| author | hc <hc@email.ch> | 2024-11-20 12:51:33 +0800 |
|---|---|---|
| committer | hc <hc@email.ch> | 2024-11-20 12:51:33 +0800 |
| commit | 853b82126baa1e8e408a10f91053c52626ffad29 (patch) | |
| tree | 2fc1de9695810681ba654aab3c2a4867aacc1ac7 /docs | |
| parent | b1f88b682624e85b4b743343dfaaeed113b69413 (diff) | |
working
Diffstat (limited to 'docs')
| -rw-r--r-- | docs | 97 |
1 files changed, 43 insertions, 54 deletions
@@ -1,31 +1,10 @@ -nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged - - - ubuntu -sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs - nginx -install nginx -sudo systemctl enable --now nginx - # cat /var/log/nginx/access.log - # /etc/nginx/nginx.conf - gunicorn -gunicorn --bind localhost:5000 app:app # for testing -sudo nano /etc/systemd/system/gunicorn1.service # as a service -sudo systemctl enable --now gunicorn1 # as a service - python -app1.py -sudo mkdir /var/www -sudo chown -R www-data:www-data /var/www -sudo cp app1.py /var/www - - - test + + # private key openssl genrsa -out ca.key 2048 # public certificate openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA" - # server private key openssl genrsa -out server.key 2048 # generate certificate signing request 
@@ -39,46 +18,56 @@ openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out c openssl genrsa -out wrong_client.key 2048 openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient" - curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k - untested -sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt -sudo update-ca-certificates - nginx configuration - ocsp server to check that the server is valid - crl to check if a client is revoked -server { - listen 443 ssl; - server_name yourdomain.com; +# Allow nginx to connect to any network port for nginx to go through selinux +also turn off selinux permanently +sudo setsebool -P httpd_can_network_connect 1 +sudo mkdir -p /etc/nginx/certs +sudo cp /flask/v1/keys/* /etc/nginx/certs/ +sudo chown -R nginx:nginx /etc/nginx/certs + +# no yubikey verification +curl https://127.0.0.1/v/0ty2 --cacert ca.pem --cert client.crt --key client.key -k + +# to activate hsm, move these over +cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt +cp fullchain.crt /etc/nginx/certs/hsm_chain.crt +cp server.crt /etc/nginx/certs/hsm_server.crt +sudo pkcs11-tool -L # for denk serial number + + +openssl version -d + +edit the openssl.conf file +/etc/nginx/nginx.conf + +then edit the nginx service file +Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf" + +add under service + systemctl daemon-reload + sudo systemctl restart nginx + + + openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt + + curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/ -k + - ssl_certificate /path/to/your/server.crt; - ssl_certificate_key /path/to/your/server.key; + sudo -u nginx pkcs11-tool 
--module /usr/lib64/opensc-pkcs11.so --list-objects --login - # Client certificate verification - ssl_client_certificate /path/to/your/ca.pem; - ssl_verify_client on; +tail -f /var/log/nginx/error.log # to see ssl errors - # Enable OCSP stapling and strict verification - ssl_stapling on; - ssl_stapling_verify on; - ssl_trusted_certificate /path/to/your/ca.pem; +/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy +change all to yes then restart systemctl pcscd +if nginx cannot access pcscd(can also prove this by doing a pkcs11-tool list), systemctl pcscd will have error logs) - # Specify resolver for OCSP stapling - resolver 8.8.8.8 8.8.4.4 valid=300s; - resolver_timeout 10s; - # Enforce OCSP response checking strictly - ssl_ocsp on; - ssl_ocsp_fail closed; - # Specify CRL file for client certificate revocation checking - ssl_crl /etc/nginx/ssl/crl.pem; + https://www.redhat.com/en/blog/controlling-access-smart-cards - location / { - try_files $uri $uri/ =404; - } -} +sudo curl -vvv -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456' --cacert fullchain2.crt https://p.0nom.ch/c |
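Review bot: `sudo cp /flask/v1/keys/* /etc/nginx/certs/` followed by `sudo chown -R nginx:nginx /etc/nginx/certs` hands the CA private key (`ca.key`, generated alongside `ca.pem` in the first hunk, if that is the directory the openssl commands were run in) and presumably the client keys to the nginx service account, although nginx only needs `server.crt`, `server.key` and `ca.pem`; copy those explicitly, e.g. `sudo cp /flask/v1/keys/{server.crt,server.key,ca.pem} /etc/nginx/certs/`, and keep `ca.key` outside the web-server tree with restrictive permissions. The line `also turn off selinux permanently` undoes the `sudo setsebool -P httpd_can_network_connect 1` fix directly above it, which already grants the one permission the proxy needs; drop that line, or state that the boolean is the intended fix and SELinux stays enforcing. The `curl ... --cacert ... -k` test lines disable server verification, so `--cacert` has no effect and a broken `hsm_chain.crt` would go unnoticed; use the `openssl s_client -CAfile` form shown next to them, or remove `-k`, for the verification step. The final curl embeds the token PIN in the PKCS#11 URI (`pin-value=123456`), which lands in shell history and `ps` output; `pin-source=file:<path>` (RFC 7512) reads it from a protected file instead.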
