-rw-r--r--cfg/cacert.cnf113
-rw-r--r--cfg/nexus_cert.cnf33
-rw-r--r--cfg/nginx.conf110
-rw-r--r--cfg/v3.ext24
4 files changed, 280 insertions, 0 deletions
diff --git a/cfg/cacert.cnf b/cfg/cacert.cnf
new file mode 100644
index 00000000..a6917ca9
--- /dev/null
+++ b/cfg/cacert.cnf
@@ -0,0 +1,113 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3750
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+organizationName = match
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+localityName = optional
+organizationName = optional
+commonName = supplied
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# Optionally, specify some defaults.
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = onap
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
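Review bot: `default_days = 3750` in `[ CA_default ]` gives every certificate this CA signs — including the leaf server certs used by nginx.conf — a validity of roughly ten years, which is far longer than the cert's actual need and means a leaked `nexus_server.key` stays usable for a decade on every host that trusts this CA; a shorter default (for example `default_days = 825`) with the CA's own lifetime set explicitly via `-days` on the self-signed command would limit that exposure. Note also that this config sets no `copy_extensions`, so `openssl ca` silently drops any subjectAltName carried in a CSR and the SANs must come from `-extfile` (which is presumably why cfg/v3.ext exists); a one-line comment stating that, such as `# No copy_extensions: SANs must be supplied via -extfile, CSR extensions are ignored`, would save the next person from debugging a CN-only certificate. Finally, `dir = ./` makes the key and database lookups depend on the current working directory, so it is worth documenting which directory the `openssl ca` invocation must be run from.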
diff --git a/cfg/nexus_cert.cnf b/cfg/nexus_cert.cnf
new file mode 100644
index 00000000..ab8d5477
--- /dev/null
+++ b/cfg/nexus_cert.cnf
@@ -0,0 +1,33 @@
+[ req ]
+default_bits = 4096
+default_keyfile = server-key.pem
+distinguished_name = dn
+#req_extensions = v3_req
+x509_extensions = v3_req
+string_mask = utf8only
+prompt = no
+default_md = sha256
+
+[ dn ]
+
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = registry-1.docker.io
+#emailAddress
+
+[ v3_req ]
+
+#subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+# does not work here because of bug in openssl
+#subjectAltName = @alternate_names
+nsComment = "OpenSSL Generated Certificate"
+
+#[ alternate_names ]
+
+#DNS.4 = ftp.example.com
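Review bot: The `[ v3_req ]` section leaves `subjectAltName` commented out, so a certificate generated from this file carries only `commonName = registry-1.docker.io`; Docker, Go-based tooling and current browsers ignore the CN for hostname verification and will reject it, which is likely the real reason the "does not work here because of bug in openssl" comment exists — the referenced `[ alternate_names ]` section is itself commented out, so OpenSSL has nothing to resolve. Enabling `subjectAltName = @alternate_names` and adding `[ alternate_names ]` with `DNS.1 = registry-1.docker.io` (plus any other names this cert must cover) makes the cert usable and the misleading comment can go. Minor: `keyAgreement` in `keyUsage` has no meaning for an RSA key (`default_bits = 4096`) and can be dropped.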
diff --git a/cfg/nginx.conf b/cfg/nginx.conf
new file mode 100644
index 00000000..7317d3f2
--- /dev/null
+++ b/cfg/nginx.conf
@@ -0,0 +1,110 @@
+worker_processes 2;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ error_log /var/log/nginx/error.log debug;
+ access_log /var/log/nginx/access.log;
+
+ proxy_intercept_errors on;
+ proxy_send_timeout 120;
+ proxy_read_timeout 300;
+
+ upstream nexus {
+ server nexus:8081;
+ }
+
+ upstream registry {
+ server nexus:8082;
+ }
+
+# http simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name _;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+
+ location / {
+ root /srv/http/$host;
+ index index.html;
+ }
+ }
+
+# nexus simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name nexus.student12 gcr.io registry-1.docker.io docker.io registry.npmjs.org nexus3.onap.org docker.elastic.co registry.hub.docker.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ # allow large uploads
+ client_max_body_size 3G;
+
+ location /maven2 {
+ rewrite /maven2/(.*) /repository/maven2/$1 break;
+ # redirect to docker registry
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ # redirect to docker registry
+ if ($http_user_agent ~ docker ) {
+ proxy_pass http://registry;
+ }
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+# git simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name gerrit.onap.org git.rancher.io github.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ location / {
+ try_files $uri $uri/ @git;
+ }
+
+ location @git {
+
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param PATH_INFO $uri;
+
+ include fastcgi_params;
+
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /srv/git/$host/;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+ }
+}
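Review bot: In `location @git`, `fastcgi_param REMOTE_USER $remote_user;` forwards a username to git-http-backend even though nothing in this server block authenticates anyone — nginx fills `$remote_user` from whatever Basic `Authorization` header the client sends, regardless of whether `auth_basic` is configured, and git-http-backend treats a set `REMOTE_USER` as an authenticated user, which by default permits `receive-pack` (push) unless `http.receivepack` is explicitly false. Combined with `GIT_HTTP_EXPORT_ALL ""`, any client that sends an arbitrary `Authorization: Basic …` header could push to every repository under `/srv/git/$host/`. Either add real authentication here (`auth_basic "git"; auth_basic_user_file /etc/nginx/git.htpasswd;`) or, if these mirrors are read-only, drop the `REMOTE_USER` line and set `http.receivepack = false` on the repositories, and correct the comment which currently says "we want to know when we are authenticated". Separately, `error_log /var/log/nginx/error.log debug;` at the `http` level logs full request details for every proxied registry and git call and should be reduced to `warn` outside troubleshooting.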
diff --git a/cfg/v3.ext b/cfg/v3.ext
new file mode 100644
index 00000000..b4a6e433
--- /dev/null
+++ b/cfg/v3.ext
@@ -0,0 +1,24 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = nexus.student12
+DNS.2 = gcr.io
+DNS.3 = git.rancher.io
+DNS.4 = gerrit.onap.org
+DNS.5 = registry-1.docker.io
+DNS.6 = docker.io
+DNS.7 = registry.npmjs.org
+DNS.8 = nexus3.onap.org
+DNS.9 = nexus.onap.org
+DNS.10 = docker.elastic.co
+DNS.11 = www.getcloudify.org
+DNS.12 = registry.hub.docker.com
+DNS.13 = github.com
+DNS.14 = repo.maven.apache.org
+DNS.15 = www.springframework.org
+DNS.16 = repo1.maven.org
+DNS.17 = git.onap.org
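Review bot: This extension file has no `extendedKeyUsage`, so a certificate issued with it is not restricted to TLS server use even though its SAN list impersonates github.com, docker.io, registry.npmjs.org and other public hosts; adding `extendedKeyUsage = serverAuth` limits what the cert (and a stolen key) can be used for, and `dataEncipherment` in `keyUsage` is not needed for a TLS server cert. Since any host that trusts the issuing CA will accept this cert for every name listed, a header comment should state that the CA must only be installed on lab/offline-installer nodes, e.g. `# Lab-only: a CA that signs this cert can impersonate all hosts below — never install it on a host with Internet access`. Note that several names here (for example `repo1.maven.org`, `www.getcloudify.org`, `git.onap.org`) do not appear in any `server_name` in cfg/nginx.conf and will fall through to the default `server_name _` block; if that is intended it is worth a comment, otherwise the lists should be kept in sync.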
+