nginx-sample-configs
This is an old revision of the document!
Nginx example for reverse proxy with ssl-client cert auth
server {
listen 443 ssl;
listen [::]:443 ssl;
include /etc/nginx/snippets/kc-certs.conf;
include /etc/nginx/snippets/kc-ssl-params.conf;
server_name example.org;
ssl_client_certificate /etc/ssl/private/kc-ca.cert.pem;
ssl_verify_client on;
location / {
proxy_pass http://127.0.0.1:8083;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
}
}
file kc-certs.conf
ssl_certificate /etc/ssl/private/kc-server.crt; ssl_certificate_key /etc/ssl/private/kc-server.key;
file kc-ssl-params.conf
# should be also TLSv1.3 if possible ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ecdh_curve secp384r1; ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling off; ssl_stapling_verify off; # replace follwing with local dns resolver 8.8.8.8 valid=300s; resolver_timeout 5s; # Disable strict transport security for now. You can uncomment the following # line if you understand the implications. #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block";
ansible role for adding client certs to firefox/chrome on the clients
nginx-sample-configs.1710171435.txt.gz · Last modified: 2024/03/11 16:37 by rklein
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
