Accueil Explorer Aide
Connexion
zorun
/
kea
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 537ef63fe1
Branches Tags
kea
/
doc
/
examples
/
https
/
nginx
/
kea-nginx.conf

kea-nginx.conf 2.3 KB
Historique Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 
  1. #   This file contains an example nginx HTTP server configuration which
    2. 

  2. #   enables reverse proxy service for Kea RESTful API. An access to
    3. 

  3. #   the service is protected by client's certificate verification
    4. 

  4. #   mechanism. Before using this configuration a server administrator
    5. 

  5. #   must generate server certificate and private key as well as
    6. 

  6. #   the certifiate authority (CA). The clients' certificates must
    7. 

  7. #   be signed by the CA.
    8. 

  8. 

  9. #   The server certificate and key can be generated as follows:
    10. 

  10. #
    11. 

  11. #   openssl genrsa -des3 -out kea-proxy.key 4096
    12. 

  12. #   openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
    13. 

  13. #
    14. 

  14. #   The CA certificate and key can be generated as follows:
    15. 

  15. #
    16. 

  16. #   openssl genrsa -des3 -out ca.key 4096
    17. 

  17. #   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    18. 

  18. #
    19. 

  19. #
    20. 

  20. #   The client certificate needs to be generated and signed:
    21. 

  21. #
    22. 

  22. #   openssl genrsa -des3 -out kea-client.key 4096
    23. 

  23. #   openssl req -new -key kea-client.key -out kea-client.csr
    24. 

  24. #   openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
    25. 

  25. #           -CAkey ca.key -set_serial 01 -out kea-client.crt
    26. 

  26. #
    27. 

  27. #   Note that the 'common name' value used when generating the client
    28. 

  28. #   and the server certificates must differ from the value used
    29. 

  29. #   for the CA certificate.
    30. 

  30. #
    31. 

  31. #   The client certificate must be deployed on the client system.
    32. 

  32. #   In order to test the proxy configuration with 'curl' run
    33. 

  33. #   command similar to the following:
    34. 

  34. #
    35. 

  35. #   curl -k --key kea-client.key --cert kea-client.crt -X POST \
    36. 

  36. #        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
    37. 

  37. #         https://kea.example.org/kea
    38. 

  38. #
    39. 

  39. #
    40. 

  40. #
    41. 

  41. #   nginx configuration starts here.
    42. 

  42. 

  43. events {
    44. 

  44. }
    45. 

  45. 

  46. http {
    47. 

  47.     #   HTTPS server
    48. 

  48.     server {
    49. 

  49.         #     Use default HTTPS port.
    50. 

  50.         listen 443 ssl;
    51. 

  51.         #     Set server name.
    52. 

  52.         server_name kea.example.org;
    53. 

  53. 

  54.         #   Server certificate and key.
    55. 

  55.         ssl_certificate /path/to/kea-proxy.crt;
    56. 

  56.         ssl_certificate_key /path/to/kea-proxy.key;
    57. 

  57. 

  58.         #   Certificate Authority. Client certificate must be signed by the CA.
    59. 

  59.         ssl_client_certificate /path/to/ca.crt;
    60. 

  60. 

  61.         # Enable verification of the client certificate.
    62. 

  62.         ssl_verify_client on;
    63. 

  63. 

  64.         # For URLs such as https://kea.example.org/kea, forward the
    65. 

  65.         # requests to http://127.0.0.1:8080.
    66. 

  66.         location /kea {
    67. 

  67.             proxy_pass http://127.0.0.1:8080;
    68. 

  68.         }
    69. 

  69.     }
    70. 

  70. }
    71.