summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSamuli Silvius <s.silvius@partner.samsung.com>2018-12-21 16:08:09 +0200
committerSamuli Silvius <s.silvius@partner.samsung.com>2018-12-21 16:08:09 +0200
commitf5534d814e61981a13d4c5af177fa13956faf8f5 (patch)
tree41931192bf6e4a97fb84eef36569601f1b3b2375
parent9e9afd7b9b8276c8a20225266b2058024955cbbb (diff)
Added config files for old bash offline installer.
Old bash installer is still kept usable and these config files are used only by that bash solution. Change-Id: I72d010cc49412f106947e1644ad9c1923ca98772 Issue-ID: OOM-1551 Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
-rw-r--r--cfg/cacert.cnf113
-rw-r--r--cfg/nexus_cert.cnf33
-rw-r--r--cfg/nginx.conf110
-rw-r--r--cfg/v3.ext24
4 files changed, 280 insertions, 0 deletions
diff --git a/cfg/cacert.cnf b/cfg/cacert.cnf
new file mode 100644
index 00000000..a6917ca9
--- /dev/null
+++ b/cfg/cacert.cnf
@@ -0,0 +1,113 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3750
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+organizationName = match
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+localityName = optional
+organizationName = optional
+commonName = supplied
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# Optionally, specify some defaults.
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = onap
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/cfg/nexus_cert.cnf b/cfg/nexus_cert.cnf
new file mode 100644
index 00000000..ab8d5477
--- /dev/null
+++ b/cfg/nexus_cert.cnf
@@ -0,0 +1,33 @@
+[ req ]
+default_bits = 4096
+default_keyfile = server-key.pem
+distinguished_name = dn
+#req_extensions = v3_req
+x509_extensions = v3_req
+string_mask = utf8only
+prompt = no
+default_md = sha256
+
+[ dn ]
+
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = registry-1.docker.io
+#emailAddress
+
+[ v3_req ]
+
+#subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+# does not work here because of bug in openssl
+#subjectAltName = @alternate_names
+nsComment = "OpenSSL Generated Certificate"
+
+#[ alternate_names ]
+
+#DNS.4 = ftp.example.com
diff --git a/cfg/nginx.conf b/cfg/nginx.conf
new file mode 100644
index 00000000..7317d3f2
--- /dev/null
+++ b/cfg/nginx.conf
@@ -0,0 +1,110 @@
+worker_processes 2;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ error_log /var/log/nginx/error.log debug;
+ access_log /var/log/nginx/access.log;
+
+ proxy_intercept_errors on;
+ proxy_send_timeout 120;
+ proxy_read_timeout 300;
+
+ upstream nexus {
+ server nexus:8081;
+ }
+
+ upstream registry {
+ server nexus:8082;
+ }
+
+# http simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name _;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+
+ location / {
+ root /srv/http/$host;
+ index index.html;
+ }
+ }
+
+# nexus simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name nexus.student12 gcr.io registry-1.docker.io docker.io registry.npmjs.org nexus3.onap.org docker.elastic.co registry.hub.docker.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ # allow large uploads
+ client_max_body_size 3G;
+
+ location /maven2 {
+ rewrite /maven2/(.*) /repository/maven2/$1 break;
+ # redirect to docker registry
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ # redirect to docker registry
+ if ($http_user_agent ~ docker ) {
+ proxy_pass http://registry;
+ }
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+# git simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name gerrit.onap.org git.rancher.io github.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ location / {
+ try_files $uri $uri/ @git;
+ }
+
+ location @git {
+
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param PATH_INFO $uri;
+
+ include fastcgi_params;
+
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /srv/git/$host/;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+ }
+}
diff --git a/cfg/v3.ext b/cfg/v3.ext
new file mode 100644
index 00000000..b4a6e433
--- /dev/null
+++ b/cfg/v3.ext
@@ -0,0 +1,24 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = nexus.student12
+DNS.2 = gcr.io
+DNS.3 = git.rancher.io
+DNS.4 = gerrit.onap.org
+DNS.5 = registry-1.docker.io
+DNS.6 = docker.io
+DNS.7 = registry.npmjs.org
+DNS.8 = nexus3.onap.org
+DNS.9 = nexus.onap.org
+DNS.10 = docker.elastic.co
+DNS.11 = www.getcloudify.org
+DNS.12 = registry.hub.docker.com
+DNS.13 = github.com
+DNS.14 = repo.maven.apache.org
+DNS.15 = www.springframework.org
+DNS.16 = repo1.maven.org
+DNS.17 = git.onap.org
+