Diffstat (limited to 'docs')
| -rw-r--r-- | docs | 84 |
1 files changed, 84 insertions, 0 deletions
@@ -0,0 +1,84 @@ + +nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged + + + ubuntu +sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs + nginx +install nginx +sudo systemctl enable --now nginx + # cat /var/log/nginx/access.log + # /etc/nginx/nginx.conf + gunicorn +gunicorn --bind localhost:5000 app:app # for testing +sudo nano /etc/systemd/system/gunicorn1.service # as a service +sudo systemctl enable --now gunicorn1 # as a service + python +app1.py +sudo mkdir /var/www +sudo chown -R www-data:www-data /var/www +sudo cp app1.py /var/www + + + test +# private key +openssl genrsa -out ca.key 2048 +# public certificate +openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA" + +# server private key +openssl genrsa -out server.key 2048 +# generate certificate signing request +openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost" +# use public and private key of the ca to sign the cert signing request +openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 + +openssl genrsa -out client.key 2048 +openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client" +openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256 + +openssl genrsa -out wrong_client.key 2048 +openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient" + +curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k +curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k + + + untested +sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt +sudo 
update-ca-certificates + nginx configuration + ocsp server to check that the server is valid + crl to check if a client is revoked +server { + listen 443 ssl; + server_name yourdomain.com; + + ssl_certificate /path/to/your/server.crt; + ssl_certificate_key /path/to/your/server.key; + + # Client certificate verification + ssl_client_certificate /path/to/your/ca.pem; + ssl_verify_client on; + + # Enable OCSP stapling and strict verification + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /path/to/your/ca.pem; + + # Specify resolver for OCSP stapling + resolver 8.8.8.8 8.8.4.4 valid=300s; + resolver_timeout 10s; + + # Enforce OCSP response checking strictly + ssl_ocsp on; + ssl_ocsp_fail closed; + + # Specify CRL file for client certificate revocation checking + ssl_crl /etc/nginx/ssl/crl.pem; + + location / { + try_files $uri $uri/ =404; + } +} + |
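Review bot: `ssl_ocsp_fail closed;` in the nginx server block is not a directive I can find in ngx_http_ssl_module (the client-OCSP knobs are `ssl_ocsp`, `ssl_ocsp_responder` and `ssl_ocsp_cache`), so nginx will most likely refuse to start on an unknown directive — confirm with `nginx -t`; with `ssl_ocsp on;` an unreachable or invalid response already fails the handshake when `ssl_verify_client on;` is set, so the line can simply be dropped. The OCSP settings also have nothing to talk to as written: none of the certs generated in the test section carry an AIA/OCSP URL, so `ssl_stapling` has nothing to staple and `ssl_ocsp` has no responder unless `ssl_ocsp_responder` is set or the extension is added at signing time, which makes `ssl_crl` the revocation check that actually works offline with this private CA. The `-k` on both curl tests is only needed because the server cert is `CN=localhost` with no SAN and curl connects to 127.0.0.1; give the cert a SAN (`-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"` on the CSR and `-copy_extensions copy` when signing with `openssl x509 -req` on OpenSSL 3+) and drop `-k`, so the test also proves the server side of the handshake rather than masking a hostname mismatch real clients will hit. Finally, `location /` uses `try_files` and never reaches gunicorn, contradicting the opening sentence; `proxy_pass http://127.0.0.1:5000;` is what that block needs, ideally with `proxy_set_header X-SSL-Client-Verify $ssl_client_verify;` so the app can see the mTLS result.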
