1 files changed, 88 insertions, 0 deletions
diff --git a/doc/examples/https/nginx/kea-nginx.conf b/doc/examples/https/nginx/kea-nginx.conf
new file mode 100644
index 0000000..cdbd7b3
--- /dev/null
+++ b/doc/examples/https/nginx/kea-nginx.conf
@@ -0,0 +1,88 @@
+#   This file contains an example nginx HTTP server configuration which
+#   enables reverse proxy service for Kea RESTful API. An access to
+#   the service is protected by client's certificate verification
+#   mechanism. Before using this configuration a server administrator
+#   must generate server certificate and private key as well as
+#   the certificate authority (CA). The clients' certificates must
+#   be signed by the CA.
+#
+#   Note that the steps provided below to generate and setup certificates
+#   are provided as an example for testing purposes only. Always
+#   consider best known security measures to protect your production
+#   environment.
+#
+#   The server certificate and key can be generated as follows:
+#
+#   openssl genrsa -des3 -out kea-proxy.key 4096
+#   openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
+#
+#   The CA certificate and key can be generated as follows:
+#
+#   openssl genrsa -des3 -out ca.key 4096
+#   openssl req -new -x509 -days 365 -key ca.key -out ca.crt
+#
+#
+#   The client certificate needs to be generated and signed:
+#
+#   openssl genrsa -des3 -out kea-client.key 4096
+#   openssl req -new -key kea-client.key -out kea-client.csr
+#   openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
+#           -CAkey ca.key -set_serial 10 -out kea-client.crt
+#
+#   Note that the 'common name' value used when generating the client
+#   and the server certificates must differ from the value used
+#   for the CA certificate.
+#
+#   The client certificate must be deployed on the client system.
+#   In order to test the proxy configuration with 'curl' run
+#   command similar to the following:
+#
+#   curl -k --key kea-client.key --cert kea-client.crt -X POST \
+#        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
+#         https://kea.example.org
+#
+#   On some curl running on macOS the crypto library requires a PKCS#12
+#   bundle with the private key and the certificate as the cert argument.
+#   The PKCS#12 file can be generated by:
+#
+#   openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \
+#           -out kea-client.p12
+#
+#   If the password is kea, curl command becomes:
+#
+#   curl -k --cert kea-client.p12:kea -X POST \
+#        -H Content-Type:application/json -d '{ "command": "list-commands" }' \
+#         https://kea.example.org
+#
+#   nginx configuration starts here.
+
+events {
+}
+
+http {
+    #   HTTPS server
+    server {
+        #     Use default HTTPS port.
+        listen 443 ssl;
+        #     Set server name.
+        server_name kea.example.org;
+
+        #   Server certificate and key.
+        ssl_certificate /path/to/kea-proxy.crt;
+        ssl_certificate_key /path/to/kea-proxy.key;
+
+        #   Certificate Authority. Client certificate must be signed by the CA.
+        ssl_client_certificate /path/to/ca.crt;
+
+        # Enable verification of the client certificate.
+        ssl_verify_client on;
+
+        # For the URL https://kea.example.org forward the
+        # requests to http://127.0.0.1:8000.
+        # kea-shell defaults to / but --path can be used to set another value
+        # for instance kea-shell --path kea which will matches location /kea
+        location / {
+            proxy_pass http://127.0.0.1:8000;
+        }
+    }
+}