local nginx server for mTLS

keboola · Jan 27, 2025 · 84d1f34 · 84d1f34
1 parent 994bd63
commit 84d1f34
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -14,3 +14,5 @@ vendor/
 /python-sync-actions/src/test.py
 /python-sync-actions/data
 __pycache__/
+docker/keys/*
+!docker/keys/genkeys.sh
diff --git a/README.md b/README.md
@@ -1226,6 +1226,18 @@ or (with local source code and vendor copy)
 docker compose run --rm tests-local
 ``` 
 
+# mTLS
+1. `cd docker/keys` and then run `./genkeys.sh`
+2. ```
+    "api": {
+        "baseUrl": "https://server.local/",
+        "caCertificate": "conent of file rootCA.crt with \n at the end",
+        "#clientCertificate": "conent of file client.crt with \n at the end",
+        "#clientKey": "conent of file client.key with \n at the end"
+    }
+   ```
+3. restart nginx
+
 ## License
 
 MIT licensed, see [LICENSE](./LICENSE) file.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -35,3 +35,12 @@ services:
     links:
       - jsontest:jsontest-behind-proxy
 
+  server.local:
+    image: nginx:alpine
+    ports:
+      - "443:443"
+    volumes:
+      - "./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf"
+      - "./docker/keys/server.crt:/etc/nginx/server.crt"
+      - "./docker/keys/server.key:/etc/nginx/server.key"
+      - "./docker/keys/rootCA.crt:/etc/nginx/ca.crt"
diff --git a/docker/keys/genkeys.sh b/docker/keys/genkeys.sh
@@ -0,0 +1,12 @@
+cd keys
+echo "creating rootCA"
+openssl genrsa -out rootCA.key 4096
+openssl req -x509 -new -nodes -key rootCA.key -subj "/C=CZ/ST=CZ/O=authority" -days 1024 -out rootCA.crt
+echo "creating server keys"
+openssl genrsa -out server.key 2048
+openssl req -new  -key server.key -subj "/C=CZ/ST=CZ/O=mytest/CN=server.local" -out server.csr # CN = server.local name of service
+openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500
+echo "creating client keys"
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -subj "/C=CZ/ST=CZ/O=mytest/CN=dev" -out client.csr # CN = dev name of service
+openssl x509 -req -in client.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client.crt -days 500
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
@@ -0,0 +1,17 @@
+server {
+    listen              443 ssl;
+    server_name         server.local;
+    ssl_certificate     /etc/nginx/server.crt;
+    ssl_certificate_key /etc/nginx/server.key;
+
+    ssl_client_certificate /etc/nginx/ca.crt;
+    ssl_verify_client      optional;
+
+    location / {
+        if ($ssl_client_verify != SUCCESS) {
+            return 403;
+        }
+
+        return 200 '{"name": "Nginx", "type": "server"}';
+    }
+}