Home Verkennen Help
Registreren Inloggen
blake
/
epri-vtn_custom
Volgen 1
Ster 0
Vork 0
Bestanden Kwesties 0 Pull-aanvragen 0 Wiki
Aftakking: PROD-1704
Aftakkingen Labels
epri-vtn_cus...
/
nginx.conf

nginx.conf 2.3 KB
Permalink Geschiedenis Ruwe

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. map $ssl_client_s_dn $ssl_client_s_dn_cn {
    2. 

  2. 	default "no_client_cert";
    3. 

  3. 	~(^|,)CN=(?<CN>[^,]+) $CN;
    4. 

  4. }
    5. 

  5. 

  6. server {
    7. 

  7.     listen 443 ssl;
    8. 

  8.     # TODO: nginx doesn't natively support env variable expansion here, but
    9. 

  9.     # you can eventually create a custom Dockerfile/entrypoint to populate
    10. 

  10.     # this value from an env variable rather than hard-coding.
    11. 

  11.     server_name vtn1.bsch.ca;
    12. 

  12.     root /dev/null;
    13. 

  13.     
    14. 

  14.     # next 3 lines force clients to provide a client cert, and ensure that the
    15. 

  15.     # cert is trusted by the chain in clientssl.crt.
    16. 

  16.     ssl_verify_client on;
    17. 

  17.     ssl_client_certificate /etc/ssl/clientssl.crt;
    18. 

  18.     ssl_verify_depth 2;
    19. 

  19. 

  20.     # Don't advertise
    21. 

  21.     server_tokens off;
    22. 

  22. 

  23.     # Don't merge slashes
    24. 

  24.     merge_slashes off;
    25. 

  25. 

  26.     location / {
    27. 

  27.         proxy_set_header  X-Real-IP        $remote_addr;
    28. 

  28.         proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    29. 

  29.         proxy_set_header  Host             $http_host;
    30. 

  30.         proxy_set_header  X-Forwarded-Proto $scheme;
    31. 

  31.         proxy_set_header  X-Forwarded-Ssl on;
    32. 

  32.         proxy_set_header  X-Forwarded-Port $server_port;
    33. 

  33.         proxy_set_header  X-Forwarded-Host $host;
    34. 

  34. 

  35.         # these next two headers are consumed by EPRI to validate client cert
    36. 

  36.         # CN vs. EPRI VEN Common Name.
    37. 

  37.         proxy_set_header  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; 
    38. 

  38.         proxy_set_header  HTTPS true;
    39. 

  39.         
    40. 

  40.         proxy_redirect    off;
    41. 

  41.         proxy_pass http://vtn-rails:8080;
    42. 

  42.     }
    43. 

  43. 

  44.     ssl_certificate /etc/ssl/ssl.crt;
    45. 

  45.     ssl_certificate_key /etc/ssl/ssl.key;
    46. 

  46. }
    47. 

  47. 

  48. server {
    49. 

  49.     listen 443 ssl;
    50. 

  50.     server_name admin.vtn1.bsch.ca;
    51. 

  51.     root /dev/null;
    52. 

  52. 

  53.     # Don't advertise
    54. 

  54.     server_tokens off;
    55. 

  55. 

  56.     # Don't merge slashes
    57. 

  57.     merge_slashes off;
    58. 

  58. 

  59.     location / {
    60. 

  60.         proxy_set_header  X-Real-IP        $remote_addr;
    61. 

  61.         proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    62. 

  62.         proxy_set_header  Host             $http_host;
    63. 

  63.         proxy_set_header  X-Forwarded-Proto $scheme;
    64. 

  64.         proxy_set_header  X-Forwarded-Ssl on;
    65. 

  65.         proxy_set_header  X-Forwarded-Port $server_port;
    66. 

  66.         proxy_set_header  X-Forwarded-Host $host;
    67. 

  67. 

  68.         proxy_set_header  HTTPS true;
    69. 

  69. 

  70.         proxy_redirect    off;
    71. 

  71.         proxy_pass http://vtn-rails:8080;
    72. 

  72.     }
    73. 

  73. 

  74.     ssl_certificate /etc/ssl/adminssl.crt;
    75. 

  75.     ssl_certificate_key /etc/ssl/adminssl.key;
    76. 

  76. }
    77. 

  77.