authorname <email here>2024-08-14 14:39:18 +0800
committername <email here>2024-08-14 14:39:18 +0800
commitb1f88b682624e85b4b743343dfaaeed113b69413 (patch)
treef5944621027aa5372782287041f07799ba57ed71
pushing configs, no automated setup yet
-rw-r--r--docs84
-rw-r--r--gunicorn1.service14
-rw-r--r--hsm.conf22
-rw-r--r--nginx.conf63
4 files changed, 183 insertions, 0 deletions
diff --git a/docs b/docs
new file mode 100644
index 0000000..68ced06
--- /dev/null
+++ b/docs
@@ -0,0 +1,84 @@
+
+nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged
+
+
+ ubuntu
+sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs
+ nginx
+install nginx
+sudo systemctl enable --now nginx
+ # cat /var/log/nginx/access.log
+ # /etc/nginx/nginx.conf
+ gunicorn
+gunicorn --bind localhost:5000 app:app # for testing
+sudo nano /etc/systemd/system/gunicorn1.service # as a service
+sudo systemctl enable --now gunicorn1 # as a service
+ python
+app1.py
+sudo mkdir /var/www
+sudo chown -R www-data:www-data /var/www
+sudo cp app1.py /var/www
+
+
+ test
+# private key
+openssl genrsa -out ca.key 2048
+# public certificate
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
+
+# server private key
+openssl genrsa -out server.key 2048
+# generate certificate signing request
+openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost"
+# use public and private key of the ca to sign the cert signing request
+openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
+
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
+openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
+
+openssl genrsa -out wrong_client.key 2048
+openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
+
+curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
+curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
+
+
+ untested
+sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
+sudo update-ca-certificates
+ nginx configuration
+ ocsp server to check that the server is valid
+ crl to check if a client is revoked
+server {
+ listen 443 ssl;
+ server_name yourdomain.com;
+
+ ssl_certificate /path/to/your/server.crt;
+ ssl_certificate_key /path/to/your/server.key;
+
+ # Client certificate verification
+ ssl_client_certificate /path/to/your/ca.pem;
+ ssl_verify_client on;
+
+ # Enable OCSP stapling and strict verification
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /path/to/your/ca.pem;
+
+ # Specify resolver for OCSP stapling
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 10s;
+
+ # Enforce OCSP response checking strictly
+ ssl_ocsp on;
+ ssl_ocsp_fail closed;
+
+ # Specify CRL file for client certificate revocation checking
+ ssl_crl /etc/nginx/ssl/crl.pem;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
diff --git a/gunicorn1.service b/gunicorn1.service
new file mode 100644
index 0000000..425c453
--- /dev/null
+++ b/gunicorn1.service
@@ -0,0 +1,14 @@
+
+[Unit]
+Description=gunicorn1
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+WorkingDirectory=/var/www
+ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 0.0.0.0:5000 app1:app
+
+[Install]
+WantedBy=multi-user.target
+
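Review bot: `ExecStart=... --bind 0.0.0.0:5000` exposes the plaintext gunicorn listener on every interface, while the nginx proxy in the same commit reaches it at `http://localhost:5000` and the docs describe nginx as the mTLS gate, so any host that can route to port 5000 can call the app with no client certificate at all. Bind to loopback only: `ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 127.0.0.1:5000 app1:app`. Since the unit already drops to `www-data`, the low-risk hardening lines `NoNewPrivileges=true` and `PrivateTmp=true` in `[Service]` would also be worth adding, along with `Restart=on-failure` so a crashed worker set does not silently leave the proxy returning 502.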
diff --git a/hsm.conf b/hsm.conf
new file mode 100644
index 0000000..af27cf0
--- /dev/null
+++ b/hsm.conf
@@ -0,0 +1,22 @@
+# PKCS11 engine config
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+# empty.
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
+MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so #ubuntu
+#MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so #fedora/rocky
+PIN = 648219
+init = 0
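Review bot: `PIN = 648219` commits the token's user PIN in cleartext, and it is now in git history regardless of any later edit. Treat that PIN as compromised: change it on the token, drop the `PIN` line from the config, and supply it at use time instead (for example via the `pin-source` field of a `pkcs11:` URI that points at a mode-0600 file, or a prompt from the calling tool). The `dynamic_path` under `engines-1.1` implies an OpenSSL 1.1 engine build; if the target hosts run OpenSSL 3 the engine API is deprecated there and a provider-based setup may be needed, which is worth confirming before relying on this file. Nothing else in this commit references `hsm.conf` (nginx loads `server.key` from disk), so a header comment stating how it is meant to be consumed, e.g. `# Intended for OPENSSL_CONF=hsm.conf when running openssl req/x509 against the PKCS#11 token`, would help the next reader.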
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..fc11627
--- /dev/null
+++ b/nginx.conf
@@ -0,0 +1,63 @@
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ 'ssl_protocol:$ssl_protocol ssl_cipher:$ssl_cipher '
+ 'ssl_client_verify:$ssl_client_verify '
+ 'ssl_client_s_dn:$ssl_client_s_dn';
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+# include /etc/nginx/conf.d/*.conf;
+
+ server {
+ location / {
+ return 301 https://$host$request_uri;
+ #root /data/www;
+ #autoindex on;
+ #autoindex_exact_size off;
+ }
+ }
+ server {
+ listen 443 ssl;
+ server_name localhost;
+
+ ssl_certificate /home/x/auths1/server.crt;
+ ssl_certificate_key /home/x/auths1/server.key;
+ ssl_client_certificate /home/x/auths1/ca.pem;
+ ssl_verify_client on;
+
+ location / {
+ proxy_pass http://localhost:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ }
+ }
+
+}
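Review bot: The `listen 443 ssl;` server sets no `ssl_protocols` or `ssl_ciphers`, so protocol and cipher choice falls back to the nginx build's defaults, which on older releases still admit TLS 1.0/1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers on;`. With `ssl_verify_client on` but no `ssl_crl`, a client certificate the CA has revoked is still accepted; the docs in this commit list CRL as untested, so either note that gap in a comment here or add `ssl_crl /etc/nginx/ssl/crl.pem;` once a CRL is published. The `proxy_pass http://localhost:5000` hop is plaintext and carries no client identity; if the app needs to know who authenticated, forward `proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;` and make sure the backend only accepts that header from this proxy, which presumes gunicorn listens on loopback alone. Also, `server.crt`/`server.key` are read from `/home/x/auths1/`, a user home directory; the private key belongs under `/etc/nginx/ssl/` with root ownership and mode 0600.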