nginx handles mTLS and passes the connection on to the local gunicorn instance. If mTLS verification fails, the connection is rejected and the event is logged
ubuntu
# System-wide install so that the www-data service account can import Flask and
# gunicorn. This installs into the distribution's Python; a root-owned (www-data
# readable) virtualenv would keep the app's dependencies separate from the
# system's — TODO confirm which is wanted for this host.
sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs
nginx
install nginx
# Start nginx now and on every boot.
sudo systemctl enable --now nginx
# Successful requests are recorded in the access log; rejected mTLS handshakes
# are reported in /var/log/nginx/error.log (the log level may need raising to
# `info` for handshake failures to appear — verify on the host).
# cat /var/log/nginx/access.log
# Main configuration; the server block further down goes into a site config
# included from here.
# /etc/nginx/nginx.conf
gunicorn
# Run gunicorn in the foreground. `app:app` means module app.py, callable `app`;
# the file deployed below is app1.py, so the service unit presumably runs
# `app1:app` from /var/www — confirm before enabling it.
# Binding to localhost keeps gunicorn off the network: only nginx, which does
# the mTLS check, can reach it.
gunicorn --bind localhost:5000 app:app # for testing
# Service unit; it should run as User=www-data (the account the pip install
# above was done for) — verify the unit file.
sudo nano /etc/systemd/system/gunicorn1.service # as a service
sudo systemctl enable --now gunicorn1 # as a service
python
app1.py
# Deployment directory for the app.
sudo mkdir /var/www
sudo chown -R www-data:www-data /var/www
# The copy runs after the chown, so app1.py itself ends up owned by root.
# That is fine: www-data only needs read access to its code, and not owning
# it means the service account cannot modify what it runs.
sudo cp app1.py /var/www
test
# private key
openssl genrsa -out ca.key 2048
# public certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
# server private key
openssl genrsa -out server.key 2048
# generate certificate signing request
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost"
# use public and private key of the ca to sign the cert signing request
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
openssl genrsa -out wrong_client.key 2048
openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
untested
# Adds the test CA to the host's system trust store: afterwards every TLS
# client on this machine trusts anything signed with ca.key. The curl tests
# above do not need this (they pass --cacert); only do it if host-wide trust
# is intended. update-ca-certificates expects PEM files with a .crt suffix in
# this directory, which is why ca.pem is renamed on copy.
sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
sudo update-ca-certificates
nginx configuration
OCSP is used to check that the server certificate is still valid
a CRL is used to check whether a client certificate has been revoked
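server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Only modern protocol versions; the rest of the TLS policy is left to
    # the nginx defaults.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Server certificate and key (server.crt / server.key generated above)
    ssl_certificate /path/to/your/server.crt;
    ssl_certificate_key /path/to/your/server.key;

    # Client certificate verification (mTLS): every client must present a
    # certificate chaining to this CA, otherwise the handshake is rejected
    # and nginx logs the failure.
    ssl_client_certificate /path/to/your/ca.pem;
    ssl_verify_client on;

    # OCSP stapling for the *server* certificate. This only does anything when
    # the server certificate carries an OCSP responder URL; the private test
    # CA above does not add one, so stapling is a no-op in that setup.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/your/ca.pem;

    # Resolver used to reach OCSP responders
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    # OCSP validation of the *client* certificate chain. nginx treats an OCSP
    # error as a verification failure (there is no soft-fail setting), so the
    # responder must be reachable from this host.
    # Note: there is no ssl_ocsp_fail directive in nginx; `nginx -t` rejects it.
    ssl_ocsp on;

    # CRL for client certificate revocation. The file must exist (PEM) or nginx
    # refuses to start; keep it updated whenever the CA revokes a certificate.
    ssl_crl /etc/nginx/ssl/crl.pem;

    location / {
        # Forward authenticated requests to the gunicorn instance bound on
        # localhost:5000 (see the gunicorn section above).
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Tell the app who authenticated. These are set here, overriding any
        # value sent by the client, so they cannot be spoofed from outside.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
    }
}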