##
## Generating a client certificate
## https://gist.github.com/mtigas/952344
## sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout bein.tech.key -out bein.tech.crt
# openssl genrsa -des3 -out bein.tech.key 4096
# openssl req -new -x509 -days 365 -key bein.tech.key -out bein.tech.crt
# openssl req -new -key client.key -out client.csr
# ---- or
# openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr
# openssl x509 -req -days 365 -in client.csr -CA bein.tech.crt -CAkey bein.tech.key -set_serial 01 -out client.crt
# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
server {
    listen 80;
    server_name auth.com.kz;

    # Plain HTTP is never served: every request is bounced to the TLS
    # listener for the same host and path.
    return 301 https://$host$request_uri;

    # root /var/www/html;
    # include letsencrypt.conf;
}
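server {
    server_name auth.com.kz;
    listen 443 ssl;

    ## SSL termination
    include ssl.conf;
    include letsencrypt.conf;
    ssl_certificate /etc/letsencrypt/live/auth.com.kz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.com.kz/privkey.pem;

    ## Mutual TLS. With "optional" the handshake does not fail on a missing
    ## or invalid client certificate; the verdict lands in $ssl_client_verify
    ## (SUCCESS, NONE or FAILED:...) and is enforced per location below.
    ssl_verify_client optional;
    #ssl_verify_depth 2;
    ssl_client_certificate /pos/nginx/mutual/ca.crt;

    add_header X-Frame-Options "SAMEORIGIN"; # no frame/iframe embedding
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag "noindex, nofollow";
    add_header Access-Control-Allow-Origin "https://com.kz";

    # Diagnostic header. Exposes only the verification verdict; the previous
    # version echoed the caller-supplied User-Agent back in the response.
    add_header X-000-UserAgent-ClientVerify '$ssl_client_verify' always;

    autoindex off;
    log_not_found off;
    client_max_body_size 1M;

    location / {
        # Require the client certificate for everything that is proxied.
        # The earlier server-level rule exempted requests whose User-Agent
        # matched the Let's Encrypt validator; the User-Agent header is set by
        # the client, so any caller could skip the certificate check by sending
        # that string. Scoping the check to this location keeps the exemption
        # for the ACME locations pulled in by letsencrypt.conf (assumed to
        # declare /.well-known/acme-challenge/ -- confirm), which nginx matches
        # ahead of this "/" prefix.
        if ($ssl_client_verify != 'SUCCESS') {
            return 496;
        }

        proxy_pass http://localhost:5001;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Certificate details for the backend. Because proxy_set_header always
        # overwrites, a client cannot smuggle its own values in these names.
        # NOTE(review): header names contain underscores; some backends drop
        # such headers by default -- verify the upstream actually receives them.
        proxy_set_header X-SSL_IDN $ssl_client_i_dn;
        proxy_set_header X-SSL_SDN $ssl_client_s_dn;
        proxy_set_header X-SSL_SERIAL $ssl_client_serial;
        proxy_set_header X-SSL_VERIFY $ssl_client_verify;
    }
}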