summaryrefslogtreecommitdiffstats
path: root/cfg
diff options
context:
space:
mode:
authorSamuli Silvius <s.silvius@partner.samsung.com>2018-12-21 16:08:09 +0200
committerSamuli Silvius <s.silvius@partner.samsung.com>2018-12-21 16:08:09 +0200
commitf5534d814e61981a13d4c5af177fa13956faf8f5 (patch)
tree41931192bf6e4a97fb84eef36569601f1b3b2375 /cfg
parent9e9afd7b9b8276c8a20225266b2058024955cbbb (diff)
Added config files for old bash offline installer.
Old bash installer is still kept usable and these config files are used only by that bash solution. Change-Id: I72d010cc49412f106947e1644ad9c1923ca98772 Issue-ID: OOM-1551 Signed-off-by: Samuli Silvius <s.silvius@partner.samsung.com>
Diffstat (limited to 'cfg')
-rw-r--r--cfg/cacert.cnf113
-rw-r--r--cfg/nexus_cert.cnf33
-rw-r--r--cfg/nginx.conf110
-rw-r--r--cfg/v3.ext24
4 files changed, 280 insertions, 0 deletions
diff --git a/cfg/cacert.cnf b/cfg/cacert.cnf
new file mode 100644
index 00000000..a6917ca9
--- /dev/null
+++ b/cfg/cacert.cnf
@@ -0,0 +1,113 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3750
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+organizationName = match
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+localityName = optional
+organizationName = optional
+commonName = supplied
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# Optionally, specify some defaults.
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = onap
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/cfg/nexus_cert.cnf b/cfg/nexus_cert.cnf
new file mode 100644
index 00000000..ab8d5477
--- /dev/null
+++ b/cfg/nexus_cert.cnf
@@ -0,0 +1,33 @@
+[ req ]
+default_bits = 4096
+default_keyfile = server-key.pem
+distinguished_name = dn
+#req_extensions = v3_req
+x509_extensions = v3_req
+string_mask = utf8only
+prompt = no
+default_md = sha256
+
+[ dn ]
+
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = registry-1.docker.io
+#emailAddress
+
+[ v3_req ]
+
+#subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+# does not work here because of bug in openssl
+#subjectAltName = @alternate_names
+nsComment = "OpenSSL Generated Certificate"
+
+#[ alternate_names ]
+
+#DNS.4 = ftp.example.com
diff --git a/cfg/nginx.conf b/cfg/nginx.conf
new file mode 100644
index 00000000..7317d3f2
--- /dev/null
+++ b/cfg/nginx.conf
@@ -0,0 +1,110 @@
+worker_processes 2;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ error_log /var/log/nginx/error.log debug;
+ access_log /var/log/nginx/access.log;
+
+ proxy_intercept_errors on;
+ proxy_send_timeout 120;
+ proxy_read_timeout 300;
+
+ upstream nexus {
+ server nexus:8081;
+ }
+
+ upstream registry {
+ server nexus:8082;
+ }
+
+# http simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name _;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+
+ location / {
+ root /srv/http/$host;
+ index index.html;
+ }
+ }
+
+# nexus simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name nexus.student12 gcr.io registry-1.docker.io docker.io registry.npmjs.org nexus3.onap.org docker.elastic.co registry.hub.docker.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ # allow large uploads
+ client_max_body_size 3G;
+
+ location /maven2 {
+ rewrite /maven2/(.*) /repository/maven2/$1 break;
+ # redirect to docker registry
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ # redirect to docker registry
+ if ($http_user_agent ~ docker ) {
+ proxy_pass http://registry;
+ }
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+# git simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name gerrit.onap.org git.rancher.io github.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ location / {
+ try_files $uri $uri/ @git;
+ }
+
+ location @git {
+
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param PATH_INFO $uri;
+
+ include fastcgi_params;
+
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /srv/git/$host/;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+ }
+}
diff --git a/cfg/v3.ext b/cfg/v3.ext
new file mode 100644
index 00000000..b4a6e433
--- /dev/null
+++ b/cfg/v3.ext
@@ -0,0 +1,24 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = nexus.student12
+DNS.2 = gcr.io
+DNS.3 = git.rancher.io
+DNS.4 = gerrit.onap.org
+DNS.5 = registry-1.docker.io
+DNS.6 = docker.io
+DNS.7 = registry.npmjs.org
+DNS.8 = nexus3.onap.org
+DNS.9 = nexus.onap.org
+DNS.10 = docker.elastic.co
+DNS.11 = www.getcloudify.org
+DNS.12 = registry.hub.docker.com
+DNS.13 = github.com
+DNS.14 = repo.maven.apache.org
+DNS.15 = www.springframework.org
+DNS.16 = repo1.maven.org
+DNS.17 = git.onap.org
+