Last active
November 13, 2018 22:52
-
-
Save hazelement/0324a7ec14153bb5095ed0495095290c to your computer and use it in GitHub Desktop.
Nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
http { | |
server { | |
// redirect all to 443 | |
listen 80 default server; | |
return 301 https://$host$request_uri; | |
} | |
server { | |
listen 443 ssl; | |
server_name www.example.com; | |
ssl_certificate www.example.com.crt; | |
ssl_certificate_key www.example.com.key; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_ciphers HIGH:!aNULL:!MD5; | |
location /sub1 { | |
proxy_pass http://localhost:1243/sub1; | |
} | |
location / { | |
proxy_pass http://localhost:1242/sub1; | |
} | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
# Bash shell script for generating self-signed certs. Run this in a folder, as it | |
# generates a few files. Large portions of this script were taken from the | |
# following artcile: | |
# | |
# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html | |
# | |
# Additional alterations by: haze | |
# Date: 2018-08-01 | |
# Script accepts a single argument, the fqdn for the cert | |
# ssl-gen domain-name | |
#Change to your company details | |
country=XX | |
state=XX | |
locality=XXXX | |
organization=XXX | |
organizationalunit=XXX | |
email=XXX@XXX.com | |
DOMAIN="$1" | |
if [ -z "$DOMAIN" ]; then | |
echo "Usage: $(basename $0) <domain>" | |
exit 11 | |
fi | |
fail_if_error() { | |
[ $1 != 0 ] && { | |
unset PASSPHRASE | |
exit 10 | |
} | |
} | |
ca_str="RootCA" | |
ROOTCA=$DOMAIN$ca_str | |
# Certificate details; replace items in angle brackets with your own info | |
subj="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$DOMAIN/emailAddress=$email" | |
casubj="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$ROOTCA/emailAddress=$email" | |
# Root CA certificate | |
# generate root key | |
openssl genrsa -out $ROOTCA.key 4096 | |
# create and sign the root certificate | |
openssl req -x509 -new -nodes -key $ROOTCA.key -sha256 -days 1024 -out $ROOTCA.crt -subj "$(echo -n "$casubj" | tr "\n" "/")" \ | |
# ssl certficate | |
# Generate a passphrase | |
export PASSPHRASE=$(head -c 500 /dev/urandom | tr -dc a-z0-9A-Z | head -c 128; echo) | |
# Generate the server private key | |
openssl genrsa -des3 -out $DOMAIN.key -passout env:PASSPHRASE 4096 | |
fail_if_error $? | |
# Generate the CSR | |
openssl req -sha256 \ | |
-new \ | |
-batch \ | |
-subj "$(echo -n "$subj" | tr "\n" "/")" \ | |
-key $DOMAIN.key \ | |
-out $DOMAIN.csr \ | |
-passin env:PASSPHRASE | |
fail_if_error $? | |
cp $DOMAIN.key $DOMAIN.key.org | |
fail_if_error $? | |
# Strip the password so we don't have to type it every time we restart Apache | |
openssl rsa -in $DOMAIN.key.org -out $DOMAIN.key -passin env:PASSPHRASE | |
fail_if_error $? | |
# remove original key | |
rm $DOMAIN.key.org | |
# Generate the cert (good for 10 years) | |
# openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt | |
# fail_if_error $? | |
openssl x509 -req -in $DOMAIN.csr -CA $ROOTCA.crt -CAkey $ROOTCA.key -CAcreateserial -out $DOMAIN.crt -days 3650 -sha256 | |
fail_if_error $? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 8000 default_server; | |
server_name _; | |
ssl on; | |
ssl_certificate /etc/ssl/certs/TBD.crt; | |
ssl_certificate_key /etc/ssl/certs/TBD.key; | |
ssl_session_timeout 5m; | |
ssl_protocols SSLv2 SSLv3 TLSv1; | |
ssl_ciphers HIGH:!aNULL:!MD5; | |
ssl_prefer_server_ciphers on; | |
#prevent 502 bad gateway | |
#large_client_header_buffers 8 32; | |
location /ws { | |
# prevents 502 bad gateway error | |
proxy_buffers 8 32k; | |
proxy_buffer_size 64k; | |
# redirect all HTTP traffic | |
proxy_pass http://xxxxxx:8000/ws; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header Host $http_host; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
#proxy_set_header X-NginX-Proxy true; | |
# enables WS support | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
proxy_read_timeout 999999999; | |
} | |
location / { | |
proxy_pass http://xxxxxx:8000/; | |
proxy_redirect off; | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Host $server_name; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment