@headmin
Last active October 6, 2021 12:58
Nginx starter configuration (not for PROD) - assumes the `/etc/nginx/certs` directory is present to hold the certificates
server {
    # Listen on port 443 and turn TLS/SSL on for this listener
    # (the separate "ssl on;" directive is deprecated and was removed in nginx 1.25.1)
    listen 443 ssl;
    # Name of the server/website
    server_name example.com;
    # See https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_server_name
    proxy_ssl_server_name on;
    # This is the server SSL certificate
    ssl_certificate /etc/nginx/certs/example.com.pem;
    # This is the server certificate key
    ssl_certificate_key /etc/nginx/certs/example.com.key;
    # Important:
    # This is the CA cert against which the client/user will be validated.
    # In our case, since the server and the client certificates are
    # issued by the same CA, we use that CA's certificate (root.pem).
    # In actual production, the client certificate might be
    # issued by a different CA.
    ssl_client_certificate /etc/nginx/certs/root.pem;
    # Enables mutual TLS/two-way certificate authentication to verify the client
    ssl_verify_client on;
    # Maximum verification depth in the client certificate chain. A good
    # explanation of certificate chaining can be found at
    # https://cheapsslsecurity.com/p/what-is-ssl-certificate-chain/
    ssl_verify_depth 2;
    # Any error during the connection is logged to the following path
    # (the debug level needs an nginx binary built with --with-debug and is very verbose)
    error_log /var/log/nginx/error.log debug;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    # The cipher list is truncated on the page after the third suite; the
    # incomplete trailing entry is left out so that the directive parses.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    keepalive_timeout 10;
    ssl_session_timeout 5m;
    # Matches the "root" of the website
    # If the TLS handshake is successful, the request is routed to this block
    location / {
        # Path from which the website is served
        root /usr/share/nginx/content;
        # Index file name
        index index.html index.htm;
    }
}
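The configuration assumes the certificate files already exist. The script below is an added example, not part of the original gist: it creates a throwaway root CA and the files the config names, then uses `openssl verify` to show which certificates chain to `root.pem`, the check `ssl_verify_client on` depends on. The temporary directory, the subjects and the `client`/`rogue` file names are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added example. Every file and subject name here is constructed for the demo;
# "$dir" stands in for /etc/nginx/certs.

issue() {        # $1 = dir, $2 = base name, $3 = subject; signs with the demo root
  openssl req -newkey rsa:2048 -nodes -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

make_certs() {   # $1 = output dir
  # Root CA: root.pem is the file ssl_client_certificate points at.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Server pair for ssl_certificate / ssl_certificate_key.
  issue "$1" example.com "/CN=example.com"
  # Client certificate issued by the same root.
  issue "$1" client "/CN=demo-client"
  # Self-signed certificate with the same subject but no link to the root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-client" \
    -keyout "$1/rogue.key" -out "$1/rogue.pem" 2>/dev/null
}

client_ok() {    # $1 = dir, $2 = certificate file; status 0 if it chains to root.pem
  openssl verify -CAfile "$1/root.pem" "$1/$2" >/dev/null 2>&1
}

dir=$(mktemp -d)
make_certs "$dir"
for c in client.pem rogue.pem example.com.pem; do
  if client_ok "$dir" "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
done
```

The server's own certificate also passes, because the check only asks whether a certificate chains to `root.pem`. When server and client certificates share one CA, limiting access to specific clients takes an extra condition such as a match on `$ssl_client_s_dn`, or a CA used only for client certificates.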