Max Nasonov maxnasonov

Client-side SSL

For excessively paranoid client authentication.

Updated Apr 5 2019:

because this is a gist from 2011 that people stumble into and maybe you should AES instead of 3DES in the year of our lord 2019.

some other notes:

For educational reasons I've decided to create my own CA. Here is what I learned.

Lets get some context first.

	# Basically the nginx configuration I use at konklone.com.
	# I check it using https://www.ssllabs.com/ssltest/analyze.html?d=konklone.com
	#
	# To provide feedback, please tweet at @konklone or email [email protected].
	# Comments on gists don't notify the author.
	#
	# Thanks to WubTheCaptain (https://wubthecaptain.eu) for his help and ciphersuites.
	# Thanks to Ilya Grigorik (https://www.igvita.com) for constant inspiration.

	server {

	using http://nssm.cc/usage

	Install BTSync
	Configure your shared folders
	Make sure you uncheck the "Start btsync when windows starts" option in the preferences.
	Download nssm, as an admin run "nssm install BTSync"
	Put in the path to the BTSync.exe
	Open windows service manager and tell it to run BTSync as the user you just used to install.
	Make sure BTSync isn't already running, then start the service.

	- What do Etcd, Consul, and Zookeeper do?
	- Service Registration:
	- Host, port number, and sometimes authentication credentials, protocols, versions
	numbers, and/or environment details.
	- Service Discovery:
	- Ability for client application to query the central registry to learn of service location.
	- Consistent and durable general-purpose K/V store across distributed system.
	- Some solutions support this better than others.
	- Based on Paxos or some derivative (i.e. Raft) algorithm to quickly converge to a consistent state.
	- Centralized locking can be based on this K/V store.

	#!/bin/bash
	# bash generate random alphanumeric string
	#

	if [[ "$OSTYPE" == "linux-gnu" ]]; then
	# bash generate random 32 character alphanumeric string (upper and lowercase) and
	NEW_UUID=$(cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1)

	# bash generate random 32 character alphanumeric string (lowercase only)
	cat /dev/urandom \| tr -dc 'a-zA-Z0-9' \| fold -w 32 \| head -n 1

	input {

	tcp{
	type => eventlog
	port => 1515
	ssl_enable => true
	ssl_cert => "/etc/nginx/ssl/server.crt"
	ssl_key => "/etc/nginx/ssl/server.key"
	ssl_key_passphrase => "password"
	ssl_cacert => "/etc/nginx/ssl/server.csr"

	# to generate your dhparam.pem file, run in the terminal
	openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

	git branch -m old_branch new_branch # Rename branch locally
	git push origin :old_branch # Delete the old branch
	git push --set-upstream origin new_branch # Push the new branch, set local branch to track the new remote

	## Please set the ROOT to the folder your nxlog was installed into,
	## otherwise it will not start.

	#define ROOT C:\Program Files\nxlog
	define ROOT C:\Program Files (x86)\nxlog

	Moduledir %ROOT%\modules
	CacheDir %ROOT%\data
	Pidfile %ROOT%\data\nxlog.pid
	SpoolDir %ROOT%\data