summaryrefslogtreecommitdiffstats
path: root/doc/examples/https/nginx/kea-nginx.conf
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 11:36:04 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 11:36:04 +0000
commit040eee1aa49b49df4698d83a05af57c220127fd1 (patch)
treef635435954e6ccde5eee9893889e24f30ca68346 /doc/examples/https/nginx/kea-nginx.conf
parentInitial commit. (diff)
downloadisc-kea-040eee1aa49b49df4698d83a05af57c220127fd1.tar.xz
isc-kea-040eee1aa49b49df4698d83a05af57c220127fd1.zip
Adding upstream version 2.2.0.upstream/2.2.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/examples/https/nginx/kea-nginx.conf')
-rw-r--r--doc/examples/https/nginx/kea-nginx.conf88
1 files changed, 88 insertions, 0 deletions
diff --git a/doc/examples/https/nginx/kea-nginx.conf b/doc/examples/https/nginx/kea-nginx.conf
new file mode 100644
index 0000000..cdbd7b3
--- /dev/null
+++ b/doc/examples/https/nginx/kea-nginx.conf
@@ -0,0 +1,88 @@
+# This file contains an example nginx HTTP server configuration which
+# enables reverse proxy service for Kea RESTful API. An access to
+# the service is protected by client's certificate verification
+# mechanism. Before using this configuration a server administrator
+# must generate server certificate and private key as well as
+# the certificate authority (CA). The clients' certificates must
+# be signed by the CA.
+#
+# Note that the steps provided below to generate and setup certificates
+# are provided as an example for testing purposes only. Always
+# consider best known security measures to protect your production
+# environment.
+#
+# The server certificate and key can be generated as follows:
+#
+# openssl genrsa -des3 -out kea-proxy.key 4096
+# openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
+#
+# The CA certificate and key can be generated as follows:
+#
+# openssl genrsa -des3 -out ca.key 4096
+# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
+#
+#
+# The client certificate needs to be generated and signed:
+#
+# openssl genrsa -des3 -out kea-client.key 4096
+# openssl req -new -key kea-client.key -out kea-client.csr
+# openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
+# -CAkey ca.key -set_serial 10 -out kea-client.crt
+#
+# Note that the 'common name' value used when generating the client
+# and the server certificates must differ from the value used
+# for the CA certificate.
+#
+# The client certificate must be deployed on the client system.
+# In order to test the proxy configuration with 'curl' run
+# command similar to the following:
+#
+# curl -k --key kea-client.key --cert kea-client.crt -X POST \
+# -H Content-Type:application/json -d '{ "command": "list-commands" }' \
+# https://kea.example.org
+#
+# On some curl running on macOS the crypto library requires a PKCS#12
+# bundle with the private key and the certificate as the cert argument.
+# The PKCS#12 file can be generated by:
+#
+# openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \
+# -out kea-client.p12
+#
+# If the password is kea, curl command becomes:
+#
+# curl -k --cert kea-client.p12:kea -X POST \
+# -H Content-Type:application/json -d '{ "command": "list-commands" }' \
+# https://kea.example.org
+#
+# nginx configuration starts here.
+
+events {
+}
+
+http {
+ # HTTPS server
+ server {
+ # Use default HTTPS port.
+ listen 443 ssl;
+ # Set server name.
+ server_name kea.example.org;
+
+ # Server certificate and key.
+ ssl_certificate /path/to/kea-proxy.crt;
+ ssl_certificate_key /path/to/kea-proxy.key;
+
+ # Certificate Authority. Client certificate must be signed by the CA.
+ ssl_client_certificate /path/to/ca.crt;
+
+ # Enable verification of the client certificate.
+ ssl_verify_client on;
+
+ # For the URL https://kea.example.org forward the
+ # requests to http://127.0.0.1:8000.
+ # kea-shell defaults to / but --path can be used to set another value
+ # for instance kea-shell --path kea which will matches location /kea
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ }
+ }
+}