Skip to content

Instantly share code, notes, and snippets.

@hazelement hazelement/site.conf
Last active Nov 13, 2018

Embed
What would you like to do?
Nginx
http {
server {
// redirect all to 443
listen 80 default server;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
location /sub1 {
proxy_pass http://localhost:1243/sub1;
}
location / {
proxy_pass http://localhost:1242/sub1;
}
}
}
#!/bin/bash
# Bash shell script for generating self-signed certs. Run this in a folder, as it
# generates a few files. Large portions of this script were taken from the
# following artcile:
#
# http://usrportage.de/archives/919-Batch-generating-SSL-certificates.html
#
# Additional alterations by: haze
# Date: 2018-08-01
# Script accepts a single argument, the fqdn for the cert
# ssl-gen domain-name
#Change to your company details
country=XX
state=XX
locality=XXXX
organization=XXX
organizationalunit=XXX
email=XXX@XXX.com
DOMAIN="$1"
if [ -z "$DOMAIN" ]; then
echo "Usage: $(basename $0) <domain>"
exit 11
fi
fail_if_error() {
[ $1 != 0 ] && {
unset PASSPHRASE
exit 10
}
}
ca_str="RootCA"
ROOTCA=$DOMAIN$ca_str
# Certificate details; replace items in angle brackets with your own info
subj="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$DOMAIN/emailAddress=$email"
casubj="/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$ROOTCA/emailAddress=$email"
# Root CA certificate
# generate root key
openssl genrsa -out $ROOTCA.key 4096
# create and sign the root certificate
openssl req -x509 -new -nodes -key $ROOTCA.key -sha256 -days 1024 -out $ROOTCA.crt -subj "$(echo -n "$casubj" | tr "\n" "/")" \
# ssl certficate
# Generate a passphrase
export PASSPHRASE=$(head -c 500 /dev/urandom | tr -dc a-z0-9A-Z | head -c 128; echo)
# Generate the server private key
openssl genrsa -des3 -out $DOMAIN.key -passout env:PASSPHRASE 4096
fail_if_error $?
# Generate the CSR
openssl req -sha256 \
-new \
-batch \
-subj "$(echo -n "$subj" | tr "\n" "/")" \
-key $DOMAIN.key \
-out $DOMAIN.csr \
-passin env:PASSPHRASE
fail_if_error $?
cp $DOMAIN.key $DOMAIN.key.org
fail_if_error $?
# Strip the password so we don't have to type it every time we restart Apache
openssl rsa -in $DOMAIN.key.org -out $DOMAIN.key -passin env:PASSPHRASE
fail_if_error $?
# remove original key
rm $DOMAIN.key.org
# Generate the cert (good for 10 years)
# openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt
# fail_if_error $?
openssl x509 -req -in $DOMAIN.csr -CA $ROOTCA.crt -CAkey $ROOTCA.key -CAcreateserial -out $DOMAIN.crt -days 3650 -sha256
fail_if_error $?
server {
listen 8000 default_server;
server_name _;
ssl on;
ssl_certificate /etc/ssl/certs/TBD.crt;
ssl_certificate_key /etc/ssl/certs/TBD.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#prevent 502 bad gateway
#large_client_header_buffers 8 32;
location /ws {
# prevents 502 bad gateway error
proxy_buffers 8 32k;
proxy_buffer_size 64k;
# redirect all HTTP traffic
proxy_pass http://xxxxxx:8000/ws;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-NginX-Proxy true;
# enables WS support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 999999999;
}
location / {
proxy_pass http://xxxxxx:8000/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.