diff options
Diffstat (limited to 'doc/examples/https/nginx')
-rw-r--r-- | doc/examples/https/nginx/kea-nginx.conf | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/doc/examples/https/nginx/kea-nginx.conf b/doc/examples/https/nginx/kea-nginx.conf new file mode 100644 index 0000000..cdbd7b3 --- /dev/null +++ b/doc/examples/https/nginx/kea-nginx.conf @@ -0,0 +1,88 @@ +# This file contains an example nginx HTTP server configuration which +# enables reverse proxy service for Kea RESTful API. An access to +# the service is protected by client's certificate verification +# mechanism. Before using this configuration a server administrator +# must generate server certificate and private key as well as +# the certificate authority (CA). The clients' certificates must +# be signed by the CA. +# +# Note that the steps provided below to generate and setup certificates +# are provided as an example for testing purposes only. Always +# consider best known security measures to protect your production +# environment. +# +# The server certificate and key can be generated as follows: +# +# openssl genrsa -des3 -out kea-proxy.key 4096 +# openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt +# +# The CA certificate and key can be generated as follows: +# +# openssl genrsa -des3 -out ca.key 4096 +# openssl req -new -x509 -days 365 -key ca.key -out ca.crt +# +# +# The client certificate needs to be generated and signed: +# +# openssl genrsa -des3 -out kea-client.key 4096 +# openssl req -new -key kea-client.key -out kea-client.csr +# openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \ +# -CAkey ca.key -set_serial 10 -out kea-client.crt +# +# Note that the 'common name' value used when generating the client +# and the server certificates must differ from the value used +# for the CA certificate. +# +# The client certificate must be deployed on the client system. +# In order to test the proxy configuration with 'curl' run +# command similar to the following: +# +# curl -k --key kea-client.key --cert kea-client.crt -X POST \ +# -H Content-Type:application/json -d '{ "command": "list-commands" }' \ +# https://kea.example.org +# +# On some curl running on macOS the crypto library requires a PKCS#12 +# bundle with the private key and the certificate as the cert argument. +# The PKCS#12 file can be generated by: +# +# openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \ +# -out kea-client.p12 +# +# If the password is kea, curl command becomes: +# +# curl -k --cert kea-client.p12:kea -X POST \ +# -H Content-Type:application/json -d '{ "command": "list-commands" }' \ +# https://kea.example.org +# +# nginx configuration starts here. + +events { +} + +http { + # HTTPS server + server { + # Use default HTTPS port. + listen 443 ssl; + # Set server name. + server_name kea.example.org; + + # Server certificate and key. + ssl_certificate /path/to/kea-proxy.crt; + ssl_certificate_key /path/to/kea-proxy.key; + + # Certificate Authority. Client certificate must be signed by the CA. + ssl_client_certificate /path/to/ca.crt; + + # Enable verification of the client certificate. + ssl_verify_client on; + + # For the URL https://kea.example.org forward the + # requests to http://127.0.0.1:8000. + # kea-shell defaults to / but --path can be used to set another value + # for instance kea-shell --path kea which will matches location /kea + location / { + proxy_pass http://127.0.0.1:8000; + } + } +} |