| -rw-r--r-- | docs | 84 | ||||
| -rw-r--r-- | gunicorn1.service | 14 | ||||
| -rw-r--r-- | hsm.conf | 22 | ||||
| -rw-r--r-- | nginx.conf | 63 |
4 files changed, 183 insertions, 0 deletions
@@ -0,0 +1,84 @@
+
+nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged
+
+
+ ubuntu
+sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs
+ nginx
+install nginx
+sudo systemctl enable --now nginx
+ # cat /var/log/nginx/access.log
+ # /etc/nginx/nginx.conf
+ gunicorn
+gunicorn --bind localhost:5000 app:app # for testing
+sudo nano /etc/systemd/system/gunicorn1.service # as a service
+sudo systemctl enable --now gunicorn1 # as a service
+ python
+app1.py
+sudo mkdir /var/www
+sudo chown -R www-data:www-data /var/www
+sudo cp app1.py /var/www
+
+
+ test
+# private key
+openssl genrsa -out ca.key 2048
+# public certificate
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
+
+# server private key
+openssl genrsa -out server.key 2048
+# generate certificate signing request
+openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost"
+# use public and private key of the ca to sign the cert signing request
+openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
+
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
+openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
+
+openssl genrsa -out wrong_client.key 2048
+openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
+
+curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
+curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
+
+
+ untested
+sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
+sudo update-ca-certificates
+ nginx configuration
+ ocsp server to check that the server is valid
+ crl to check if a client is revoked
+server {
+ listen 443 ssl;
+ server_name yourdomain.com;
+
+ ssl_certificate /path/to/your/server.crt;
+ ssl_certificate_key /path/to/your/server.key;
+
+ # Client certificate verification
+ ssl_client_certificate /path/to/your/ca.pem;
+ ssl_verify_client on;
+
+ # Enable OCSP stapling and strict verification
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /path/to/your/ca.pem;
+
+ # Specify resolver for OCSP stapling
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 10s;
+
+ # Enforce OCSP response checking strictly
+ ssl_ocsp on;
+ ssl_ocsp_fail closed;
+
+ # Specify CRL file for client certificate revocation checking
+ ssl_crl /etc/nginx/ssl/crl.pem;
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
diff --git a/gunicorn1.service b/gunicorn1.service
new file mode 100644
index 0000000..425c453
--- /dev/null
+++ b/gunicorn1.service
@@ -0,0 +1,14 @@
+
+[Unit]
+Description=gunicorn1
+After=network.target
+
+[Service]
+User=www-data
+Group=www-data
+WorkingDirectory=/var/www
+ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 0.0.0.0:5000 app1:app
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/hsm.conf b/hsm.conf
new file mode 100644
index 0000000..af27cf0
--- /dev/null
+++ b/hsm.conf
@@ -0,0 +1,22 @@
+# PKCS11 engine config
+openssl_conf = openssl_def
+
+[openssl_def]
+engines = engine_section
+
+[req]
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+# empty.
+
+[engine_section]
+pkcs11 = pkcs11_section
+
+[pkcs11_section]
+engine_id = pkcs11
+dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
+MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so #ubuntu
+#MODULE_PATH = /usr/lib64/pkcs11/opensc-pkcs11.so #fedora/rocky
+PIN = 648219
+init = 0
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..fc11627
--- /dev/null
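Review bot: Both curl commands at the end of the `test` section pass `-k`, which disables server certificate verification and makes `--cacert ca.pem` a no-op, so the test only exercises client authentication and would not notice a wrong or expired server certificate. The server CSR is issued for `CN=localhost` while curl connects to `https://127.0.0.1`, which is presumably why `-k` was needed; connecting by name, `curl https://localhost --cacert ca.pem --cert client.crt --key client.key`, lets the server side be verified as well (an IP SAN for 127.0.0.1 in the server cert would be the alternative). In the snippet under `untested`, `ssl_ocsp_fail closed;` is not one of nginx's documented ssl directives (`ssl_ocsp`, `ssl_ocsp_cache`, `ssl_ocsp_responder` are), and nginx refuses to start on an unknown directive, so that line should be verified or dropped before the section loses its untested label.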
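Review bot: `ExecStart` binds gunicorn to `0.0.0.0:5000`, so the Flask app is reachable on every interface without passing through nginx, which is the only place on this page where mTLS is enforced; any host that can reach port 5000 bypasses client-certificate verification entirely. nginx.conf proxies to `http://localhost:5000` and the docs' test command also binds `localhost:5000`, so the service can be restricted to loopback without changing anything else: `ExecStart=/usr/local/bin/gunicorn --workers 3 --bind 127.0.0.1:5000 app1:app`. A `Restart=on-failure` line in `[Service]` would also keep the upstream available after a worker crash instead of leaving nginx to answer 502s.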
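Review bot: `PIN = 648219` commits the token PIN in plaintext, where it stays in repository history even after a later edit and is readable by anyone with access to a checkout. The PIN should be taken out of this file and supplied at run time instead (the pkcs11 engine presumably prompts through OpenSSL's UI when no `PIN` is configured), and if a PIN must remain in a config file that file should be readable only by the service account; the committed value should be treated as exposed and changed on the token. Nothing else on the page references hsm.conf (the docs sign with `ca.key` on disk), so a one-line header such as `# OpenSSL config for signing with a PKCS#11 token; not used by the docs' test setup` would help readers place it. `dynamic_path` points at the `engines-1.1` directory, which appears to tie this to an OpenSSL 1.1 install; a comment noting that OpenSSL 3 moves from engines to providers would save the next maintainer a debugging session.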
+++ b/nginx.conf
@@ -0,0 +1,63 @@
+
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for" '
+ 'ssl_protocol:$ssl_protocol ssl_cipher:$ssl_cipher '
+ 'ssl_client_verify:$ssl_client_verify '
+ 'ssl_client_s_dn:$ssl_client_s_dn';
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+# include /etc/nginx/conf.d/*.conf;
+
+ server {
+ location / {
+ return 301 https://$host$request_uri;
+ #root /data/www;
+ #autoindex on;
+ #autoindex_exact_size off;
+ }
+ }
+ server {
+ listen 443 ssl;
+ server_name localhost;
+
+ ssl_certificate /home/x/auths1/server.crt;
+ ssl_certificate_key /home/x/auths1/server.key;
+ ssl_client_certificate /home/x/auths1/ca.pem;
+ ssl_verify_client on;
+
+ location / {
+ proxy_pass http://localhost:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ }
+ }
+
+}
|
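Review bot: The `listen 443 ssl` server sets no `ssl_protocols` or `ssl_ciphers`, so the mTLS endpoint accepts whatever the installed nginx build's defaults allow (older releases default to including TLSv1 and TLSv1.1); adding `ssl_protocols TLSv1.2 TLSv1.3;` beside `ssl_verify_client on;` pins that explicitly. The proxied request carries the client's address headers but not its verified identity, so `app1:app` cannot authorize per certificate; forwarding `proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;` and `proxy_set_header X-SSL-Client-Verify $ssl_client_verify;` gives the app that fact, and the app may trust those headers only while gunicorn is reachable solely from nginx, which the service file on this page (bound to 0.0.0.0:5000) currently does not guarantee. The certificate and key live under `/home/x/auths1/`; the root master process will read them, but a home directory is an odd place for the server private key and a `# TODO: move to /etc/nginx/ssl, server.key mode 0600` comment would flag it. The first `server {}` block has no `listen`, so it relies on nginx's default of port 80, presumably intentional for the redirect but clearer as an explicit `listen 80;`.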
