Facilitate easy use of Let's Encrypt certificates

This commit is contained in:
Lauri Võsandi 2021-06-04 09:25:25 +03:00
parent 67e1cf6849
commit b774eaacc9
2 changed files with 11 additions and 4 deletions


@ -11,5 +11,8 @@ COPY templates templates
RUN nunjucks-precompile --include snippets --include views templates >> js/bundle.js
RUN bash -c 'cat /usr/lib/node_modules/{jquery/dist/jquery.min.js,tether/dist/js/tether.min.js,bootstrap/dist/js/bootstrap.min.js,node-forge/dist/forge.all.min.js,qrcode-svg/dist/qrcode.min.js,timeago/jquery.timeago.js,nunjucks/browser/nunjucks-slim.min.js,xterm/lib/xterm.js} >> js/bundle.js'
RUN bash -c 'cat /usr/lib/node_modules/{tether/dist/css/tether.min.css,bootstrap/dist/css/bootstrap.min.css,font-awesome/css/font-awesome.min.css,xterm/css/xterm.css} >> css/bundle.css'
RUN mkdir /frontend-secrets
RUN ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem
RUN ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT /entrypoint.sh
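Review bot: The three `RUN` lines that create `/frontend-secrets` and its two symlinks (the `mkdir` and the two `ln -s` lines, which appear to be the added ones since the +/- markers were lost in rendering) are one logical step spread over three image layers; folding them into `RUN mkdir /frontend-secrets && ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem && ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem` keeps one layer per conceptual step. Nothing in the hunk says why the directory holds symlinks rather than files, so a comment above it such as `# Defaults to the CA's self-signed keypair; bind-mount /frontend-secrets to serve a Let's Encrypt keypair instead` would tell operators what is expected of them. The relative links resolve to `/server-secrets/self_cert.pem` and `/server-secrets/self_key.pem`, which this Dockerfile does not create, so unless that directory is mounted at runtime the links dangle and the default keypair cannot be loaded — worth confirming against the deployment setup.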


@ -61,10 +61,6 @@ http {
proxy_read_timeout 600;
send_timeout 600;
# To use CA-s own certificate for frontend and mutually authenticated connections
ssl_certificate /server-secrets/self_cert.pem;
ssl_certificate_key /server-secrets/self_key.pem;
server {
# Section for serving insecure HTTP, note that this is suitable for
# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
@ -97,6 +93,10 @@ http {
# once it has been configured
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
# Bind mount this directory to use Let's Encrypt keypair for frontend
ssl_certificate /frontend-secrets/cert.pem;
ssl_certificate_key /frontend-secrets/key.pem;
#proxy pass event
location /api/event/ {
proxy_buffering off;
@ -147,6 +147,10 @@ http {
ssl_verify_client optional;
ssl_client_certificate /server-secrets/ca_cert.pem;
# Use same keypair used by IPSec, OpenVPN
ssl_certificate /server-secrets/self_cert.pem;
ssl_certificate_key /server-secrets/self_key.pem;
# Proxy pass to backend
location /api/ {
proxy_pass http://read-write;
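Review bot: The new `ssl_certificate /frontend-secrets/cert.pem;` and `ssl_certificate_key /frontend-secrets/key.pem;` lines in the second hunk switch the public frontend to a mounted keypair, but the comment above them says nothing about the chain or about rotation: a Let's Encrypt certificate is typically served with its intermediate, and it expires after roughly 90 days, so nginx has to be reloaded after each renewal before the bind-mounted files take effect. I would expand the comment to `# Bind mount this directory to use Let's Encrypt keypair for frontend; cert.pem must contain the full chain, and nginx needs a reload after each renewal`. Whether anything in the stack already triggers that reload is not visible here. The third hunk's `# Use same keypair used by IPSec, OpenVPN` comment covers the mutually authenticated server block and reads fine as is.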