Last active
August 29, 2015 14:14
-
-
Save zmajstor/6faa01fc26b17ec68681 to your computer and use it in GitHub Desktop.
nginx for Rails development
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # NGinx SSL certificate authentication signed by intermediate CA (chain) | |
| # http://stackoverflow.com/questions/8431528/nginx-ssl-certificate-authentication-signed-by-intermediate-ca-chain?rq=1 | |
| server { | |
| listen 443 ssl; | |
| ssl_certificate ... | |
| ssl_certificate_key ... | |
| ssl_client_certificate /path/to/ca.crt; | |
| ssl_verify_client on; | |
| ssl_verify_depth 2; | |
| if ($ssl_client_i_dn != "/C=PL/CN=IntermediateCA1/[email protected]") { | |
| return 403; | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://github.com/novapost/django-x509#nginx-configuration-for-certificate | |
| upstream app_server { | |
| # For a TCP configuration: | |
| server 127.0.0.1:8000 fail_timeout=0; | |
| } | |
| server { | |
| listen 443 default; | |
| location / { | |
| try_files $uri @proxy_to_app; | |
| } | |
| # Proxy to frontend application (WSGI). | |
| location @proxy_to_app { | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto 'https'; | |
| proxy_set_header Host $http_host; | |
| # Set to header x509 credentials | |
| proxy_set_header SSL-client-serial $ssl_client_serial; | |
| proxy_set_header SSL-client-dn $ssl_client_s_dn; | |
| proxy_set_header SSL-client-verify $ssl_client_verify; | |
| proxy_redirect off; | |
| proxy_pass http://app_server; | |
| } | |
| ssl on; | |
| ssl_certificate /etc/ssl/www-domain.crt; | |
| ssl_certificate_key /etc/ssl/www-domain.key; | |
| ssl_client_certificate /etc/ssl/org-ca.crt; | |
| ssl_verify_client optional; # on | off | optional | optional_no_ca | |
| ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers HIGH:!RC4:!DES!3DES:!RC2:!MD5:!EXP:!aNULL:!eNULL; | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -k 'https://localhost' --key examples/localhost/client.key --cert examples/localhost/client.crt | |
| {'CONTENT_LENGTH': '', | |
| 'CONTENT_TYPE': '', | |
| 'HTTP_ACCEPT': '*/*', | |
| 'HTTP_CONNECTION': 'close', | |
| 'HTTP_HOST': 'localhost', | |
| 'HTTP_SSL_CLIENT_DN': '/C=FR/ST=Ile-de-France/L=Paris/O=Test Ltd/OU=Test/CN=Alain Dupont/emailAddress=alain.dupont@localhost', | |
| 'HTTP_SSL_CLIENT_SERIAL': 'CA92CBE98DDD421A9E4263254E413017', | |
| 'HTTP_SSL_CLIENT_VERIFY': 'SUCCESS', | |
| 'HTTP_USER_AGENT': 'curl/7.32.0', | |
| 'HTTP_X_FORWARDED_FOR': '127.0.0.1', | |
| 'HTTP_X_FORWARDED_PROTO': 'https', | |
| 'PATH_INFO': '/', | |
| 'QUERY_STRING': '', | |
| 'REMOTE_ADDR': '127.0.0.1', | |
| 'REMOTE_PORT': 51923, | |
| 'REQUEST_METHOD': 'GET', | |
| 'SCRIPT_NAME': '', | |
| 'SERVER_NAME': '127.0.0.1', | |
| 'SERVER_PORT': '8000', | |
| 'SERVER_PROTOCOL': 'HTTP/1.0', | |
| 'SERVER_SOFTWARE': 'Werkzeug/0.9.4', | |
| 'werkzeug.request': <Request 'http://localhost/' [GET]>, | |
| 'werkzeug.server.shutdown': <function shutdown_server at 0xb6d6eb1c>, | |
| 'wsgi.errors': <open file '<stderr>', mode 'w' at 0xb75250d0>, | |
| 'wsgi.input': <socket._fileobject object at 0xb6d698ec>, | |
| 'wsgi.multiprocess': False, | |
| 'wsgi.multithread': False, | |
| 'wsgi.run_once': False, | |
| 'wsgi.url_scheme': 'http', | |
| 'wsgi.version': (1, 0)} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # idea from http://that-matt.com/2014/06/05/setting-up-ssl-for-rails-development.html | |
| # usually in /usr/local/etc/nginx | |
| worker_processes 1; | |
| events { | |
| worker_connections 1024; | |
| } | |
| http { | |
| include mime.types; | |
| default_type application/octet-stream; | |
| server { | |
| listen 8080 ssl; | |
| server_name dev.promdm.net; | |
| port_in_redirect off; | |
| # ssl on; | |
| ssl_certificate /usr/local/etc/nginx/ssl/server.crt; | |
| ssl_certificate_key /usr/local/etc/nginx/ssl/server.key; | |
| ssl_session_cache shared:SSL:1m; | |
| ssl_session_timeout 5m; | |
| ssl_ciphers HIGH:!aNULL:!MD5; | |
| ssl_prefer_server_ciphers on; | |
| location / { | |
| proxy_pass http://127.0.0.1:3000; | |
| proxy_redirect https://dev.promdm.net:8080/ https://dev.promdm.net/; | |
| proxy_set_header Host $host:$server_port; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-Ssl on; | |
| proxy_set_header X-Forwarded-Proto https; | |
| proxy_set_header X-SSL 1; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment