Home Explore Help
Sign In
zorun
/
kea
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 5615b95f58
Branches Tags
kea
/
doc
/
examples
/
https
/
nginx
/
kea-nginx.conf

kea-nginx.conf 2.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475 
  1. #   This file contains an example nginx HTTP server configuration which
    2. 

  2. #   enables reverse proxy service for Kea RESTful API. An access to
    3. 

  3. #   the service is protected by client's certificate verification
    4. 

  4. #   mechanism. Before using this configuration a server administrator
    5. 

  5. #   must generate server certificate and private key as well as
    6. 

  6. #   the certificate authority (CA). The clients' certificates must
    7. 

  7. #   be signed by the CA.
    8. 

  8. #
    9. 

  9. #   Note that the steps provided below to generate and setup certificates
    10. 

  10. #   are provided as an example for testing purposes only. Always
    11. 

  11. #   consider best known security measures to protect your production
    12. 

  12. #   environment.
    13. 

  13. #
    14. 

  14. #   The server certificate and key can be generated as follows:
    15. 

  15. #
    16. 

  16. #   openssl genrsa -des3 -out kea-proxy.key 4096
    17. 

  17. #   openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
    18. 

  18. #
    19. 

  19. #   The CA certificate and key can be generated as follows:
    20. 

  20. #
    21. 

  21. #   openssl genrsa -des3 -out ca.key 4096
    22. 

  22. #   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    23. 

  23. #
    24. 

  24. #
    25. 

  25. #   The client certificate needs to be generated and signed:
    26. 

  26. #
    27. 

  27. #   openssl genrsa -des3 -out kea-client.key 4096
    28. 

  28. #   openssl req -new -key kea-client.key -out kea-client.csr
    29. 

  29. #   openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
    30. 

  30. #           -CAkey ca.key -set_serial 01 -out kea-client.crt
    31. 

  31. #
    32. 

  32. #   Note that the 'common name' value used when generating the client
    33. 

  33. #   and the server certificates must differ from the value used
    34. 

  34. #   for the CA certificate.
    35. 

  35. #
    36. 

  36. #   The client certificate must be deployed on the client system.
    37. 

  37. #   In order to test the proxy configuration with 'curl' run
    38. 

  38. #   command similar to the following:
    39. 

  39. #
    40. 

  40. #   curl -k --key kea-client.key --cert kea-client.crt -X POST \
    41. 

  41. #        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
    42. 

  42. #         https://kea.example.org/kea
    43. 

  43. #
    44. 

  44. #
    45. 

  45. #
    46. 

  46. #   nginx configuration starts here.
    47. 

  47. 

  48. events {
    49. 

  49. }
    50. 

  50. 

  51. http {
    52. 

  52.     #   HTTPS server
    53. 

  53.     server {
    54. 

  54.         #     Use default HTTPS port.
    55. 

  55.         listen 443 ssl;
    56. 

  56.         #     Set server name.
    57. 

  57.         server_name kea.example.org;
    58. 

  58. 

  59.         #   Server certificate and key.
    60. 

  60.         ssl_certificate /path/to/kea-proxy.crt;
    61. 

  61.         ssl_certificate_key /path/to/kea-proxy.key;
    62. 

  62. 

  63.         #   Certificate Authority. Client certificate must be signed by the CA.
    64. 

  64.         ssl_client_certificate /path/to/ca.crt;
    65. 

  65. 

  66.         # Enable verification of the client certificate.
    67. 

  67.         ssl_verify_client on;
    68. 

  68. 

  69.         # For URLs such as https://kea.example.org/kea, forward the
    70. 

  70.         # requests to http://127.0.0.1:8080.
    71. 

  71.         location /kea {
    72. 

  72.             proxy_pass http://127.0.0.1:8080;
    73. 

  73.         }
    74. 

  74.     }
    75. 

  75. }
    76.