SSL Client certificate authentication demo
*.crt
*.key
*.log
*.pem
*.req
.vagrant/
require 'sinatra'
# Echo the client-certificate subject DN that the nginx front end forwards in
# the `SSL-Client-DN` header (Rack exposes it as HTTP_SSL_CLIENT_DN).
# NOTE(review): the app trusts this header as-is; anything that can reach the
# Rack listener directly, bypassing nginx, could supply its own value, so the
# listener must only be reachable from the proxy.
get '/' do
  client_dn = env['HTTP_SSL_CLIENT_DN']
  client_dn.inspect
end
#!/bin/bash
# Exercise the demo: present client.crt/client.key to the nginx front end,
# which Vagrant exposes on host port 4343 (guest port 443).
set -o errexit

# --insecure (-k) skips verification of the *server* certificate, so the
# --cacert argument does not constrain which server is accepted; presumably
# it is needed because the server certificate's CN is "localhost-server",
# which would not match the "localhost" in the URL. The client certificate
# is still sent and is verified by nginx.
curl --verbose --silent --insecure \
  --cacert ca.crt \
  --key client.key \
  --cert client.crt \
  https://localhost:4343/
# Rack entry point used by `rackup` (see the upstart job): load the Sinatra
# app from app.rb and hand the classic-style application to Rack.
require './app'
run Sinatra::Application
# TLS-terminating front end; the only service exposed on port 443.
package { 'nginx':
  ensure => 'present',
}
# Keep nginx running and enabled at boot; it cannot be managed before the
# package that provides it is installed.
service { 'nginx':
  ensure  => running,
  enable  => true,
  require => Package['nginx'],
}
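# Virtual host that terminates TLS and enforces client-certificate auth.
# Ordered after the nginx package so /etc/nginx/sites-available exists, and
# notifies the service so edits to the config are picked up: the original
# only notified from the sites-enabled symlink, which does not change when
# the content of this file changes.
file { '/etc/nginx/sites-available/example.com.conf':
  ensure  => file,
  source  => 'file:///vagrant/nginx_example.com.conf',
  require => Package['nginx'],
  notify  => Service['nginx'],
}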
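# Enable the virtual host. The link target is managed by another File
# resource, so declare the ordering explicitly; without it the link could be
# created (and nginx reloaded) before the config file exists.
file { '/etc/nginx/sites-enabled/example.com.conf':
  ensure  => link,
  target  => '/etc/nginx/sites-available/example.com.conf',
  require => File['/etc/nginx/sites-available/example.com.conf'],
  notify  => Service['nginx'],
}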
# Ruby runtime for the Rack backend (distribution package).
package { 'ruby1.9.3':
  ensure => 'present',
}
# The web framework used by app.rb, installed as a gem once Ruby is present.
package { 'sinatra':
  provider => 'gem',
  ensure   => 'installed',
  require  => Package['ruby1.9.3'],
}
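# Upstart job definition for the Rack backend.
file { '/etc/init/example.com.conf':
  ensure => file,
  source => 'file:///vagrant/upstart_example.com.conf',
  # Restart the job when its definition changes; the service only declared
  # `require` on this file, so edits to the job were never applied.
  notify => Service['example.com'],
}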
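# The Rack backend behind nginx.
service { 'example.com':
  ensure  => 'running',
  enable  => true,
  # The job runs `rackup` from the sinatra gem, so the gem must be installed
  # before the service starts; with only the File dependency the service
  # could be started first and keep respawning on a missing rackup.
  require => [File['/etc/init/example.com.conf'], Package['sinatra']],
}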
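OPENSSL ?= openssl
# RSA key size for every generated key. The original hard-coded 1024 bits,
# which is below current minimum recommendations; 2048 is the new default
# and can still be overridden on the command line.
KEYBITS ?= 2048
# Validity of every certificate, in days.
DAYS ?= 365
# Subject prefix shared by all certificates; only the CN differs per file.
SUBJ_BASE ?= /C=SE/L=Stockholm/O=Koronen

.PHONY: default clean
# Do not leave a truncated .crt/.key behind if openssl fails part-way.
.DELETE_ON_ERROR:
# %.key and %.req are reached through chained pattern rules, which would make
# them "intermediate" and have make delete them after the .crt is built;
# the keys and CSRs must survive.
.SECONDARY:

default: ca.crt client.crt server.crt

# Private keys (no prerequisites: regenerated only when the file is missing).
%.key:
	$(OPENSSL) genrsa -out $@ $(KEYBITS)

# Self-signed CA certificate used to sign, and later to verify, the leaf
# certificates.
ca.crt: ca.key
	$(OPENSSL) req -new -x509 -sha256 -days $(DAYS) -key $< -out $@ -subj "$(SUBJ_BASE)/CN=localhost-ca"

# Certificate signing requests; the stem gives the CN
# (server.req -> localhost-server, client.req -> localhost-client).
%.req: %.key
	$(OPENSSL) req -new -sha256 -key $< -out $@ -subj "$(SUBJ_BASE)/CN=localhost-$*"

# CA-signed leaf certificates. The serial is randomised per certificate: the
# original used -set_serial 01 for both server and client, giving two
# certificates the same issuer+serial pair, which some verifiers reject.
# A random serial also avoids a shared ca.srl file that would race under -j.
%.crt: %.req ca.crt ca.key
	$(OPENSSL) x509 -req -sha256 -days $(DAYS) -in $< -CA ca.crt -CAkey ca.key -set_serial 0x$$($(OPENSSL) rand -hex 16) -out $@

clean:
	$(RM) *.crt *.key *.pem *.req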
# The Rack app started by the upstart job; nginx forwards requests here over
# plain HTTP on the loopback interface (presumably rackup's default port).
upstream backend {
server 127.0.0.1:9292;
}
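server {
    # `listen ... ssl` replaces the separate `ssl on;` directive, which is
    # deprecated in newer nginx releases; behaviour is unchanged.
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /vagrant/server.crt;
    ssl_certificate_key /vagrant/server.key;

    # Mutual TLS: every client must present a certificate chaining to ca.crt
    # (depth 2 allows one intermediate); otherwise nginx answers with an error
    # itself and never proxies the request.
    ssl_client_certificate /vagrant/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        proxy_pass http://backend;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # proxy_set_header replaces any SSL-Client-DN header the client sent,
        # so the backend only sees the DN taken from the verified certificate.
        # NOTE(review): newer nginx formats $ssl_client_s_dn per RFC 2253
        # ($ssl_client_s_dn_legacy keeps the old form) — confirm which the
        # app expects.
        proxy_set_header SSL-Client-DN $ssl_client_s_dn;
    }
}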
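# Upstart job for the Rack backend behind nginx (see nginx_example.com.conf).
description "example.com"

start on filesystem
stop on shutdown

# app.rb and config.ru live in the Vagrant shared folder.
chdir /vagrant

# Bind explicitly to the loopback address and port nginx proxies to, so the
# backend is reachable only through the client-certificate-checking front end
# (rackup may otherwise listen on all interfaces). Also capture stderr, which
# the original dropped.
# NOTE(review): the job runs as root; an unprivileged `setuid` user would be
# preferable — confirm the gem and log paths stay accessible first.
exec rackup --host 127.0.0.1 --port 9292 >> /vagrant/example.com.log 2>&1

respawn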
# Single VM provisioned by the Puppet manifest next to this file. Only the
# TLS port 443 is forwarded to the host (as 4343), so from the host the Rack
# backend on 9292 is reachable only through nginx.
Vagrant.configure('2') do |vm_config|
  vm_config.vm.box = 'precise64'
  # NOTE(review): plain-http box URL with no checksum; Vagrant's
  # box_download_checksum setting exists for this if the box is still
  # fetched this way.
  vm_config.vm.box_url = 'http://files.vagrantup.com/precise64.box'
  vm_config.vm.network :forwarded_port, guest: 443, host: 4343

  vm_config.vm.provision 'puppet' do |pp|
    pp.manifests_path = '.'
  end
end