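# Local HTTPS dev setup (macOS/Homebrew): hostname, nginx, and the variables
# the remaining steps read (CERT_NAME, SSL_FOLDER, NGINX).
export CERT_NAME=yourhostname.dev
export SSL_FOLDER=/etc/ssl
export NGINX=/opt/homebrew/etc/nginx

# Map the dev hostname to loopback. `sudo echo ... >> /etc/hosts` does not
# work: echo runs as root but the `>>` append is done by the unprivileged
# shell and fails with "Permission denied". Let tee do the write as root,
# and skip it if the entry is already there so re-running does not duplicate.
grep -qF -- "$CERT_NAME" /etc/hosts \
  || printf '127.0.0.1 %s\n' "$CERT_NAME" | sudo tee -a /etc/hosts >/dev/null

brew install nginx
# NOTE(review): started as the current user here; the server block written
# later listens on 80/443 and reads a key under /etc/ssl/private, which may
# require nginx to run as root (sudo brew services start nginx) — confirm.
brew services start nginx

chmod +x ./generate_certificate.sh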
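#!/bin/bash
# generate_certificate.sh — create a self-signed certificate for a dev hostname.
#
# Usage: generate_certificate.sh HOSTNAME [-i [SSL_FOLDER]]
#   HOSTNAME   certificate CN; subjectAltName covers HOSTNAME and *.HOSTNAME
#   -i         install HOSTNAME.pem into SSL_FOLDER/certs and HOSTNAME.key
#              into SSL_FOLDER/private (SSL_FOLDER defaults to /etc/ssl and
#              is then written through sudo)
#
# Writes HOSTNAME.pem (certificate) and HOSTNAME.key (private key, stored
# without a passphrase because of -nodes) in the current directory, then
# optionally moves them into place and prints their final paths.
set -euo pipefail

if [[ $# -lt 1 || -z "$1" ]]; then
  printf 'usage: %s HOSTNAME [-i [SSL_FOLDER]]\n' "${0##*/}" >&2
  exit 2
fi
host=$1
use_sudo=0

#######################################
# Run a command, through sudo only when installing under /etc/ssl.
# Globals:   use_sudo (read)
# Arguments: the command and its arguments
#######################################
as_owner() {
  if (( use_sudo )); then
    sudo "$@"
  else
    "$@"
  fi
}

openssl req \
  -x509 \
  -new \
  -newkey rsa:2048 \
  -keyout "$host.key" \
  -nodes \
  -out "$host.pem" \
  -days 365 \
  -subj "/C=DO/ST=Santo Domingo/L=Distrito Nacional/O=JGDev/OU=IT/CN=$host" \
  -addext "subjectAltName=DNS:$host,DNS:*.$host"

# The key is unencrypted (-nodes) so nginx can load it unattended; anyone who
# can read it can impersonate $host, so restrict it to its owner. The
# certificate is public and may stay world-readable.
chmod 600 -- "$host.key"
chmod 644 -- "$host.pem"

if [[ "${2:-}" == "-i" ]]; then
  SSL_FOLDER=${3:-/etc/ssl}
  # /etc/ssl is root-owned; any other folder is assumed writable by the caller.
  if [[ "$SSL_FOLDER" == "/etc/ssl" ]]; then
    use_sudo=1
  fi
  # mkdir -p creates SSL_FOLDER itself as well as certs/ and private/ (the
  # original created "cets/" by typo and then failed to move into certs/).
  as_owner mkdir -p -- "$SSL_FOLDER/certs" "$SSL_FOLDER/private"
  as_owner mv -- "$host.pem" "$SSL_FOLDER/certs/"
  as_owner mv -- "$host.key" "$SSL_FOLDER/private/"
  echo "$SSL_FOLDER/certs/$host.pem created"
  echo "$SSL_FOLDER/private/$host.key created"
else
  # Not installed: the files stay where openssl wrote them.
  echo "./$host.pem created"
  echo "./$host.key created"
fi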
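# Generate and install the certificate. The script is generate_certificate.sh
# (with the suffix, as made executable earlier); with -i it moves the .pem to
# /etc/ssl/certs and the .key to /etc/ssl/private.
./generate_certificate.sh "$CERT_NAME" -i

# Trust the self-signed certificate system-wide. Read it from where the
# script installed it (/etc/ssl/certs, not /etc/ssl), and limit the trust to
# TLS server identity (-p ssl) rather than every policy: this makes the
# machine accept anything signed with $CERT_NAME.key, so that key must stay
# readable only by root.
sudo security add-trusted-cert -d -r trustRoot -p ssl \
  -k /Library/Keychains/System.keychain "/etc/ssl/certs/$CERT_NAME.pem"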
Add extra nginx SSL parameters
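# Diffie-Hellman parameters for the DHE-* suites; the snippet below points
# ssl_dhparam at this file.
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

# Create the snippet file the server block `include`s. `mkdir -p` so that
# re-running the setup does not fail on an existing directory; the TLS
# directives that follow go into this file.
mkdir -p -- "$NGINX/snippets"
touch -- "$NGINX/snippets/ssl-params.conf"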
# ssl-params.conf — shared TLS settings, included by the server block below.

# Only TLS 1.2 is offered; TLS 1.3 is not in this list. NOTE(review): add
# TLSv1.3 here if the installed nginx/OpenSSL build supports it — confirm.
ssl_protocols TLSv1.2;
# The server's cipher order takes precedence over the client's.
ssl_prefer_server_ciphers on;
# Generated by `openssl dhparam` in the setup steps; used by the DHE-* suites.
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# NOTE(review): the two *-AES256-GCM-SHA512 names do not match OpenSSL cipher
# names (AES-GCM suites pair with SHA384), so they are skipped silently and
# only the last three entries take effect — confirm with
# `openssl ciphers -v '<this list>'`.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Stapling is left off: the certificate is self-signed (openssl req -x509),
# so there is no OCSP responder to staple from.
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx >= 1.3.7
# NOTE(review): the resolver is only consulted for stapling (off above) or
# for proxy_pass targets given as variables; harmless but presumably unused here.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Response hardening headers. NOTE(review): in nginx, an add_header inside a
# location block replaces (does not extend) these — keep that in mind if the
# server block gains its own add_header lines.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# NOTE(review): X-XSS-Protection is a legacy header that current browsers
# ignore; a Content-Security-Policy is the modern replacement — confirm.
add_header X-XSS-Protection "1; mode=block";
Generate a virtual server
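# Write the virtual server for $CERT_NAME straight into nginx's servers/
# directory. The original captured the heredoc into $tmp and wrote it with an
# unquoted `echo $tmp`, which collapsed the file onto one line and exposed the
# text to word splitting and globbing. Shell variables ($CERT_NAME,
# $SSL_FOLDER, $NGINX) are expanded now; nginx's own variables are escaped
# (\$request_uri, \$http_host, ...) so they reach the file verbatim.
# NOTE(review): `http2 on;` is the newer directive form (older nginx used
# `listen 443 ssl http2;`) — confirm against the installed nginx version.
: "${CERT_NAME:?CERT_NAME must be set}" \
  "${SSL_FOLDER:?SSL_FOLDER must be set}" \
  "${NGINX:?NGINX must be set}"
cat > "$NGINX/servers/$CERT_NAME" <<EOF
server {
  listen 80;
  server_name $CERT_NAME;
  return 302 https://$CERT_NAME\$request_uri;
}
server {
  listen 443 ssl;
  http2 on;
  server_name $CERT_NAME;
  ssl_certificate $SSL_FOLDER/certs/$CERT_NAME.pem;
  ssl_certificate_key $SSL_FOLDER/private/$CERT_NAME.key;
  include $NGINX/snippets/ssl-params.conf;
  location / {
    proxy_pass http://localhost:4000;
    proxy_set_header Host \$http_host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
  }
}
EOF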
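# Validate the configuration first so a typo in the new server block does not
# take nginx down on restart. NOTE(review): the key lives under
# /etc/ssl/private, installed via sudo, so `nginx -t` (and nginx itself) must
# run with permission to read it; if this fails as your user, run the check
# and the service as root — confirm on your setup.
nginx -t && brew services restart nginx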