
@zmajstor
Last active August 29, 2015 14:14
nginx for Rails development
# NGinx SSL certificate authentication signed by intermediate CA (chain)
# http://stackoverflow.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain?rq=1
# Mutual TLS: only client certificates issued by one specific intermediate
# CA are accepted; everything else is answered with 403.
server {
    listen 443 ssl;

    # Server identity — fill in the paths for this host.
    ssl_certificate ...
    ssl_certificate_key ...

    # Trust anchors for client verification. The bundle has to contain the
    # intermediate and the root so a chain client -> intermediate -> root
    # can be built; ssl_verify_depth 2 allows that extra CA level.
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_depth 2;
    ssl_verify_client on;

    # Restrict to one issuer. The DN below is in the legacy "/C=..." form;
    # newer nginx releases emit $ssl_client_i_dn in RFC 2253 form and keep the
    # old form in $ssl_client_i_dn_legacy, so check the format on the nginx
    # version in use or this comparison will fail for every client.
    if ($ssl_client_i_dn != "/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com") {
        return 403;
    }
}
# https://github.com/novapost/django-x509#nginx-configuration-for-certificate
# Backend the TLS front end proxies to, reached over plain TCP on localhost.
upstream app_server {
    # fail_timeout=0 is the usual gunicorn/django example setting, intended
    # so the single backend is never marked unavailable after a failure.
    server 127.0.0.1:8000 fail_timeout=0;
}
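# TLS front end with optional client-certificate authentication; the
# verification result is forwarded to the WSGI application in request headers.
server {
    # 'ssl' on the listen line replaces the obsolete 'ssl on;' directive.
    listen 443 ssl default_server;

    location / {
        try_files $uri @proxy_to_app;
    }

    # Proxy to frontend application (WSGI).
    location @proxy_to_app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This listener is TLS-only, so the scheme can be hard-coded.
        proxy_set_header X-Forwarded-Proto 'https';
        proxy_set_header Host $http_host;

        # Forward the x509 credentials. proxy_set_header replaces any
        # same-named header sent by the client, so the application may
        # trust these values — but only for requests that really came
        # through this proxy; the backend on 127.0.0.1:8000 should not be
        # reachable any other way. Because ssl_verify_client is optional,
        # the application must check SSL-client-verify for "SUCCESS"
        # before relying on the serial or DN (WSGI sees them as
        # HTTP_SSL_CLIENT_SERIAL / HTTP_SSL_CLIENT_DN / HTTP_SSL_CLIENT_VERIFY).
        proxy_set_header SSL-client-serial $ssl_client_serial;
        proxy_set_header SSL-client-dn $ssl_client_s_dn;
        proxy_set_header SSL-client-verify $ssl_client_verify;
        proxy_redirect off;
        proxy_pass http://app_server;
    }

    ssl_certificate /etc/ssl/www-domain.crt;
    ssl_certificate_key /etc/ssl/www-domain.key;

    # CA bundle the client certificates are verified against.
    ssl_client_certificate /etc/ssl/org-ca.crt;
    # optional: a request that presents no certificate is still served
    # ($ssl_client_verify is then NONE).
    ssl_verify_client optional; # on | off | optional | optional_no_ca

    # SSLv3 removed (POODLE). TLSv1/TLSv1.1 are kept only for old clients
    # and can be dropped once they are no longer needed.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # The original string read "!DES!3DES" without a separator, which is most
    # likely parsed as a single malformed rule so the 3DES exclusion never
    # applied; every exclusion is now its own ':'-separated rule.
    ssl_ciphers HIGH:!RC4:!DES:!3DES:!RC2:!MD5:!EXP:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;
}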
# Present the example client certificate to the listener above; --insecure
# skips verification of the self-signed server certificate for this local test.
curl --insecure 'https://localhost' \
     --cert examples/localhost/client.crt \
     --key examples/localhost/client.key
{'CONTENT_LENGTH': '',
'CONTENT_TYPE': '',
'HTTP_ACCEPT': '*/*',
'HTTP_CONNECTION': 'close',
'HTTP_HOST': 'localhost',
'HTTP_SSL_CLIENT_DN': '/C=FR/ST=Ile-de-France/L=Paris/O=Test Ltd/OU=Test/CN=Alain Dupont/emailAddress=alain.dupont@localhost',
'HTTP_SSL_CLIENT_SERIAL': 'CA92CBE98DDD421A9E4263254E413017',
'HTTP_SSL_CLIENT_VERIFY': 'SUCCESS',
'HTTP_USER_AGENT': 'curl/7.32.0',
'HTTP_X_FORWARDED_FOR': '127.0.0.1',
'HTTP_X_FORWARDED_PROTO': 'https',
'PATH_INFO': '/',
'QUERY_STRING': '',
'REMOTE_ADDR': '127.0.0.1',
'REMOTE_PORT': 51923,
'REQUEST_METHOD': 'GET',
'SCRIPT_NAME': '',
'SERVER_NAME': '127.0.0.1',
'SERVER_PORT': '8000',
'SERVER_PROTOCOL': 'HTTP/1.0',
'SERVER_SOFTWARE': 'Werkzeug/0.9.4',
'werkzeug.request': <Request 'http://localhost/' [GET]>,
'werkzeug.server.shutdown': <function shutdown_server at 0xb6d6eb1c>,
'wsgi.errors': <open file '<stderr>', mode 'w' at 0xb75250d0>,
'wsgi.input': <socket._fileobject object at 0xb6d698ec>,
'wsgi.multiprocess': False,
'wsgi.multithread': False,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.version': (1, 0)}
# idea from http://that-matt.com/2014/06/05/setting-up-ssl-for-rails-development.html
# usually in /usr/local/etc/nginx
# One worker is enough for a local development proxy.
worker_processes 1;

events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;

    # TLS terminator in front of the Rails development server on :3000.
    server {
        listen 8080 ssl;
        server_name dev.promdm.net;

        # Development certificate and key.
        ssl_certificate /usr/local/etc/nginx/ssl/server.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/server.key;
        # ssl on;  -- not needed, 'ssl' on the listen line enables TLS
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # The site is addressed without :8080, so redirects must not carry
        # the port; proxy_redirect rewrites the app's own Location headers
        # the same way.
        port_in_redirect off;

        location / {
            proxy_pass http://127.0.0.1:3000;
            proxy_redirect https://dev.promdm.net:8080/ https://dev.promdm.net/;

            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Real-IP $remote_addr;
            # Let the application know the original request arrived over TLS.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-SSL 1;
        }
    }
}