@tuxmartin
Last active March 17, 2016 14:15
APT HTTPS - authentication with client SSL certificates
root@martin:/etc/nginx# cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    # --- if a particular client is to be redirected elsewhere
    # map cannot be placed inside server{}
    # note: nginx 1.11.6 and later report $ssl_client_s_dn in RFC 2253 form ("CN=...,O=...");
    # the slash-based pattern below then has to be applied to $ssl_client_s_dn_legacy instead
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default $remote_user;
        ~/CN=(?<CN>[^/]+) $CN;
    }
    # --- if a particular client is to be redirected elsewhere

    server {
        listen 443;
        ssl on;
        server_name "localhost";

        ssl_certificate /etc/nginx/easy-rsa/keys/localhost.crt;
        ssl_certificate_key /etc/nginx/easy-rsa/keys/localhost.key;
        ssl_client_certificate /etc/nginx/easy-rsa/keys/ca.crt;
        ssl_verify_client on;
        ssl_verify_depth 2;

        # note: SSLv3 and the RC4/LOW cipher groups are obsolete and should not be enabled on a production server
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;

        root /var/www/;

        location / {
            if ($ssl_client_verify != SUCCESS) { return 403; }
            # --- if a particular client is to be redirected elsewhere
            if ($ssl_client_s_dn_cn = "client2") { return 302 http://google.cz/; }
            # --- if a particular client is to be redirected elsewhere
            autoindex on; # directory listing
        }
    }
}
apt-get install nginx-full
cd /etc/nginx/

# CA and certificate generation:
apt-get install easy-rsa
cp -R /usr/share/easy-rsa/ /etc/nginx/
chmod 0700 /etc/nginx/easy-rsa/
# edit "vars"
. ./vars
./clean-all
./build-ca
./build-dh
./build-key-server localhost
		# change localhost to a valid hostname!
		#Sign the certificate? [y/n]:y		!!!
		#1 out of 1 certificate requests certified, commit? [y/n]y	!!!
./build-key client
		#Sign the certificate? [y/n]:y		!!!
		#1 out of 1 certificate requests certified, commit? [y/n]y	!!!

service nginx restart
# create a PFX-format certificate that can be imported into Google Chrome
openssl pkcs12 -export -out /tmp/client.pfx -inkey /etc/nginx/easy-rsa/keys/client.key -in /etc/nginx/easy-rsa/keys/client.crt

If I am generating certificates for further clients:

cd /etc/nginx/easy-rsa/
. ./vars
	# running vars is important!!!
./build-key clientABC
		#Sign the certificate? [y/n]:y		!!!
		#1 out of 1 certificate requests certified, commit? [y/n]y	!!!

cp /etc/nginx/easy-rsa/keys/{ca.crt,clientABC.crt,clientABC.key} /tmp/
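The easy-rsa steps above (CA, server key, one client key, then further clients) can be rehearsed and checked with plain openssl before anything is copied into /etc/nginx. The script below is an added example, not part of the gist and not easy-rsa's code: it builds a throwaway CA and certificates in a scratch directory, then runs the same chain check that nginx's ssl_client_certificate + ssl_verify_client performs, extracts the CN that the nginx map puts into $ssl_client_s_dn_cn, shows that a client certificate from a different CA is rejected, and writes the PFX bundle. It assumes openssl is on PATH; the "Test CA" subject, the empty PFX password and the temporary directories are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the gist: reproduce the easy-rsa steps with plain
# openssl in a scratch directory and run the checks nginx performs on a client
# certificate (ssl_client_certificate + ssl_verify_client) ahead of deployment.
# Assumptions: openssl is on PATH; nothing here touches /etc/nginx or /etc/apt.
set -eu

# make_ca DIR: self-signed CA, key and cert in DIR (the role of ./build-ca)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME: key, CSR and CA-signed certificate for NAME
# (./build-key NAME, or ./build-key-server for the server certificate)
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

# verify_against_ca CAFILE CERT: succeeds only if CERT chains to CAFILE;
# a client whose certificate fails this gets nginx's 400 / 403, never content
verify_against_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# client_cn CERT: the CN that the nginx map would place in $ssl_client_s_dn_cn
client_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# export_pfx DIR NAME: PKCS#12 bundle for browser import (the gist's pkcs12 step);
# the empty export password is an assumption made for the demo
export_pfx() {
  openssl pkcs12 -export -passout pass: -out "$1/$2.pfx" \
    -inkey "$1/$2.key" -in "$1/$2.crt"
}

# demo: one CA, one server cert, two clients; a client from a second CA must be rejected
demo() {
  d=$(mktemp -d); rogue=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" localhost      # server certificate; use the real hostname in practice
  issue_cert "$d" client
  issue_cert "$d" clientABC
  make_ca "$rogue"; issue_cert "$rogue" client   # same CN, different (untrusted) CA
  for c in client clientABC; do
    verify_against_ca "$d/ca.crt" "$d/$c.crt" && echo "$c: accepted (CN=$(client_cn "$d/$c.crt"))"
  done
  verify_against_ca "$d/ca.crt" "$rogue/client.crt" || echo "rogue client: rejected"
  export_pfx "$d" client && echo "PFX written: $d/client.pfx"
}

demo
```

Against a running nginx with the gist's configuration, the same check from the client side is `curl --cacert ca.crt --cert client.crt --key client.key https://localhost/`, which should return the welcome page, while the same call without --cert/--key gets the "No required SSL certificate was sent" 400 shown below.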

After opening https://localhost/ in Chrome (and accepting the untrusted certificate) I get:

400 Bad Request
No required SSL certificate was sent
nginx/1.9.3 (Ubuntu)

After importing /tmp/client.pfx into Chrome I get the page (HTTP 200 OK):

Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working....

APT source:

apt-get install apt-transport-https

Into /etc/apt/sources.list.d/test.list I put:

deb https://localhost/ ./

Before configuring the certificate:

root@martin:# apt-get update
Hit http://cz.archive.ubuntu.com wily InRelease
...
Hit http://cz.archive.ubuntu.com wily/restricted amd64 Packages
Hit http://cz.archive.ubuntu.com wily/universe amd64 Packages
Hit http://cz.archive.ubuntu.com wily-updates/restricted Sources
Err https://localhost ./ Packages
  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Hit http://cz.archive.ubuntu.com wily-updates/universe Sources
W: Failed to fetch https://localhost/./Packages  server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

E: Some index files failed to download. They have been ignored, or old ones used instead.
root@martin:/etc/nginx#

Into /etc/apt/apt.conf.d/90test I put:

#Acquire::https::test.com {
Acquire::https::localhost {
    Verify-Peer "true";
    Verify-Host "false";

    CaInfo "/etc/apt/ca.crt";
    SslCert "/etc/apt/client.crt";
    SslKey  "/etc/apt/client.key";
};

For self-signed certificates Verify-Host has to be false. If it is true, errors like this can occur (Verify-Host compares the certificate's subject name with the host in the APT source URL, which is why the server certificate should be issued for the hostname actually used, as noted at build-key-server above):

certificate subject name (localhost) does not match target host name 'example.net'

Every PC must have the CA certificate, its own certificate and its own key:

cp /etc/nginx/easy-rsa/keys/{ca.crt,client.crt,client.key} /etc/apt/

Now the update works:

(it returns HTTP 404 because there are no packages on the web server yet)

root@martin:# apt-get update
Get:1 https://localhost ./ InRelease [177 B]
Ign https://localhost ./ InRelease
Get:2 https://localhost ./ Release.gpg [177 B]
Ign https://localhost ./ Release.gpg
Get:3 https://localhost ./ Release [177 B]
Ign https://localhost ./ Release
Get:4 https://localhost ./ Packages [177 B]
Get:5 https://localhost ./ Translation-en [177 B]
Get:6 https://localhost ./ Translation-cs [177 B]
Get:7 https://localhost ./ Packages [177 B]
Get:8 https://localhost ./ Translation-en [177 B]
Get:9 https://localhost ./ Translation-cs [177 B]
Get:10 https://localhost ./ Packages [177 B]
Get:11 https://localhost ./ Translation-en [177 B]
Get:12 https://localhost ./ Translation-cs [177 B]
Hit http://cz.archive.ubuntu.com wily InRelease
Get:13 https://localhost ./ Packages [177 B]
Get:14 https://localhost ./ Translation-en [177 B]
Get:15 https://localhost ./ Translation-cs [177 B]
Get:16 https://localhost ./ Packages [177 B]
Err https://localhost ./ Packages
  HttpError404
Get:17 https://localhost ./ Translation-en [177 B]
Ign https://localhost ./ Translation-en
Get:18 https://localhost ./ Translation-cs [177 B]
Ign https://localhost ./ Translation-cs
Hit http://security.ubuntu.com wily-security/universe Translation-en
W: Failed to fetch https://localhost/./Packages  HttpError404

E: Some index files failed to download. They have been ignored, or old ones used instead.
root@martin:#

Tested on:

root@martin:/# uname -a
Linux martin 4.2.0-34-generic #39-Ubuntu SMP Thu Mar 10 22:13:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@martin:/# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 15.10
Release:	15.10
Codename:	wily
root@martin:/#