working

author: hc <hc@email.ch> 2024-11-20 12:51:33 +0800
committer: hc <hc@email.ch> 2024-11-20 12:51:33 +0800
commit: 853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree: 2fc1de9695810681ba654aab3c2a4867aacc1ac7 /docs
parent: b1f88b682624e85b4b743343dfaaeed113b69413 (diff)
1 files changed, 43 insertions, 54 deletions
diff --git a/docs b/docs
index 68ced06..6cd4500 100644
--- a/docs
+++ b/docs
@@ -1,31 +1,10 @@
-nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged
-    ubuntu
-sudo pip install Flask gunicorn  # to install for all users, especially www-data so that the service runs
-  nginx
-install nginx
-sudo systemctl enable --now nginx
-  # cat /var/log/nginx/access.log
-  # /etc/nginx/nginx.conf
-  gunicorn
-gunicorn --bind localhost:5000 app:app           # for testing
-sudo nano /etc/systemd/system/gunicorn1.service  # as a service
-sudo systemctl enable --now gunicorn1            # as a service
-  python
-app1.py
-sudo mkdir /var/www
-sudo chown -R www-data:www-data /var/www
-sudo cp app1.py /var/www
-  test
 # private key
 openssl genrsa -out ca.key 2048
 # public certificate
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
 # server private key
 openssl genrsa -out server.key 2048
 # generate certificate signing request
@@ -39,46 +18,56 @@ openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out c
 openssl genrsa -out wrong_client.key 2048
 openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
 curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
 curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
-  untested
+# Allow nginx to connect to any network port for nginx to go through selinux
-sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
+also turn off selinux permanently
-sudo update-ca-certificates
+sudo setsebool -P httpd_can_network_connect 1  
-  nginx configuration
+sudo mkdir -p /etc/nginx/certs
-    ocsp server to check that the server is valid
+sudo cp /flask/v1/keys/* /etc/nginx/certs/
-    crl to check if a client is revoked
+sudo chown -R nginx:nginx /etc/nginx/certs
-server {
-    listen 443 ssl;
+# no yubikey verification
-    server_name yourdomain.com;
+curl https://127.0.0.1/v/0ty2 --cacert ca.pem --cert client.crt --key client.key -k  
+# to activate hsm, move these over
+cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
+cp fullchain.crt /etc/nginx/certs/hsm_chain.crt
+cp server.crt /etc/nginx/certs/hsm_server.crt
+sudo pkcs11-tool -L  # for denk serial number
+openssl version -d
+edit the openssl.conf file
+/etc/nginx/nginx.conf
+then edit the nginx service file
+Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf"
+add under service
+ systemctl daemon-reload
+ sudo systemctl restart nginx
+ openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt
+ curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/ -k
-    ssl_certificate /path/to/your/server.crt;
+ sudo -u nginx pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-objects --login
-    ssl_certificate_key /path/to/your/server.key;
-    # Client certificate verification
+tail -f /var/log/nginx/error.log  # to see ssl errors
-    ssl_client_certificate /path/to/your/ca.pem;
-    ssl_verify_client on;
-    # Enable OCSP stapling and strict verification
+/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
-    ssl_stapling on;
+change all to yes then restart systemctl pcscd
-    ssl_stapling_verify on;
+if nginx cannot access pcscd(can also prove this by doing a pkcs11-tool list), systemctl pcscd will have error logs)
-    ssl_trusted_certificate /path/to/your/ca.pem;
-    # Specify resolver for OCSP stapling
-    resolver 8.8.8.8 8.8.4.4 valid=300s;
-    resolver_timeout 10s;
-    # Enforce OCSP response checking strictly
-    ssl_ocsp on;
-    ssl_ocsp_fail closed;
-    # Specify CRL file for client certificate revocation checking
+  https://www.redhat.com/en/blog/controlling-access-smart-cards
-    ssl_crl /etc/nginx/ssl/crl.pem;
-    location / {
-        try_files $uri $uri/ =404;
-    }
-}
+sudo curl -vvv  -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456' --cacert fullchain2.crt https://p.0nom.ch/c
author	hc <hc@email.ch>	2024-11-20 12:51:33 +0800
committer	hc <hc@email.ch>	2024-11-20 12:51:33 +0800
commit	853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree	2fc1de9695810681ba654aab3c2a4867aacc1ac7 /docs
parent	b1f88b682624e85b4b743343dfaaeed113b69413 (diff)

diff --git a/docs b/docs index 68ced06..6cd4500 100644 --- a/docs +++ b/docs
