Facilitate easy use of Let's Encrypt certificates
parent
67e1cf6849
commit
b774eaacc9
@ -11,5 +11,8 @@ COPY templates templates
|
||||
RUN nunjucks-precompile --include snippets --include views templates >> js/bundle.js
|
||||
RUN bash -c 'cat /usr/lib/node_modules/{jquery/dist/jquery.min.js,tether/dist/js/tether.min.js,bootstrap/dist/js/bootstrap.min.js,node-forge/dist/forge.all.min.js,qrcode-svg/dist/qrcode.min.js,timeago/jquery.timeago.js,nunjucks/browser/nunjucks-slim.min.js,xterm/lib/xterm.js} >> js/bundle.js'
|
||||
RUN bash -c 'cat /usr/lib/node_modules/{tether/dist/css/tether.min.css,bootstrap/dist/css/bootstrap.min.css,font-awesome/css/font-awesome.min.css,xterm/css/xterm.css} >> css/bundle.css'
|
||||
RUN mkdir /frontend-secrets
|
||||
RUN ln -s ../server-secrets/self_cert.pem /frontend-secrets/cert.pem
|
||||
RUN ln -s ../server-secrets/self_key.pem /frontend-secrets/key.pem
|
||||
COPY entrypoint.sh /entrypoint.sh
|
||||
ENTRYPOINT /entrypoint.sh
|
||||
|
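Review bot: The three `RUN` lines that create `/frontend-secrets` (the `mkdir` and the two `ln -s`) have no comment saying the symlinks are only a default that a bind mount over the directory replaces, and they add three layers for one logical step. I would fold them into one instruction with absolute targets, `RUN mkdir /frontend-secrets && ln -s /server-secrets/self_cert.pem /frontend-secrets/cert.pem && ln -s /server-secrets/self_key.pem /frontend-secrets/key.pem`, preceded by `# Default frontend keypair: links to the CA's own cert/key; bind mount /frontend-secrets read-only to override`. Which lines are new is inferred from the hunk counts (5 old, 8 new), since the +/- markers did not survive on this page. The links presumably dangle until /server-secrets is populated at run time, so a missing key would only surface when nginx starts.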
12
nginx.conf
12
nginx.conf
@ -61,10 +61,6 @@ http {
|
||||
proxy_read_timeout 600;
|
||||
send_timeout 600;
|
||||
|
||||
# To use CA-s own certificate for frontend and mutually authenticated connections
|
||||
ssl_certificate /server-secrets/self_cert.pem;
|
||||
ssl_certificate_key /server-secrets/self_key.pem;
|
||||
|
||||
server {
|
||||
# Section for serving insecure HTTP, note that this is suitable for
|
||||
# OCSP, CRL-s etc which is already covered by PKI protection mechanisms.
|
||||
@ -97,6 +93,10 @@ http {
|
||||
# once it has been configured
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
|
||||
# Bind mount this directory to use Let's Encrypt keypair for frontend
|
||||
ssl_certificate /frontend-secrets/cert.pem;
|
||||
ssl_certificate_key /frontend-secrets/key.pem;
|
||||
|
||||
#proxy pass event
|
||||
location /api/event/ {
|
||||
proxy_buffering off;
|
||||
@ -147,6 +147,10 @@ http {
|
||||
ssl_verify_client optional;
|
||||
ssl_client_certificate /server-secrets/ca_cert.pem;
|
||||
|
||||
# Use same keypair used by IPSec, OpenVPN
|
||||
ssl_certificate /server-secrets/self_cert.pem;
|
||||
ssl_certificate_key /server-secrets/self_key.pem;
|
||||
|
||||
# Proxy pass to backend
|
||||
location /api/ {
|
||||
proxy_pass http://read-write;
|
||||
|
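Review bot: The comment above the new `ssl_certificate /frontend-secrets/cert.pem;` pair in the HTTPS server block (hunk at -97,6 +93,10) does not say what the mounted directory must contain, and the file names are easy to get wrong. nginx serves exactly what is in the `ssl_certificate` file, so `cert.pem` has to hold the leaf followed by the intermediates. If certbot is the client, its `live/<domain>/` directory calls the full chain and key `fullchain.pem` and `privkey.pem`, and they are symlinks into `../../archive/`, so mounting that directory alone would leave nginx with missing or dangling files. I would expand the comment to something like `# Bind mount (read-only) a directory with cert.pem = full chain and key.pem = private key; reload nginx after each renewal`. The server block itself starts and ends outside the hunk.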