Created
January 17, 2018 12:45
DigiDocService (http://sk-eid.github.io/dds-documentation/) Nginx proxy configuration
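server {
    # TLS listener for the DigiDocService (DDS) proxy. The "ssl on;" directive
    # is deprecated in nginx; enabling TLS on the listen directive is the
    # supported form and behaves the same.
    listen 8000 ssl;
    server_name dds.mydomain.com;

    access_log /var/log/nginx/dds.mydomain.com.access.log;
    error_log /var/log/nginx/dds.mydomain.com.error.log;

    ssl_certificate /my/server/cert/dds.mydomain.com.bundle.crt;
    ssl_certificate_key /my/server/cert/private/dds.mydomain.com.key;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated. The only clients are our own cloud
    # applications, so restricting the listener to TLS 1.2 costs nothing.
    ssl_protocols TLSv1.2;
    # Forward-secret (ECDHE/DHE) suites only. The original list also offered
    # static-RSA AES, CAMELLIA and 3DES (DES-CBC3-SHA); none are needed by
    # our own callers, so they are dropped. The explicit exclusions are kept.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    # Generated separately (see the notes below the file); required for the
    # DHE suites above.
    ssl_dhparam /etc/ssl/dhparams.pem;

    location / {
        # Shared-secret gate: the proxy sits on a static IP that DDS trusts, so
        # anyone who can reach it could otherwise use our DDS access. Callers
        # must send "Authorization: Bearer <secret>"; anything else is rejected
        # before the request is forwarded. Using "if" here is safe because the
        # block contains only "return".
        if ($http_authorization != 'Bearer CHANGEMEsuperSecretKeySoThatRandomPeopleDontUseMyService') {
            return 401;
        }

        proxy_pass https://digidocservice.sk.ee;
        # Do not leak our own bearer secret to the upstream service.
        proxy_set_header Authorization "";
        # Send SNI and verify the upstream certificate, so the proxied traffic
        # cannot be silently redirected to an impostor DDS endpoint.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        # CHANGEME: point at your distribution's CA bundle (path below is the
        # Debian/Ubuntu location).
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}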
This is needed because DigiDocService (DDS/SK) has an IP whitelist, but in cloud environments your public IP can change any time. So the solution is to deploy a proxy to a server that has a static IP and all your cloud apps can call DDS services via the proxy.
The /etc/ssl/dhparams.pem file can be generated with OpenSSL: openssl dhparam -out /etc/ssl/dhparams.pem 4096
IMPORTANT: Don't forget to change CHANGEMEsuperSecretKeySoThatRandomPeopleDontUseMyService to a secret of your choice! All callers of the proxy have to provide the secret in the "Authorization: Bearer <secret>" request header.