From f5534d814e61981a13d4c5af177fa13956faf8f5 Mon Sep 17 00:00:00 2001
From: Samuli Silvius
Date: Fri, 21 Dec 2018 16:08:09 +0200
Subject: Added config files for old bash offline installer.

Old bash installer is still kept usable and these config files are used only by that bash solution.

Change-Id: I72d010cc49412f106947e1644ad9c1923ca98772
Issue-ID: OOM-1551
Signed-off-by: Samuli Silvius
---
 cfg/cacert.cnf | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 cfg/nexus_cert.cnf | 33 ++++++++++++++++
 cfg/nginx.conf | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++
 cfg/v3.ext | 24 ++++++++++++
 4 files changed, 280 insertions(+)
 create mode 100644 cfg/cacert.cnf
 create mode 100644 cfg/nexus_cert.cnf
 create mode 100644 cfg/nginx.conf
 create mode 100644 cfg/v3.ext

diff --git a/cfg/cacert.cnf b/cfg/cacert.cnf
new file mode 100644
index 00000000..a6917ca9
--- /dev/null
+++ b/cfg/cacert.cnf
@@ -0,0 +1,113 @@
+[ ca ]
+# `man ca`
+default_ca = CA_default
+
+[ CA_default ]
+# Directory and file locations.
+dir = ./
+certs = $dir/certs
+crl_dir = $dir/crl
+new_certs_dir = $dir/newcerts
+database = $dir/index.txt
+serial = $dir/serial
+RANDFILE = $dir/private/.rand
+
+# The root key and root certificate.
+private_key = $dir/private/ca.key.pem
+certificate = $dir/certs/ca.cert.pem
+
+# For certificate revocation lists.
+crlnumber = $dir/crlnumber
+crl = $dir/crl/ca.crl.pem
+crl_extensions = crl_ext
+default_crl_days = 30
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3750
+preserve = no
+policy = policy_strict
+
+[ policy_strict ]
+# The root CA should only sign intermediate certificates that match.
+# See the POLICY FORMAT section of `man ca`.
+countryName = match
+organizationName = match
+commonName = supplied
+
+[ policy_loose ]
+# Allow the intermediate CA to sign a more diverse range of certificates.
+# See the POLICY FORMAT section of the `ca` man page.
+countryName = optional
+localityName = optional
+organizationName = optional
+commonName = supplied
+
+[ req ]
+# Options for the `req` tool (`man req`).
+default_bits = 4096
+distinguished_name = req_distinguished_name
+string_mask = utf8only
+prompt = no
+
+# SHA-1 is deprecated, so use SHA-2 instead.
+default_md = sha256
+
+# Extension to add when the -x509 option is used.
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+# Optionally, specify some defaults.
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = onap
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ usr_cert ]
+# Extensions for client certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = client, email
+nsComment = "OpenSSL Generated Client Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth, emailProtection
+
+[ server_cert ]
+# Extensions for server certificates (`man x509v3_config`).
+basicConstraints = CA:FALSE
+nsCertType = server
+nsComment = "OpenSSL Generated Server Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
diff --git a/cfg/nexus_cert.cnf b/cfg/nexus_cert.cnf
new file mode 100644
index 00000000..ab8d5477
--- /dev/null
+++ b/cfg/nexus_cert.cnf
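Review bot: `default_days = 3750` in `[ CA_default ]` gives every certificate signed through `openssl ca` roughly ten years of validity, including the leaf certificates issued with the `[ server_cert ]` extensions, not just the root; ten years is defensible for the offline root itself, but the simulated-host server certs can be far shorter (`default_days = 825` or less, renewed by the installer), which bounds how long a compromised server key stays usable. `[ policy_loose ]` is defined but nothing selects it (`policy = policy_strict` is the only reference), so either drop it or comment why it is kept. Every path derives from `dir = ./`, so `openssl ca` only works when run from the CA directory; a comment such as `# all paths are relative to ./ : run openssl from the CA directory` would save the next maintainer a failed run.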
@@ -0,0 +1,33 @@
+[ req ]
+default_bits = 4096
+default_keyfile = server-key.pem
+distinguished_name = dn
+#req_extensions = v3_req
+x509_extensions = v3_req
+string_mask = utf8only
+prompt = no
+default_md = sha256
+
+[ dn ]
+
+countryName = PL
+localityName = Krakow
+organizationName = Samsung
+commonName = registry-1.docker.io
+#emailAddress
+
+[ v3_req ]
+
+#subjectKeyIdentifier = hash
+#authorityKeyIdentifier = keyid,issuer
+
+basicConstraints = CA:FALSE
+keyUsage = critical, keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+# does not work here because of bug in openssl
+#subjectAltName = @alternate_names
+nsComment = "OpenSSL Generated Certificate"
+
+#[ alternate_names ]
+
+#DNS.4 = ftp.example.com
diff --git a/cfg/nginx.conf b/cfg/nginx.conf
new file mode 100644
index 00000000..7317d3f2
--- /dev/null
+++ b/cfg/nginx.conf
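Review bot: With `#subjectAltName = @alternate_names` commented out, a certificate produced from this config alone binds the host name only through `commonName = registry-1.docker.io`, and Go-based TLS clients such as docker no longer match on CN, so it would be rejected for every host the nginx config serves. Presumably the names are added at signing time from cfg/v3.ext (`-extfile`) in the same commit, but nothing here says so; replace the `# does not work here because of bug in openssl` line with `# subjectAltName is supplied by cfg/v3.ext at signing time (-extfile); CN alone is not matched by docker/Go clients`. `keyAgreement` in `keyUsage` has no meaning for the RSA key this file requests (`default_bits = 4096`, no EC parameters) and can be dropped to keep the usage list honest.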
@@ -0,0 +1,110 @@
+worker_processes 2;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ error_log /var/log/nginx/error.log debug;
+ access_log /var/log/nginx/access.log;
+
+ proxy_intercept_errors on;
+ proxy_send_timeout 120;
+ proxy_read_timeout 300;
+
+ upstream nexus {
+ server nexus:8081;
+ }
+
+ upstream registry {
+ server nexus:8082;
+ }
+
+# http simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name _;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+
+ location / {
+ root /srv/http/$host;
+ index index.html;
+ }
+ }
+
+# nexus simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name nexus.student12 gcr.io registry-1.docker.io docker.io registry.npmjs.org nexus3.onap.org docker.elastic.co registry.hub.docker.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ # allow large uploads
+ client_max_body_size 3G;
+
+ location /maven2 {
+ rewrite /maven2/(.*) /repository/maven2/$1 break;
+ # redirect to docker registry
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+
+ location / {
+ # redirect to docker registry
+ if ($http_user_agent ~ docker ) {
+ proxy_pass http://registry;
+ }
+ proxy_pass http://nexus;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+ }
+
+# git simulations
+ server {
+ listen 80;
+ listen 443 ssl;
+ server_name gerrit.onap.org git.rancher.io github.com;
+ ssl_certificate /etc/nginx/certs/nexus_server.crt;
+ ssl_certificate_key /etc/nginx/certs/nexus_server.key;
+
+ keepalive_timeout 5 5;
+ proxy_buffering off;
+
+ location / {
+ try_files $uri $uri/ @git;
+ }
+
+ location @git {
+
+ # Set chunks to unlimited, as the body's can be huge
+ client_max_body_size 0;
+
+ fastcgi_param SCRIPT_FILENAME /usr/libexec/git-core/git-http-backend;
+ fastcgi_param QUERY_STRING $args;
+ fastcgi_param HTTP_HOST $server_name;
+ fastcgi_param PATH_INFO $uri;
+
+ include fastcgi_params;
+
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /srv/git/$host/;
+
+ # Forward REMOTE_USER as we want to know when we are authenticated
+ fastcgi_param REMOTE_USER $remote_user;
+
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+ }
+}
diff --git a/cfg/v3.ext b/cfg/v3.ext
new file mode 100644
index 00000000..b4a6e433
--- /dev/null
+++ b/cfg/v3.ext
@@ -0,0 +1,24 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = nexus.student12
+DNS.2 = gcr.io
+DNS.3 = git.rancher.io
+DNS.4 = gerrit.onap.org
+DNS.5 = registry-1.docker.io
+DNS.6 = docker.io
+DNS.7 = registry.npmjs.org
+DNS.8 = nexus3.onap.org
+DNS.9 = nexus.onap.org
+DNS.10 = docker.elastic.co
+DNS.11 = www.getcloudify.org
+DNS.12 = registry.hub.docker.com
+DNS.13 = github.com
+DNS.14 = repo.maven.apache.org
+DNS.15 = www.springframework.org
+DNS.16 = repo1.maven.org
+DNS.17 = git.onap.org
+
-- 
cgit 1.2.3-korg
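Review bot: `fastcgi_param REMOTE_USER $remote_user;` in `location @git` forwards a username that nothing verifies — there is no `auth_basic`/`auth_basic_user_file` anywhere in this server block, so `$remote_user` is simply whatever the client placed in its Authorization header. git-http-backend treats a non-empty REMOTE_USER as an authenticated request and therefore enables receive-pack (push) on every repository under `GIT_PROJECT_ROOT /srv/git/$host/`, all of which `GIT_HTTP_EXPORT_ALL ""` exports, so the comment "as we want to know when we are authenticated" describes a check that does not exist. If the git simulation is meant to be read-only, drop the REMOTE_USER line (git-http-backend then refuses pushes unless http.receivepack is set per repository); if pushes are needed, put `auth_basic` and `auth_basic_user_file` in front of it so the value is one nginx has actually checked. A secondary point in the nexus `location /`: `proxy_pass` inside `if ($http_user_agent ~ docker )` is the pattern the nginx documentation warns against; a `map $http_user_agent $backend` at http level feeding a single `proxy_pass http://$backend;` is the robust form and keeps the `proxy_set_header` lines on one path.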
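Review bot: This extension file carries no `extendedKeyUsage`; if it is passed to `openssl x509 -req -extfile`, the CSR's own extensions (the `extendedKeyUsage = serverAuth` in `[ v3_req ]` of cfg/nexus_cert.cnf) are not copied unless `-copy_extensions` is used, so the issued certificate ends up with key usage but no EKU. Adding `extendedKeyUsage = serverAuth` after the `keyUsage` line keeps it consistent with the other config and with what the `listen 443 ssl` servers in cfg/nginx.conf need. `[alt_names]` also lists hosts that no `server_name` in cfg/nginx.conf names (nexus.onap.org, www.getcloudify.org, repo.maven.apache.org, www.springframework.org, repo1.maven.org, git.onap.org); they fall through to the first server block (`server_name _`), which serves static files from `/srv/http/$host`, and that is worth a comment here if it is intentional.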