Home Explore Help
Sign In
zorun
/
kea
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: e6980a2602
Branches Tags
kea
/
doc
/
examples
/
https
/
nginx
/
kea-nginx.conf

kea-nginx.conf 3.1 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. #   This file contains an example nginx HTTP server configuration which
    2. 

  2. #   enables reverse proxy service for Kea RESTful API. An access to
    3. 

  3. #   the service is protected by client's certificate verification
    4. 

  4. #   mechanism. Before using this configuration a server administrator
    5. 

  5. #   must generate server certificate and private key as well as
    6. 

  6. #   the certificate authority (CA). The clients' certificates must
    7. 

  7. #   be signed by the CA.
    8. 

  8. #
    9. 

  9. #   Note that the steps provided below to generate and setup certificates
    10. 

  10. #   are provided as an example for testing purposes only. Always
    11. 

  11. #   consider best known security measures to protect your production
    12. 

  12. #   environment.
    13. 

  13. #
    14. 

  14. #   The server certificate and key can be generated as follows:
    15. 

  15. #
    16. 

  16. #   openssl genrsa -des3 -out kea-proxy.key 4096
    17. 

  17. #   openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
    18. 

  18. #
    19. 

  19. #   The CA certificate and key can be generated as follows:
    20. 

  20. #
    21. 

  21. #   openssl genrsa -des3 -out ca.key 4096
    22. 

  22. #   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    23. 

  23. #
    24. 

  24. #
    25. 

  25. #   The client certificate needs to be generated and signed:
    26. 

  26. #
    27. 

  27. #   openssl genrsa -des3 -out kea-client.key 4096
    28. 

  28. #   openssl req -new -key kea-client.key -out kea-client.csr
    29. 

  29. #   openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
    30. 

  30. #           -CAkey ca.key -set_serial 10 -out kea-client.crt
    31. 

  31. #
    32. 

  32. #   Note that the 'common name' value used when generating the client
    33. 

  33. #   and the server certificates must differ from the value used
    34. 

  34. #   for the CA certificate.
    35. 

  35. #
    36. 

  36. #   The client certificate must be deployed on the client system.
    37. 

  37. #   In order to test the proxy configuration with 'curl' run
    38. 

  38. #   command similar to the following:
    39. 

  39. #
    40. 

  40. #   curl -k --key kea-client.key --cert kea-client.crt -X POST \
    41. 

  41. #        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
    42. 

  42. #         https://kea.example.org/kea
    43. 

  43. #
    44. 

  44. #   On some curl running on macOS the crypto library requires a PKCS#12
    45. 

  45. #   bundle with the private key and the certificate as the cert argument.
    46. 

  46. #   The PKCS#12 file can be generated by:
    47. 

  47. #
    48. 

  48. #   openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \
    49. 

  49. #           -out kea-client.p12
    50. 

  50. #
    51. 

  51. #   If the password is kea, curl command becomes:
    52. 

  52. #
    53. 

  53. #   curl -k --cert kea-client.p12:kea -X POST \
    54. 

  54. #        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
    55. 

  55. #         https://kea.example.org/kea
    56. 

  56. #
    57. 

  57. #   nginx configuration starts here.
    58. 

  58. 

  59. events {
    60. 

  60. }
    61. 

  61. 

  62. http {
    63. 

  63.     #   HTTPS server
    64. 

  64.     server {
    65. 

  65.         #     Use default HTTPS port.
    66. 

  66.         listen 443 ssl;
    67. 

  67.         #     Set server name.
    68. 

  68.         server_name kea.example.org;
    69. 

  69. 

  70.         #   Server certificate and key.
    71. 

  71.         ssl_certificate /path/to/kea-proxy.crt;
    72. 

  72.         ssl_certificate_key /path/to/kea-proxy.key;
    73. 

  73. 

  74.         #   Certificate Authority. Client certificate must be signed by the CA.
    75. 

  75.         ssl_client_certificate /path/to/ca.crt;
    76. 

  76. 

  77.         # Enable verification of the client certificate.
    78. 

  78.         ssl_verify_client on;
    79. 

  79. 

  80.         # For URLs such as https://kea.example.org/kea, forward the
    81. 

  81.         # requests to http://127.0.0.1:8080.
    82. 

  82.         # Use the / location for URLs with no path.
    83. 

  83.         location /kea {
    84. 

  84.             proxy_pass http://127.0.0.1:8080;
    85. 

  85.         }
    86. 

  86.     }
    87. 

  87. }
    88.