Nginx two-way authentication
#!/bin/sh | |
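#######################################
# Print a message in bold yellow, padded with a blank line above and below.
# printf is used instead of echo: the escape handling of echo differs
# between /bin/sh implementations (dash interprets "\033" and "\n", bash
# does not), so the original output depended on which shell ran the script.
# The message goes in as a %s argument, never as the format string, so a
# message containing '%' or a leading '-' is printed verbatim.
# Arguments: $1 - message to print
# Outputs:   the decorated message on stdout
#######################################
Echo_c(){
  printf '\033[1;33m\n%s\n\033[0m\n' "$1"
}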
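#######################################
# Produce an 8-character lowercase hex token, used as a random value for the
# certificate subject fields.
# Four CSPRNG bytes are hex-encoded directly; this yields the same format and
# the same 32 bits of entropy as the previous "rand -base64 8 | md5sum | cut"
# pipeline, without depending on md5sum and without the pipeline hiding a
# failure of openssl behind md5sum's exit status.
# Outputs:   8 hex characters on stdout
# Returns:   exit status of openssl
#######################################
Rand_Name(){
  openssl rand -hex 4
}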
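#######################################
# Create a private CA plus a CA-signed server and client certificate for
# nginx mutual TLS, and export the client key/cert as a PKCS#12 bundle.
# Every step is checked: there is no 'set -e' in this script, so without
# explicit checks a failed openssl call would be followed by later steps
# that silently produce an inconsistent set of files.
# Globals:   CERT_DIR (read, optional) - output directory, defaults to
#            /etc/ssl/xrsec
#            rndca, rndserver, rndclient (written) - random subject values
# Arguments: none
# Outputs:   progress messages via Echo_c; files under CERT_DIR:
#            ca.key/ca.crt, server.key/server.csr/server.crt,
#            client.key/client.csr/client.crt/client.pfx
# Returns:   0 on success, 1 at the first failing step
# NOTE(review): the server certificate carries no subjectAltName and a random
# CN, so clients that verify the server hostname will not accept it as-is;
# the original script has the same limitation.
#######################################
Gen_Cert(){
  cert_dir="${CERT_DIR:-/etc/ssl/xrsec}"
  # openssl writes its output files with the current umask; keep private keys
  # and the pfx bundle unreadable by other users. The umask stays in effect
  # for the rest of the script, which only prints a message afterwards.
  umask 077
  # -p: re-running against an existing directory is not an error.
  mkdir -p -- "$cert_dir" || return 1
  Echo_c "Generate $cert_dir/.rnd random file"
  openssl rand -writerand "$cert_dir/.rnd" || return 1
  Echo_c "Generate random name"
  rndca=$(Rand_Name) || return 1
  rndserver=$(Rand_Name) || return 1
  rndclient=$(Rand_Name) || return 1
  Echo_c "Generate CA certificate"
  openssl genrsa -out "$cert_dir/ca.key" 4096 || return 1
  openssl req -new -x509 -days 3650 -key "$cert_dir/ca.key" -out "$cert_dir/ca.crt" \
    -subj "/C=CN/ST=$rndca/L=$rndca/O=$rndca/OU=$rndca/CN=$rndca" || return 1
  Echo_c "Generate Server certificate"
  openssl genrsa -out "$cert_dir/server.key" 4096 || return 1
  openssl req -new -key "$cert_dir/server.key" -out "$cert_dir/server.csr" \
    -subj "/C=CN/ST=$rndserver/L=$rndserver/O=$rndserver/OU=$rndserver/CN=$rndserver" || return 1
  Echo_c "Use CA certificate to issue server certificate"
  # -CAcreateserial creates the CA serial file on first use and reuses it on
  # the client signing below, so the two certificates get distinct serials.
  openssl x509 -req -in "$cert_dir/server.csr" -CA "$cert_dir/ca.crt" -CAkey "$cert_dir/ca.key" \
    -CAcreateserial -out "$cert_dir/server.crt" -days 3650 || return 1
  Echo_c "Generate Client Certificate"
  openssl genrsa -out "$cert_dir/client.key" 4096 || return 1
  openssl req -new -key "$cert_dir/client.key" -out "$cert_dir/client.csr" \
    -subj "/C=CN/ST=$rndclient/L=$rndclient/O=$rndclient/OU=$rndclient/CN=$rndclient" || return 1
  Echo_c "Use CA certificate to issue Client certificate"
  openssl x509 -req -in "$cert_dir/client.csr" -CA "$cert_dir/ca.crt" -CAkey "$cert_dir/ca.key" \
    -CAcreateserial -out "$cert_dir/client.crt" -days 3650 || return 1
  Echo_c "Export the pfx certificate, please remember the password"
  # Prompts interactively for the export password (no -passout is given).
  openssl pkcs12 -export -inkey "$cert_dir/client.key" -in "$cert_dir/client.crt" \
    -out "$cert_dir/client.pfx" || return 1
  # Certificates are public: make them readable again so ca.crt and
  # client.crt can be handed out, while keys and the pfx stay 0600.
  chmod 644 "$cert_dir/ca.crt" "$cert_dir/server.crt" "$cert_dir/client.crt" || return 1
}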
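# Only report success when every generation step succeeded: Gen_Cert returns
# non-zero at its first failing step and this script does not use 'set -e'.
Gen_Cert || exit 1
Echo_c "Configuration complete"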
# map $http_upgrade $connection_upgrade { | |
# default upgrade; | |
# '' close; | |
# } | |
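server {
  # include /etc/nginx/conf.d/viper.conf;
  # "ssl on;" is deprecated; the ssl parameter on listen enables TLS for
  # this port only.
  listen 3389 ssl;
  # Mutual TLS: every client must present a certificate chaining to the CA
  # whose certificate is at ca.crt (the companion script writes
  # ca.crt/server.crt/server.key to this directory).
  ssl_client_certificate /etc/ssl/xrsec/ca.crt;
  ssl_verify_client on;
  ssl_certificate /etc/ssl/xrsec/server.crt;
  ssl_certificate_key /etc/ssl/xrsec/server.key;
  ssl_session_timeout 60m;
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
  ssl_protocols TLSv1.2 TLSv1.3;
  server_name webhost;
  # Compressing TLS responses that echo request data next to secrets enables
  # BREACH-style attacks; the static root below is not affected, but revisit
  # this if the commented-out /api proxy is enabled.
  gzip on;
  gzip_min_length 1k;
  gzip_comp_level 9;
  gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
  gzip_vary on;
  gzip_disable "MSIE [1-6]\.";
  client_max_body_size 200m;
  # 497 is nginx's "plain HTTP request sent to HTTPS port". $request_uri
  # keeps the query string, which $uri dropped on redirect.
  error_page 497 https://$host:$server_port$request_uri;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;
  location / {
    root /usr/share/nginx/html;
    try_files $uri $uri/ /index.html;
  }
  # location /api {
  #   uwsgi_connect_timeout 3000;
  #   uwsgi_read_timeout 3000;
  #   uwsgi_send_timeout 3000;
  #   uwsgi_pass unix:/root/viper/uwsgi.sock;
  #   include /etc/nginx/uwsgi_params;
  #   proxy_set_header Host $host;
  #   proxy_set_header X-Real-IP $remote_addr;
  #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  # }
  # location /ws {
  #   proxy_pass http://unix:/root/viper/daphne.sock;
  #   proxy_http_version 1.1;
  #   proxy_set_header Upgrade $http_upgrade;
  #   proxy_set_header Connection "upgrade";
  # }
}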