mirror of
https://gitlab.isc.org/isc-projects/kea
synced 2025-08-24 10:48:42 +00:00
89 lines
3.2 KiB
Plaintext
89 lines
3.2 KiB
Plaintext
# This file contains an example nginx HTTP server configuration which
|
|
# enables reverse proxy service for Kea RESTful API. An access to
|
|
# the service is protected by client's certificate verification
|
|
# mechanism. Before using this configuration a server administrator
|
|
# must generate server certificate and private key as well as
|
|
# the certificate authority (CA). The clients' certificates must
|
|
# be signed by the CA.
|
|
#
|
|
# Note that the steps provided below to generate and setup certificates
|
|
# are provided as an example for testing purposes only. Always
|
|
# consider best known security measures to protect your production
|
|
# environment.
|
|
#
|
|
# The server certificate and key can be generated as follows:
|
|
#
|
|
# openssl genrsa -des3 -out kea-proxy.key 4096
|
|
# openssl req -new -x509 -days 365 -key kea-proxy.key -out kea-proxy.crt
|
|
#
|
|
# The CA certificate and key can be generated as follows:
|
|
#
|
|
# openssl genrsa -des3 -out ca.key 4096
|
|
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
|
|
#
|
|
#
|
|
# The client certificate needs to be generated and signed:
|
|
#
|
|
# openssl genrsa -des3 -out kea-client.key 4096
|
|
# openssl req -new -key kea-client.key -out kea-client.csr
|
|
# openssl x509 -req -days 365 -in kea-client.csr -CA ca.crt \
|
|
# -CAkey ca.key -set_serial 10 -out kea-client.crt
|
|
#
|
|
# Note that the 'common name' value used when generating the client
|
|
# and the server certificates must differ from the value used
|
|
# for the CA certificate.
|
|
#
|
|
# The client certificate must be deployed on the client system.
|
|
# In order to test the proxy configuration with 'curl' run
|
|
# command similar to the following:
|
|
#
|
|
# curl -k --key kea-client.key --cert kea-client.crt -X POST \
|
|
# -H Content-Type:application/json -d '{ "command": "list-commands" }' \
|
|
# https://kea.example.org
|
|
#
|
|
# On some curl running on macOS the crypto library requires a PKCS#12
|
|
# bundle with the private key and the certificate as the cert argument.
|
|
# The PKCS#12 file can be generated by:
|
|
#
|
|
# openssl pkcs12 -export -in kea-client.crt -inkey kea-client.key \
|
|
# -out kea-client.p12
|
|
#
|
|
# If the password is kea, curl command becomes:
|
|
#
|
|
# curl -k --cert kea-client.p12:kea -X POST \
|
|
# -H Content-Type:application/json -d '{ "command": "list-commands" }' \
|
|
# https://kea.example.org
|
|
#
|
|
# nginx configuration starts here.
|
|
|
|
events {
|
|
}
|
|
|
|
http {
|
|
# HTTPS server
|
|
server {
|
|
# Use default HTTPS port.
|
|
listen 443 ssl;
|
|
# Set server name.
|
|
server_name kea.example.org;
|
|
|
|
# Server certificate and key.
|
|
ssl_certificate /path/to/kea-proxy.crt;
|
|
ssl_certificate_key /path/to/kea-proxy.key;
|
|
|
|
# Certificate Authority. Client certificate must be signed by the CA.
|
|
ssl_client_certificate /path/to/ca.crt;
|
|
|
|
# Enable verification of the client certificate.
|
|
ssl_verify_client on;
|
|
|
|
# For the URL https://kea.example.org forward the
|
|
# requests to http://127.0.0.1:8000.
|
|
# kea-shell defaults to / but --path can be used to set another value
|
|
# for instance kea-shell --path kea which will matches location /kea
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8000;
|
|
}
|
|
}
|
|
}
|