From 84d1f346fd1b2d0bab9db1048e11ced62ffc2981 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20=C5=A0uca?=
Date: Mon, 27 Jan 2025 15:46:33 +0100
Subject: [PATCH] local nginx server for mTLS

---
 .gitignore | 2 ++
 README.md | 12 ++++++++++++
 docker-compose.yml | 9 +++++++++
 docker/keys/genkeys.sh | 12 ++++++++++++
 docker/nginx/default.conf | 17 +++++++++++++++++
 5 files changed, 52 insertions(+)
 create mode 100755 docker/keys/genkeys.sh
 create mode 100644 docker/nginx/default.conf

diff --git a/.gitignore b/.gitignore
index 0c69b7e..bc9cd25 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,5 @@ vendor/
 /python-sync-actions/src/test.py
 /python-sync-actions/data
 __pycache__/
+docker/keys/*
+!docker/keys/genkeys.sh
diff --git a/README.md b/README.md
index 4417132..d1c8c2d 100644
--- a/README.md
+++ b/README.md
@@ -1226,6 +1226,18 @@ or (with local source code and vendor copy)
 docker compose run --rm tests-local
 ```
 
+# mTLS
+1. `cd docker/keys` and then run `./genkeys.sh`
+2. ```
+ "api": {
+ "baseUrl": "https://server.local/",
+ "caCertificate": "conent of file rootCA.crt with \n at the end",
+ "#clientCertificate": "conent of file client.crt with \n at the end",
+ "#clientKey": "conent of file client.key with \n at the end"
+ }
+ ```
+3. restart nginx
+
 ## License
 
 MIT licensed, see [LICENSE](./LICENSE) file.
diff --git a/docker-compose.yml b/docker-compose.yml
index e447f2b..a0c619f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -35,3 +35,12 @@ services:
 links:
 - jsontest:jsontest-behind-proxy
 
+ server.local:
+ image: nginx:alpine
+ ports:
+ - "443:443"
+ volumes:
+ - "./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf"
+ - "./docker/keys/server.crt:/etc/nginx/server.crt"
+ - "./docker/keys/server.key:/etc/nginx/server.key"
+ - "./docker/keys/rootCA.crt:/etc/nginx/ca.crt"
diff --git a/docker/keys/genkeys.sh b/docker/keys/genkeys.sh
new file mode 100755
index 0000000..be420af
--- /dev/null
+++ b/docker/keys/genkeys.sh
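Review bot: The `"443:443"` mapping in the new `server.local` service publishes the mTLS test endpoint on every host interface, while a local fixture only needs loopback; `- "127.0.0.1:443:443"` keeps it unreachable from the rest of the network. The three `./docker/keys/*` bind mounts also silently depend on `genkeys.sh` having been run first: if `server.key` does not exist yet, Docker will (as far as I recall) create an empty directory at that path and nginx then fails at startup with a misleading error, so a comment naming the prerequisite would help, e.g. `# run docker/keys/genkeys.sh before starting this service`. Mounting the key and certificates read-only with a `:ro` suffix costs nothing and stops the container from modifying them.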
@@ -0,0 +1,12 @@
+cd keys
+echo "creating rootCA"
+openssl genrsa -out rootCA.key 4096
+openssl req -x509 -new -nodes -key rootCA.key -subj "/C=CZ/ST=CZ/O=authority" -days 1024 -out rootCA.crt
+echo "creating server keys"
+openssl genrsa -out server.key 2048
+openssl req -new -key server.key -subj "/C=CZ/ST=CZ/O=mytest/CN=server.local" -out server.csr # CN = server.local name of service
+openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500
+echo "creating client keys"
+openssl genrsa -out client.key 2048
+openssl req -new -key client.key -subj "/C=CZ/ST=CZ/O=mytest/CN=dev" -out client.csr # CN = dev name of service
+openssl x509 -req -in client.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client.crt -days 500
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
new file mode 100644
index 0000000..4fb003d
--- /dev/null
+++ b/docker/nginx/default.conf
@@ -0,0 +1,17 @@
+server {
+ listen 443 ssl;
+ server_name server.local;
+ ssl_certificate /etc/nginx/server.crt;
+ ssl_certificate_key /etc/nginx/server.key;
+
+ ssl_client_certificate /etc/nginx/ca.crt;
+ ssl_verify_client optional;
+
+ location / {
+ if ($ssl_client_verify != SUCCESS) {
+ return 403;
+ }
+
+ return 200 '{"name": "Nginx", "type": "server"}';
+ }
+}
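Review bot: `cd keys` on the first line of genkeys.sh disagrees with the README, which runs the script from inside `docker/keys`; there no nested `keys/` directory exists, the `cd` fails, and because the script has no shebang and no `set -e` the `openssl` commands go on to write `rootCA.key` and the other private keys into whatever the current directory happens to be. Replacing that line with `#!/bin/sh`, `set -eu`, `cd "$(dirname "$0")"` makes the script work from any directory and stop at the first failure. Separately, `server.local` appears only in the CN of the server CSR; many current TLS clients ignore CN and require a subjectAltName, so the server certificate may be rejected — if that turns out to be the case, supply an extension file containing `subjectAltName=DNS:server.local` to the `openssl x509 -req` call via `-extfile`.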
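Review bot: `ssl_verify_client optional;` combined with the `$ssl_client_verify != SUCCESS` check moves the rejection from the TLS handshake to an HTTP 403, which is reasonable for a fixture that wants to exercise both the accepted and the rejected path, but since `on` is the usual choice the reason deserves a comment, e.g. `# optional: complete the handshake without a client cert so the 403 path can be tested; verification is enforced in the location block`. The server block also leaves `ssl_protocols` at the image default, which depends on whichever version the floating `nginx:alpine` tag resolves to; adding `ssl_protocols TLSv1.2 TLSv1.3;` makes the fixture's behaviour explicit and independent of the image.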