Commit 96332eac authored by Vitali Stupin

Adding nginx configuration with client authentication

parent c0b82e15
......@@ -22,4 +22,55 @@ curl -i -d '{"member_code": "XX000002", "member_name": "XX Test 2", "member_clas
## API description
API is described using OpenAPI specification: [openapi-definition.yaml](openapi-definition.yaml)
\ No newline at end of file
API is described using OpenAPI specification: [openapi-definition.yaml](openapi-definition.yaml)
## Nginx configuration
Create a certificate for nginx (already installed to Central Server):
```bash
mkdir -p /etc/nginx/csapi
cd /etc/nginx/csapi
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout csapi.key -out csapi.crt
```
Cert info:
```
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RIA
Organizational Unit Name (eg, section) []:CSAPI
Common Name (e.g. server FQDN or YOUR name) []:jan-center2.ci.kit
Email Address []:
```
Make sure key is accessible to nginx:
```bash
sudo chgrp www-data /etc/nginx/csapi/csapi.key
sudo chmod g+r /etc/nginx/csapi/csapi.key
```
On client side (XTSS app):
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout client.key -out client.crt
```
Cert info:
```
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Harjumaa
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RIA
Organizational Unit Name (eg, section) []:xtss
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
```
Copy client.srt to nginx machine: `/etc/nginx/csapi/client.crt`
For testing copy nginx csapi.crt to client and issue curl command:
```bash
curl --cert client.crt --key client.key --cacert csapi.crt -i -d '{"member_code": "XX000003", "member_name": "XX Test 3", "member_class": "GOVXXX"}' -X POST https://jan-center2.ci.kit:5443/member
```
Add nginx configuration from this repository: `nginx/csapi` to nginx server: `/etc/nginx/sites-enabled/csapi`
\ No newline at end of file
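Review bot: `client.srt` in the "Copy client.srt to nginx machine" step is a typo for `client.crt`, the file the preceding `openssl req ... -out client.crt` command writes. In the same hunk, `mkdir -p /etc/nginx/csapi` and `cd /etc/nginx/csapi` are given without `sudo` while the `openssl req` that follows uses it, so for a non-root user the directory creation under `/etc/nginx` fails before the key is ever generated; suggest `sudo mkdir -p /etc/nginx/csapi`. Since both certificates are self-signed with `-days 365` and the client side is trusted by pinning the exact `client.crt` via `ssl_client_certificate`, the README should also state that renewing either file means copying the replacement into `/etc/nginx/csapi` and reloading nginx, otherwise requests start returning 403 after a year with nothing in the client-side error explaining why.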
server {
listen 5443 ssl;
access_log /var/log/nginx/csapi.access.log;
error_log /var/log/nginx/csapi.error.log;
ssl_protocols TLSv1.2;
# Nginx key and cert
ssl_certificate /etc/nginx/csapi/csapi.crt;
ssl_certificate_key /etc/nginx/csapi/csapi.key;
# client certificate
ssl_client_certificate /etc/nginx/csapi/client.crt;
# make verification optional, so we can display a 403 message to those
# who fail authentication
ssl_verify_client optional;
location / {
# Require authentication!!!
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_pass http://127.0.0.1:5444;
#proxy_redirect http:// https://;
}
}
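Review bot: the `location /` block proxies to `http://127.0.0.1:5444` with no `proxy_set_header` directives, so the Gunicorn backend cannot tell which client certificate was presented; consider forwarding `$ssl_client_s_dn` (and `Host` / `X-Forwarded-For`) in a header so the application can log the authenticated identity per request rather than relying only on `/var/log/nginx/csapi.access.log`. The `if ($ssl_client_verify != SUCCESS) { return 403; }` pattern is the safe use of `if` inside a location, but `ssl_protocols TLSv1.2;` is not accompanied by `ssl_ciphers` / `ssl_prefer_server_ciphers`, so the cipher list is whatever the distribution's nginx default is; pin it explicitly. The commented-out `#proxy_redirect http:// https://;` should either be enabled or dropped so the file does not carry dead configuration.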
......@@ -6,4 +6,4 @@ source venv/bin/activate
# Flask (Werkzeug) server
#python server_dev.py
# Production ready Gunicorn server
gunicorn -w 4 -b 0.0.0.0:5444 server:app
gunicorn -w 4 -b 127.0.0.1:5444 server:app
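Review bot: rebinding Gunicorn from `0.0.0.0:5444` to `127.0.0.1:5444` is the half of this commit that actually closes the unauthenticated path, since the client-certificate check in `nginx/csapi` is only enforced for traffic that arrives through `proxy_pass http://127.0.0.1:5444`, yet neither the commit message nor the README hunk mentions it. Suggest a sentence in the README next to the `/etc/nginx/sites-enabled/csapi` step stating that the API is no longer reachable directly on port 5444 from other hosts and that Gunicorn and nginx must therefore run on the same machine.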