@@ -1,31 +1,10 @@
1		1
2	nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged	2
3		3
4
5	ubuntu
6	sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs
7	nginx
8	install nginx
9	sudo systemctl enable --now nginx
10	# cat /var/log/nginx/access.log
11	# /etc/nginx/nginx.conf
12	gunicorn
13	gunicorn --bind localhost:5000 app:app # for testing
14	sudo nano /etc/systemd/system/gunicorn1.service # as a service
15	sudo systemctl enable --now gunicorn1 # as a service
16	python
17	app1.py
18	sudo mkdir /var/www
19	sudo chown -R www-data:www-data /var/www
20	sudo cp app1.py /var/www
21
22
23	test
24	# private key	4	# private key
25	openssl genrsa -out ca.key 2048	5	openssl genrsa -out ca.key 2048
26	# public certificate	6	# public certificate
27	openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"	7	openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
28
29	# server private key	8	# server private key
30	openssl genrsa -out server.key 2048	9	openssl genrsa -out server.key 2048
31	# generate certificate signing request	10	# generate certificate signing request
@@ -39,46 +18,56 @@ openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out c
39		18
40	openssl genrsa -out wrong_client.key 2048	19	openssl genrsa -out wrong_client.key 2048
41	openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"	20	openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
42
43	curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k	21	curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
44	curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k	22	curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
45		23
46		24
47	untested	25	# Allow nginx to connect to any network port for nginx to go through selinux
48	sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt	26	also turn off selinux permanently
49	sudo update-ca-certificates	27	sudo setsebool -P httpd_can_network_connect 1
50	nginx configuration	28	sudo mkdir -p /etc/nginx/certs
51	ocsp server to check that the server is valid	29	sudo cp /flask/v1/keys/* /etc/nginx/certs/
52	crl to check if a client is revoked	30	sudo chown -R nginx:nginx /etc/nginx/certs
53	server {	31
54	listen 443 ssl;	32	# no yubikey verification
55	server_name yourdomain.com;	33	curl https://127.0.0.1/v/0ty2 --cacert ca.pem --cert client.crt --key client.key -k
		34
		35	# to activate hsm, move these over
		36	cat server.crt ../intermediate/certs/intermediate.crt ../certs/root.crt > fullchain.crt
		37	cp fullchain.crt /etc/nginx/certs/hsm_chain.crt
		38	cp server.crt /etc/nginx/certs/hsm_server.crt
		39	sudo pkcs11-tool -L # for denk serial number
		40
		41
		42	openssl version -d
		43
		44	edit the openssl.conf file
		45	/etc/nginx/nginx.conf
		46
		47	then edit the nginx service file
		48	Environment="OPENSSL_CONF=/etc/pki/tls/openssl.pkcs11.cnf"
		49
		50	add under service
		51	systemctl daemon-reload
		52	sudo systemctl restart nginx
		53
		54
		55	openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile /etc/nginx/certs/hsm_chain.crt
		56
		57	curl --cert client.crt --key client.key --cacert /etc/nginx/certs/hsm_chain.crt https://localhost:443/ -k
		58
56		59
57	ssl_certificate /path/to/your/server.crt;	60	sudo -u nginx pkcs11-tool --module /usr/lib64/opensc-pkcs11.so --list-objects --login
58	ssl_certificate_key /path/to/your/server.key;
59		61
60	# Client certificate verification	62	tail -f /var/log/nginx/error.log # to see ssl errors
61	ssl_client_certificate /path/to/your/ca.pem;
62	ssl_verify_client on;
63		63
64	# Enable OCSP stapling and strict verification	64	/usr/share/polkit-1/actions/org.debian.pcsc-lite.policy
65	ssl_stapling on;	65	change all to yes then restart systemctl pcscd
66	ssl_stapling_verify on;	66	if nginx cannot access pcscd(can also prove this by doing a pkcs11-tool list), systemctl pcscd will have error logs)
67	ssl_trusted_certificate /path/to/your/ca.pem;
68		67
69	# Specify resolver for OCSP stapling
70	resolver 8.8.8.8 8.8.4.4 valid=300s;
71	resolver_timeout 10s;
72		68
73	# Enforce OCSP response checking strictly
74	ssl_ocsp on;
75	ssl_ocsp_fail closed;
76		69
77	# Specify CRL file for client certificate revocation checking	70	https://www.redhat.com/en/blog/controlling-access-smart-cards
78	ssl_crl /etc/nginx/ssl/crl.pem;
79		71
80	location / {
81	try_files $uri $uri/ =404;
82	}
83	}
84		72
		73	sudo curl -vvv -E 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=user2;pin-value=123456' --cacert fullchain2.crt https://p.0nom.ch/c