@jgdev
Last active February 12, 2024 12:04
Generate SSL Self-Signed Certificate

Installation

  • sudo echo "127.0.0.1 yourhostname.dev" >> /etc/hosts
  • brew install nginx
  • brew services start nginx
  • export CERT_NAME=yourhostname.dev
  • export SSL_FOLDER=/etc/ssl
  • export NGINX=/opt/homebrew/etc/nginx
  • chmod +x ./generate_certificate.sh

generate_certificate.sh

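#!/bin/bash
#
# Generate a self-signed certificate and an unencrypted private key for a
# development hostname, optionally installing them into an SSL folder.
#
# Usage: generate_certificate.sh <hostname> [-i [ssl_folder]]
#   $1  hostname; used as the CN and as SAN together with its wildcard
#       *.<hostname>
#   $2  "-i" moves the pair under the SSL folder instead of leaving it in
#       the current directory
#   $3  SSL folder used with -i (default: /etc/ssl, written via sudo)
#
# Outputs: prints the final path of the .pem and the .key, one per line.
# Returns: 0 on success; exits non-zero (set -e) when no hostname is given
#          or when openssl, mkdir or mv fails.
set -euo pipefail

name=${1:?usage: ${0##*/} <hostname> [-i [ssl_folder]]}

# Self-signed, RSA-2048, valid one year. The SAN carries the host and its
# wildcard because modern clients ignore the CN. -nodes leaves the key
# unencrypted, so file permissions are the only thing protecting it.
# -addext requires OpenSSL 1.1.1 or newer.
openssl req \
  -x509 \
  -new \
  -newkey rsa:2048 \
  -keyout "${name}.key" \
  -nodes \
  -out "${name}.pem" \
  -days 365 \
  -subj "/C=DO/ST=Santo Domingo/L=Distrito Nacional/O=JGDev/OU=IT/CN=${name}" \
  -addext "subjectAltName=DNS:${name},DNS:*.${name}"

# openssl builds differ in the mode they give -keyout; enforce owner-only
# access on the unencrypted key regardless (mv preserves it).
chmod 600 "${name}.key"

cert_path=./${name}.pem
key_path=./${name}.key

# Only the default system location needs elevated privileges.
use_sudo=0

#######################################
# Run a command, prefixed with sudo when installing into /etc/ssl.
# Globals:   use_sudo (read)
# Arguments: the command and its arguments
# Returns:   the command's exit status
#######################################
run_install() {
  if (( use_sudo )); then
    sudo "$@"
  else
    "$@"
  fi
}

if [[ "${2:-}" == "-i" ]]; then
  ssl_folder=${3:-/etc/ssl}
  if [[ "$ssl_folder" == "/etc/ssl" ]]; then
    use_sudo=1
  fi
  # -p creates the folder and both subfolders in one step and tolerates
  # any that already exist.
  run_install mkdir -p -- "${ssl_folder}/certs" "${ssl_folder}/private"
  run_install mv -- "${name}.pem" "${ssl_folder}/certs/"
  run_install mv -- "${name}.key" "${ssl_folder}/private/"
  cert_path=${ssl_folder}/certs/${name}.pem
  key_path=${ssl_folder}/private/${name}.key
fi

# Report where the files actually ended up (without -i they stay in the
# current directory).
printf '%s created\n' "$cert_path" "$key_path"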

Create the cert and key

  • ./generate_certificate.sh $CERT_NAME -i

Trust certificate

  • sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/ssl/certs/$CERT_NAME.pem

Add nginx extra ssl parameters

  • sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  • mkdir $NGINX/snippets && touch $NGINX/snippets/ssl-params.conf

ssl-params.conf

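# Shared TLS settings, included from every `listen 443 ssl` server block.
# TLS 1.3 negotiates its own fixed suites and is not governed by ssl_ciphers;
# the cipher list below only applies to TLS 1.2.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Forward-secret (ECDHE/DHE) suites only. Names of the form
# *-AES256-GCM-SHA512 do not exist in OpenSSL and were silently ignored,
# so they have been dropped; the effective list is unchanged.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# OCSP stapling has no effect for a self-signed certificate (there is no
# responder to query); the resolver is only needed once stapling is enabled.
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Note: add_header directives are not inherited into a location that sets
# its own add_header; repeat them there if that ever happens.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# Legacy header that current browsers ignore; a Content-Security-Policy is
# the modern replacement. Kept for older clients.
add_header X-XSS-Protection "1; mode=block";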

Generate a virtual server

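# Requires CERT_NAME, SSL_FOLDER and NGINX from the Installation step; stop
# with a message instead of writing a config full of empty values.
: "${CERT_NAME:?}" "${SSL_FOLDER:?}" "${NGINX:?}"
# Shell variables expand inside the here-doc; nginx's own $variables are
# escaped as \$ so they reach the file literally. `http2 on;` needs
# nginx >= 1.25.1.
tmp=$(cat << EOF
server {
  listen 80;
  server_name $CERT_NAME;
  return 302 https://$CERT_NAME\$request_uri;
}
server {
  listen 443 ssl;
  http2 on;
  server_name $CERT_NAME;

  ssl_certificate $SSL_FOLDER/certs/$CERT_NAME.pem;
  ssl_certificate_key $SSL_FOLDER/private/$CERT_NAME.key;
  include $NGINX/snippets/ssl-params.conf;

  location / {
    proxy_pass http://localhost:4000;
    proxy_set_header Host \$http_host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
  }
}
EOF
) && printf '%s\n' "$tmp" > "$NGINX/servers/$CERT_NAME"
# printf with a quoted "$tmp" keeps the line structure; an unquoted echo
# would word-split the config onto a single line.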

Restart nginx

  • brew services restart nginx