Picalike Dokuwiki Archive

User Tools

Site Tools

Trace: ssl
ssl

Table of Contents

GIT: https://git.picalike.corpex-kunden.de/hackathon/tls-encrypt-and-authorize

Certificates

To create a certificate choose your engine and backend and follow the steps listed on

https://certbot.eff.org/

Phase 1

use letsencrypt certificate in nginx (follow instructions for certbot) 

  server {
  
          # SSL configuration
          #
          # listen 443 ssl default_server;
          # listen [::]:443 ssl default_server;
          #
          # Note: You should disable gzip for SSL traffic.
          # See: https://bugs.debian.org/773332
          #
          # Read up on ssl_ciphers to ensure a secure configuration.
          # See: https://bugs.debian.org/765782
          #
          # Self signed certs generated by the ssl-cert package
          # Don't use them in a production server!
          #
          # include snippets/snakeoil.conf;
  
          root /var/www/html;
  
          # Add index.php to the list if you are using PHP
          index index.html index.htm index.nginx-debian.html;
      server_name www.example.com, example.com; # managed by Certbot
  
  
          location / {
                  # First attempt to serve request as file, then
                  # as directory, then fall back to displaying a 404.
                  try_files $uri $uri/ =404;
          }
  
          # pass PHP scripts to FastCGI server
          #
          #location ~ \.php$ {
          #       include snippets/fastcgi-php.conf;
          #
          #       # With php-fpm (or other unix sockets):
          #       fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
          #       # With php-cgi (or other tcp sockets):
          #       fastcgi_pass 127.0.0.1:9000;
          #}
  
          # deny access to .htaccess files, if Apache's document root
          # concurs with nginx's one
          #
          #location ~ /\.ht {
          #       deny all;
          #}
  
  
      listen [::]:443 ssl ipv6only=on; # managed by Certbot
      listen 443 ssl; # managed by Certbot
      ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
      ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
      include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  
  
  }
  server {
      if ($host = www.example.com) {
          return 301 https://$host$request_uri;
      } # managed by Certbot
  
      if ($host = example.com) {
          return 301 https://$host$request_uri;
      } # managed by Certbot
  
  
          listen 80 ;
          listen [::]:80 ;
      server_name www.example.com, example.com;
      return 404; # managed by Certbot

Phase 2

use self signed certificate in nginx for forwarding to internal service

<HTML><ol></HTML>

  • generate a self signed certificate
  • trust certificate in nginx
  • deploy service with self signed certificate<HTML></ol></HTML>

in git

Phase 3

use self signed certificate in nginx for authentication at internal service

in git

Phase 4

putting it all together

in git

ssl.txt · Last modified: 2024/04/11 14:23 by 127.0.0.1