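#!/usr/bin/env bash
#
# Bootstrap a private CA for nginx client-certificate (mTLS) auth under
# /etc/nginx/client_ssl and issue one client certificate per name:
# key, CSR, signed CRT and a PKCS#12 bundle under ./db/{key,csr,crt,pfx}.
#
# Usage:  DOMAIN=example.com ./client-ca.sh [client ...]
#         (no arguments issues the single default client, as before)
# Env:    DOMAIN  required; CA subject is "/CN=$DOMAIN", client subject is
#                 "/CN=<client>@$DOMAIN".
#
# Shell options live in "set", not the shebang, so they survive
# "bash script.sh" (a "-c" in the shebang also makes bash treat the script
# path as a command string). Tracing (-x) is deliberately off: it would echo
# the PKCS#12 export password on stderr.
set -euo pipefail

readonly CA_DIR=/etc/nginx/client_ssl
readonly DEFAULT_CLIENT=egeneralov

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create the CA key/cert and the openssl-ca database layout in the current
# directory if they do not exist yet. Unlike "rm -rf" of the directory,
# re-running keeps an existing CA, so certificates already handed out stay
# valid; delete the directory by hand to rotate the CA.
# Globals:   DOMAIN (read), CA_DIR (read, for the message only)
# Outputs:   ca.key, ca.crt, ca.config and db/ in the current directory
#######################################
init_ca() {
  if [[ -f ca.key && -f ca.crt ]]; then
    printf 'reusing existing CA in %s (delete the directory to rotate it)\n' \
      "$CA_DIR" >&2
  else
    # Self-signed, 10-year CA certificate.
    openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -sha256 -x509 \
      -days 3650 -subj "/CN=${DOMAIN}" -out ca.crt
    chmod 600 ca.key
    chmod 644 ca.crt
  fi

  # Quoted delimiter: "$dir" is an openssl.cnf reference, not a shell variable.
  cat <<'EOF' > ca.config
[ ca ]
default_ca = CA_CLIENT
[ CA_CLIENT ]
dir = ./db
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = ./ca.crt
private_key = ./ca.key
default_days = 365
default_crl_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = optional
emailAddress = optional
EOF

  mkdir -p db/{certs,newcerts,key,csr,crt,pfx}
  chmod 700 db/key
  # The index attributes and the serial are created once only: overwriting
  # the serial on a re-run would make "openssl ca" reuse serial numbers.
  [[ -f db/index.txt.attr ]] || echo 'unique_subject = yes' > db/index.txt.attr
  touch db/index.txt
  [[ -f db/serial ]] || echo "000001" > db/serial
}

#######################################
# Issue a client certificate signed by the CA. Names that already have a
# certificate are skipped (the database has unique_subject = yes, so signing
# the same CN again would fail anyway).
# Globals:   DOMAIN (read)
# Arguments: $1 - client name; becomes "<name>@$DOMAIN" and the file basename
# Outputs:   db/key/NAME.key, db/csr/NAME.csr, db/crt/NAME.crt, db/pfx/NAME.p12
# Returns:   0 on success or skip; non-zero (via die/openssl) otherwise
#######################################
issue_client() {
  local client=$1
  # The name is used as a path component and in the subject; keep it simple.
  [[ "$client" =~ ^[A-Za-z0-9._-]+$ ]] || die "invalid client name: $client"
  if [[ -f "db/crt/${client}.crt" ]]; then
    printf 'client %s already has a certificate, skipping\n' "$client" >&2
    return 0
  fi
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "db/key/${client}.key" -subj "/CN=${client}@${DOMAIN}" \
    -out "db/csr/${client}.csr"
  chmod 600 "db/key/${client}.key"
  openssl ca -config ca.config -in "db/csr/${client}.csr" \
    -out "db/crt/${client}.crt" -batch
  # The export password is the client name (as before): weak, and only meant
  # to protect the bundle in transit. It is handed over through the
  # environment rather than argv so it does not show in "ps" or a trace.
  P12_PASS=$client openssl pkcs12 -export -in "db/crt/${client}.crt" \
    -inkey "db/key/${client}.key" -certfile ca.crt \
    -out "db/pfx/${client}.p12" -passout env:P12_PASS
}

#######################################
# Show that the vhost rejects anonymous requests and accepts the client
# certificate. Server-certificate verification stays on (no "curl -k"): the
# vhost is expected to serve a publicly trusted certificate, and a failure
# here is something to look at rather than silence.
# Globals:   DOMAIN (read)
# Arguments: $1 - client name whose key/cert to present
#######################################
smoke_test() {
  local client=$1
  local url="https://git.${DOMAIN}"
  curl -sS -o /dev/null -w 'without client cert: HTTP %{http_code}\n' "$url"
  curl -sS -o /dev/null -w 'with client cert: HTTP %{http_code}\n' \
    --key "db/key/${client}.key" --cert "db/crt/${client}.crt" --url "$url"
}

main() {
  : "${DOMAIN:?set DOMAIN to the base domain, e.g. DOMAIN=example.com}"
  export DOMAIN
  local clients=("$@")
  (( ${#clients[@]} )) || clients=("$DEFAULT_CLIENT")

  mkdir -p -- "$CA_DIR"
  cd -- "$CA_DIR" || die "cannot cd to $CA_DIR"
  init_ca

  local client
  for client in "${clients[@]}"; do
    issue_client "$client"
  done
  smoke_test "${clients[0]}"

  # The bundle is fetched from the workstation, not from this host, so the
  # command is printed rather than run (running scp here cannot work).
  printf '\nfetch a bundle from your workstation with:\n'
  for client in "${clients[@]}"; do
    printf '  scp -P 222 git.%s:%s/db/pfx/%s.p12 ~/Documents/access/git.%s.%s.p12\n' \
      "$DOMAIN" "$CA_DIR" "$client" "$DOMAIN" "$client"
  done
}

main "$@"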
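#!/usr/bin/env bash
#
# Point GitLab Omnibus at the certificate acme.sh keeps under /root/.acme.sh
# and at the client-auth CA from /etc/nginx/client_ssl. The registry names
# are linked to the gitlab certificate/key, so that certificate has to cover
# registry.${DOMAIN} as well.
# Env: DOMAIN (required)
set -euo pipefail

: "${DOMAIN:?set DOMAIN to the base domain, e.g. DOMAIN=example.com}"
readonly ACME_DIR="/root/.acme.sh/gitlab.${DOMAIN}"
readonly SSL_DIR=/etc/gitlab/ssl

#######################################
# Symlink src to dst, refusing to create a dangling link.
# Arguments: $1 - existing source file; $2 - link path to (re)create
# Returns:   1 if the source is missing, otherwise ln's status
#######################################
link_cert() {
  local src=$1 dst=$2
  [[ -e "$src" ]] || { printf 'missing %s\n' "$src" >&2; return 1; }
  ln -sf -- "$src" "$dst"
}

mkdir -p -- "$SSL_DIR"
link_cert "${ACME_DIR}/fullchain.cer"        "${SSL_DIR}/gitlab.${DOMAIN}.crt"
link_cert "${ACME_DIR}/fullchain.cer"        "${SSL_DIR}/registry.${DOMAIN}.crt"
link_cert "${ACME_DIR}/gitlab.${DOMAIN}.key" "${SSL_DIR}/gitlab.${DOMAIN}.key"
link_cert "${ACME_DIR}/gitlab.${DOMAIN}.key" "${SSL_DIR}/registry.${DOMAIN}.key"
link_cert /etc/nginx/client_ssl/ca.crt       "${SSL_DIR}/ca.crt"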
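# nginx front-end for GitLab: an HTTP vhost that redirects to HTTPS, and an
# HTTPS vhost that requires a client certificate issued by the CA in
# /etc/nginx/client_ssl, except for ACME challenges, RFC 6890 private source
# addresses, an explicit IP allow-list and the registry/jira hostnames.
# ${DOMAIN} is substituted by the deployment tooling before nginx reads this.

# 1 for private/loopback/shared address ranges; geo matches on $remote_addr.
geo $rfc6890 {
  default 0;
  10.0.0.0/8 1;
  172.16.0.0/12 1;
  192.168.0.0/16 1;
  100.64.0.0/10 1;
  127.0.0.0/8 1;
}

# Explicit source-IP allow-list that also bypasses the client-cert check.
geo $allowed_ips {
  default 0;
  1.1.1.1/32 1;
}

server {
  listen 80;
  server_name ${DOMAIN};
  server_tokens off;
  access_log /var/log/nginx/${DOMAIN}_access.log;
  error_log /var/log/nginx/${DOMAIN}_error.log;
  location / {
    return 301 https://$host$request_uri;
  }
  # HTTP-01 challenges are served from disk instead of being redirected.
  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt/;
  }
}

server {
  listen 443 ssl;
  server_name git.${DOMAIN};
  server_tokens off;
  ssl_certificate /etc/letsencrypt/live/git.${DOMAIN}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.${DOMAIN}/privkey.pem;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
  ssl_protocols TLSv1.2 TLSv1.3;
  # The client certificate is requested but not required at the TLS layer;
  # enforcement happens per request below via $ssl_client_verify so the
  # exemptions can be expressed in config.
  ssl_client_certificate /etc/nginx/client_ssl/ca.crt;
  ssl_verify_client optional;
  ssl_verify_depth 2;

  # Initialise $fail so the "= 1" test below never reads an uninitialised
  # variable (nginx logs a warning for that).
  set $fail 0;
  if ($ssl_client_verify != SUCCESS) {
    set $fail 1;
  }
  # NOTE: $http_host is taken from the request, so this exemption is only as
  # strong as the Host header. The pattern is anchored so that only these
  # exact hostnames (optionally with a port) match; dots inside ${DOMAIN} are
  # still regex wildcards after substitution. Separate server blocks per
  # hostname would remove the need for this check altogether.
  if ($http_host ~ "^(registry|jira)\.${DOMAIN}(:[0-9]+)?$") { set $fail 0; }
  if ($rfc6890) { set $fail 0; }
  if ($allowed_ips) { set $fail 0; }
  if ($request_uri ~ "^/\.well-known/acme-challenge") { set $fail 0; }
  if ($fail = 1) { return 403; }

  client_max_body_size 300m;
  client_body_buffer_size 128k;
  access_log /var/log/nginx/git.${DOMAIN}_access.log;
  error_log /var/log/nginx/git.${DOMAIN}_error.log;
  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt/;
  }
  # Everything else is proxied to the GitLab HTTP listener on localhost.
  # X-Forwarded-For is appended to whatever the client sent, so the backend
  # must not treat its leftmost entry as trusted.
  location / {
    proxy_pass http://127.0.0.1:8088;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_redirect off;
    proxy_buffer_size 8k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 64k;
    # Long timeouts to accommodate large pushes/clones.
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
  }
}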