Diffstat (limited to 'docs')
| -rw-r--r-- | docs | 84 |
1 files changed, 84 insertions, 0 deletions
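--- /dev/null
+++ b/docs
@@ -0,0 +1,84 @@
+
+nginx handles mtls, and allows connection to local gunicorn instance. If mTLS fails, connection fails and event is logged
+
+
+ubuntu
+sudo pip install Flask gunicorn # to install for all users, especially www-data so that the service runs
+nginx
+install nginx
+sudo systemctl enable --now nginx
+# cat /var/log/nginx/access.log
+# /etc/nginx/nginx.conf
+gunicorn
+gunicorn --bind localhost:5000 app:app # for testing
+sudo nano /etc/systemd/system/gunicorn1.service # as a service
+sudo systemctl enable --now gunicorn1 # as a service
+python
+app1.py
+sudo mkdir /var/www
+sudo chown -R www-data:www-data /var/www
+sudo cp app1.py /var/www
+
+
+test
+# private key
+openssl genrsa -out ca.key 2048
+# public certificate
+openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out ca.pem -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=YourCA"
+
+# server private key
+openssl genrsa -out server.key 2048
+# generate certificate signing request
+openssl req -new -key server.key -out server.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=localhost"
+# use public and private key of the ca to sign the cert signing request
+openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
+
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -out client.csr -subj "/C=US/ST=YourState/L=YourCity/O=YourOrg/CN=client"
+openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
+
+openssl genrsa -out wrong_client.key 2048
+openssl req -new -x509 -key wrong_client.key -out wrong_client.crt -days 365 -subj "/C=US/ST=State/L=City/O=Organization/CN=incorrectclient"
+
+curl https://127.0.0.1 --cacert ca.pem --cert wrong_client.crt --key wrong_client.key -k
+curl https://127.0.0.1 --cacert ca.pem --cert client.crt --key client.key -k
+
+
+untested
+sudo cp /path/to/ca.pem /usr/local/share/ca-certificates/your-ca.crt
+sudo update-ca-certificates
+nginx configuration
+ocsp server to check that the server is valid
+crl to check if a client is revoked
+server {
+    listen 443 ssl;
+    server_name yourdomain.com;
+
+    ssl_certificate /path/to/your/server.crt;
+    ssl_certificate_key /path/to/your/server.key;
+
+    # Client certificate verification
+    ssl_client_certificate /path/to/your/ca.pem;
+    ssl_verify_client on;
+
+    # Enable OCSP stapling and strict verification
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /path/to/your/ca.pem;
+
+    # Specify resolver for OCSP stapling
+    resolver 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 10s;
+
+    # Enforce OCSP response checking strictly
+    ssl_ocsp on;
+    ssl_ocsp_fail closed;
+
+    # Specify CRL file for client certificate revocation checking
+    ssl_crl /etc/nginx/ssl/crl.pem;
+
+    location / {
+        try_files $uri $uri/ =404;
+    }
+}
+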
