Nginx
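http {
    # Plain-HTTP listener: everything is redirected to the TLS server below.
    # (nginx comments use "#"; the parameter is "default_server", one word.)
    server {
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        # TLSv1 and TLSv1.1 are deprecated and should not be offered. Drop
        # TLSv1.3 only if the build is too old to know it (nginx < 1.13.0 or
        # OpenSSL < 1.1.1), otherwise the configuration fails to load.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        location /sub1 {
            proxy_pass http://localhost:1243/sub1;
        }
        # NOTE(review): the catch-all is forwarded to the /sub1 prefix of a
        # different backend port than the /sub1 location above; confirm that
        # this is intended.
        location / {
            proxy_pass http://localhost:1242/sub1;
        }
    }
}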
#!/bin/bash
# Bash shell script for generating self-signed certs. Run this in a folder, as it
# generates a few files. Large portions of this script were taken from the
# following article:
#
# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html
#
# Additional alterations by: haze
# Date: 2018-08-01
# Script accepts a single argument, the fqdn for the cert
# ssl-gen domain-name
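# Change these to your organisation's details; they make up the X.509 subject
# of both the root CA and the server certificate.
country=XX
state=XX
locality=XXXX
organization=XXX
organizationalunit=XXX
email=XXX@XXX.com
# The single argument is the FQDN. It becomes the certificate CN and the
# basename of every file written to the current directory.
DOMAIN="$1"
if [ -z "$DOMAIN" ]; then
  # Diagnostics go to stderr; ${0##*/} is basename without a fork.
  printf 'Usage: %s <domain>\n' "${0##*/}" >&2
  exit 11
fi
# Restrict the name to hostname characters (an optional leading "*." allows
# wildcard certs). The value is spliced into file names and into the
# "/CN=..." subject string, so "/", ".." or whitespace must not get through.
domain_re='^(\*\.)?[A-Za-z0-9][A-Za-z0-9.-]*$'
if ! [[ "$DOMAIN" =~ $domain_re ]]; then
  printf 'error: "%s" is not a valid domain name\n' "$DOMAIN" >&2
  exit 11
fi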
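#######################################
# Abort the run when the previous command failed.
# Arguments: $1 - exit status of the command just run (normally "$?")
# Globals:   PASSPHRASE (unset before exiting so it does not outlive the run)
# Returns:   0 when $1 is 0; otherwise the whole script exits with status 10.
#######################################
fail_if_error() {
  # A missing/empty status is treated as a failure rather than passing silently.
  local status="${1:-1}"
  [ "$status" = 0 ] && return 0
  unset PASSPHRASE
  exit 10
}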
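ca_str="RootCA"
ROOTCA="$DOMAIN$ca_str"
# Subjects for the server certificate and for the private root CA; the
# components come from the variables at the top of the script.
subj="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$DOMAIN/emailAddress=$email"
casubj="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$ROOTCA/emailAddress=$email"
# Everything written from here on (private keys in particular) is created
# owner-readable only. Relax the .crt files afterwards if they are distributed.
umask 077

# ---- Root CA ----
# The root key is written unencrypted: keep it off the web server once the
# leaf certificate has been signed.
openssl genrsa -out "$ROOTCA.key" 4096
fail_if_error $?
# Self-signed root certificate. (The original had a stray trailing "\" here
# that continued the command onto the following comment line.)
openssl req -x509 -new -nodes -key "$ROOTCA.key" -sha256 -days 1024 \
  -out "$ROOTCA.crt" -subj "$casubj"
fail_if_error $?

# ---- Server certificate ----
# Throw-away passphrase that protects the key only until it is re-written
# without one below. 2048 bytes of urandom leave comfortably more than 128
# alphanumerics after filtering (500 bytes, as before, usually did not).
PASSPHRASE=$(head -c 2048 /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 128)
export PASSPHRASE
# Server private key, wrapped with AES-256 instead of legacy 3DES.
openssl genrsa -aes256 -out "$DOMAIN.key" -passout env:PASSPHRASE 4096
fail_if_error $?
# Certificate signing request.
openssl req -sha256 \
  -new \
  -batch \
  -subj "$subj" \
  -key "$DOMAIN.key" \
  -out "$DOMAIN.csr" \
  -passin env:PASSPHRASE
fail_if_error $?
cp -- "$DOMAIN.key" "$DOMAIN.key.org"
fail_if_error $?
# Strip the passphrase so the web server can load the key without a prompt.
openssl rsa -in "$DOMAIN.key.org" -out "$DOMAIN.key" -passin env:PASSPHRASE
fail_if_error $?
# Remove the still-encrypted copy.
rm -f -- "$DOMAIN.key.org"
# The passphrase has no further use; do not leave it in the environment.
unset PASSPHRASE
# Sign the CSR with the root CA (10 years). -CAcreateserial also writes
# $ROOTCA.srl. A subjectAltName is added because current browsers ignore the
# CN and reject certificates without one.
# NOTE(review): several client platforms cap TLS server certificate lifetimes
# well below 3650 days; shorten -days if clients reject the result.
openssl x509 -req -in "$DOMAIN.csr" -CA "$ROOTCA.crt" -CAkey "$ROOTCA.key" \
  -CAcreateserial -out "$DOMAIN.crt" -days 3650 -sha256 \
  -extfile <(printf 'subjectAltName=DNS:%s\n' "$DOMAIN")
fail_if_error $?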
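server {
    # "ssl on;" is deprecated; the ssl parameter on listen replaces it.
    listen 8000 ssl default_server;
    server_name _;
    # TBD: point at the real certificate. The private key belongs in a
    # directory readable only by root (e.g. /etc/ssl/private), not next to
    # the public certificates.
    ssl_certificate /etc/ssl/certs/TBD.crt;
    ssl_certificate_key /etc/ssl/certs/TBD.key;
    ssl_session_timeout 5m;
    # SSLv2, SSLv3 and TLSv1 are broken or deprecated (DROWN, POODLE, ...);
    # offer TLS 1.2+ only. Drop TLSv1.3 if nginx/OpenSSL are too old for it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    #prevent 502 bad gateway
    #large_client_header_buffers 8 32;

    location /ws {
        # prevents 502 bad gateway error
        proxy_buffers 8 32k;
        proxy_buffer_size 64k;
        # forward WebSocket traffic to the application
        proxy_pass http://xxxxxx:8000/ws;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-NginX-Proxy true;
        # enables WS support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # NOTE(review): this effectively disables the idle timeout for
        # WebSocket connections; a bounded value is usually preferable.
        proxy_read_timeout 999999999;
    }

    location / {
        proxy_pass http://xxxxxx:8000/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}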