
|
|
location ~ "^/ev/pub/(.*)" {
|
|
nchan_publisher;
|
|
nchan_channel_id $1;
|
|
}
|
|
|
|
access_log /var/log/nginx/certidude-push-access.log;
|
|
error_log /var/log/nginx/certidude-push-error.log;
|
|
|
|
}
|
|
{% endif %}
|
|
|