{
"signing": {
"profiles": {
"web-servers": {
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
],
"expiry": "8760h"
}
}
}
}
{
"CN": "stj.me",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "California",
"ST": "San Francisco"
}
]
}
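# docker-compose.yml: nginx terminates TLS for the Pi-hole web UI and serves
# the CA certificate over plain HTTP for client installation; pihole runs DNS.
version: '3'
services:
  nginx:
    # Floating tag: pin to a specific version or digest if you want
    # reproducible, reviewable upgrades.
    image: nginx:alpine
    # Expose both 80 and 443. Port mappings are quoted so a YAML parser
    # never reinterprets "host:container" as a number.
    ports:
      - "80:80"
      - "443:443"
    # Mount our config, public CA, and server keys (all read-only).
    # Only the server key is mounted; ca-key.pem stays on the host.
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ca.pem:/var/www/html/ca.pem:ro
      - ./server.pem:/etc/certs/server.pem:ro
      - ./server-key.pem:/etc/certs/server-key.pem:ro
    # depends_on only orders startup (pihole first). Both services sit on the
    # default compose network, which is what lets nginx.conf proxy_pass to
    # http://pihole by service name.
    depends_on:
      - pihole
  # For more information on the following configuration,
  # checkout https://hub.docker.com/r/pihole/pihole
  pihole:
    # Untagged image resolves to "latest"; pin a version for predictable upgrades.
    image: pihole/pihole
    hostname: pihole
    # The web UI is reachable only from the compose network (through nginx),
    # not published on the host.
    expose:
      - 80
    ports:
      # DNS ports. These bind to every host interface; if the host is reachable
      # from untrusted networks, prefix a LAN address (e.g. "<LAN_IP>:53:53/tcp")
      # so the resolver is not open to the wider internet.
      - "53:53/tcp"
      - "53:53/udp"
    dns:
      # Local first
      - 127.0.0.1
      # Cloudflare next
      - 1.1.1.1
    environment:
      ServerIP: "127.0.0.1"
      # No admin password is configured here; the image generates one at
      # startup (check the container log). Prefer supplying WEBPASSWORD from an
      # env file kept out of version control rather than committing it here.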
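# Builds a local CA and a server certificate with cfssl, then starts the stack.
# docker and clean produce no file of that name, so mark them phony; otherwise
# a stray file called "docker" or "clean" would silently disable the target.
.PHONY: docker clean

docker: ca.pem server.pem server-key.pem
	docker-compose up

# Self-signed root CA. cfssljson -bare ca writes ca.pem, ca-key.pem and ca.csr.
# ca-key.pem is the trust root for everything below: it never leaves the host
# (docker-compose.yml only mounts ca.pem). With a parallel make this recipe
# can run once per listed target; run it serially.
ca.pem ca-key.pem:
	cfssl gencert \
	  -initca ca-csr.json | cfssljson -bare ca

# Server certificate signed by the CA above using the web-servers profile from
# ca-config.json. The CA files are real prerequisites, so building this target
# on its own no longer fails on a fresh checkout.
server.pem server-key.pem: ca.pem ca-key.pem
	cfssl gencert \
	  -ca=ca.pem \
	  -ca-key=ca-key.pem \
	  -config=ca-config.json \
	  -profile=web-servers \
	  server-csr.json | cfssljson -bare server

# Removes every generated key, certificate and CSR, including ca-key.pem;
# -f keeps this from erroring when nothing has been generated yet.
clean:
	rm -f *.pem *.csr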
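# nginx.conf: mounted over /etc/nginx/nginx.conf (see docker-compose.yml), so
# this file is the complete main configuration, not an include snippet.

# nginx refuses to start without an events block when this is the main config.
events {}

http {
    # Serve the root certificate for client installation.
    # This is plain HTTP by design: the client does not trust the CA yet, so
    # it cannot verify a TLS endpoint. Anyone on the path could substitute a
    # different certificate; confirm the fingerprint out of band after download.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /var/www/html;

        # Redirect to the ca.pem file
        location / {
            return 301 /ca.pem;
        }

        # Filename matters here, otherwise iOS will not recognize it
        location /ca.pem {}
    }

    # Redirect pi-hole http traffic to https
    server {
        listen 80;
        listen [::]:80;
        server_name pihole.stj.me;
        return 301 https://$host$request_uri;
    }

    # Proxy pihole container over https
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name pihole.stj.me;

        # Use the certificates we made: server.pem is issued by the ca.pem
        # served above, via the "web-servers" profile in ca-config.json.
        ssl_certificate /etc/certs/server.pem;
        ssl_certificate_key /etc/certs/server-key.pem;
        # Disable legacy TLS 1.0/1.1; only current protocol versions are offered.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Proxy all requests to the pihole docker container, reached by its
        # compose service name over the shared container network.
        location / {
            proxy_pass http://pihole;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_buffering off;
            # WebSocket upgrade passthrough
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}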
{
"CN": "pihole",
"hosts": [
"pihole.stj.me"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "CA",
"ST": "San Francisco"
}
]
}