egeneralov · March 28, 2022 08:56
diff --git a/certificates.sh b/certificates.sh
 #!/bin/bash -xec

 export DOMAIN=

 rm -rf /etc/nginx/client_ssl
 mkdir -p /etc/nginx/client_ssl

 cd /etc/nginx/client_ssl

 openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -sha256 -x509 -days 3650 -subj "/CN=${DOMAIN}" -out ca.crt

 cat << EOF > ca.config
 [ ca ]
 default_ca = CA_CLIENT
 [ CA_CLIENT ]
 dir = ./db
 certs = \$dir/certs
 new_certs_dir = \$dir/newcerts
 database = \$dir/index.txt
 serial = \$dir/serial
 certificate = ./ca.crt
 private_key = ./ca.key
 default_days = 365
 default_crl_days = 365
 default_md = sha256
 policy = policy_anything
 [ policy_anything ]
 countryName = optional
 stateOrProvinceName = optional
 localityName = optional
 organizationName = optional
 organizationalUnitName = optional
 commonName = optional
 emailAddress = optional
 EOF

 mkdir -p db/{certs,newcerts,key,csr,crt,pfx}
 echo 'unique_subject = yes' > ./db/index.txt.attr
 touch db/index.txt
 echo "000001" > db/serial


 # for client in $(cat client_names.txt); do
 export client=egeneralov
 openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout db/key/${client}.key -subj "/CN=${client}@${DOMAIN}" -out db/csr/${client}.csr
 openssl ca -config ca.config -in db/csr/${client}.csr -out db/crt/${client}.crt -batch
 openssl pkcs12 -export -in db/crt/${client}.crt -inkey db/key/${client}.key -certfile ca.crt -out db/pfx/${client}.p12 -passout pass:${client}
 # done;

 curl -k "https://git.${DOMAIN}"
 curl -k --key db/key/${client}.key --cert db/crt/${client}.crt --url "https://git.${DOMAIN}"

 # local
 scp -P 222 git.${DOMAIN}:/etc/nginx/client_ssl/db/pfx/${client}.p12 ~/Documents/access/git.${DOMAIN}.${client}.p12
 Raw
diff --git a/egeneralov.gitlab.sh b/egeneralov.gitlab.sh
 ln -sf /root/.acme.sh/gitlab.${DOMAIN}/fullchain.cer /etc/gitlab/ssl/gitlab.${DOMAIN}.crt
 ln -sf /root/.acme.sh/gitlab.${DOMAIN}/fullchain.cer /etc/gitlab/ssl/registry.${DOMAIN}.crt

 ln -sf /root/.acme.sh/gitlab.${DOMAIN}/gitlab.${DOMAIN}.key /etc/gitlab/ssl/gitlab.${DOMAIN}.key
 ln -sf /root/.acme.sh/gitlab.${DOMAIN}/gitlab.${DOMAIN}.key /etc/gitlab/ssl/registry.${DOMAIN}.key

 ln -sf /etc/nginx/client_ssl/ca.crt /etc/gitlab/ssl/ca.crt
diff --git a/nginx-vhost.conf b/nginx-vhost.conf
 geo $rfc6890 {
  default 0;
  10.0.0.0/8 1;
  172.16.0.0/12 1;
  192.168.0.0/16 1;
  100.64.0.0/10 1;
  127.0.0.0/8 1;
 }

 geo $allowed_ips {
  default 0;
  1.1.1.1/32 1;
 }

 server {
  listen 80;
  server_name ${DOMAIN};
  server_tokens off;
  
  access_log /var/log/nginx/${DOMAIN}_access.log;
  error_log /var/log/nginx/${DOMAIN}_error.log;
  
  location / {
    return 301 https://$host$request_uri;
  }
  
  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt/;
  }
 }

 server {
  listen 443 ssl;
  server_name git.${DOMAIN};
  server_tokens off;
  
  ssl_certificate /etc/letsencrypt/live/git.${DOMAIN}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/git.${DOMAIN}/privkey.pem; 
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  
  ssl_client_certificate /etc/nginx/client_ssl/ca.crt;
  ssl_verify_client optional;
  ssl_verify_depth 2;
  
  if ($ssl_client_verify != SUCCESS) {
    set $fail 1;
  }
  
  if ($http_host ~ "registry.${DOMAIN}|jira.${DOMAIN}") { set $fail 0; }
  if ($rfc6890) { set $fail 0; }
  if ($allowed_ips) { set $fail 0; }
  if ($request_uri ~ "^/.well-known/acme-challenge") { set $fail 0; }
  
  if ($fail = 1) { return 403; }
  
  client_max_body_size 300m;
  client_body_buffer_size 128k;
  
  access_log /var/log/nginx/git.${DOMAIN}_access.log;
  error_log /var/log/nginx/git.${DOMAIN}_error.log;
  
  location /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt/;
  }
  
  location / {
    proxy_pass http://127.0.0.1:8088;
    
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    
    proxy_redirect off;
    proxy_buffer_size 8k;
    proxy_buffers 8 16k;
    proxy_busy_buffers_size 64k;
    proxy_connect_timeout 600;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
  }
 }
	#!/bin/bash -xec

	export DOMAIN=

	rm -rf /etc/nginx/client_ssl
	mkdir -p /etc/nginx/client_ssl

	cd /etc/nginx/client_ssl

	openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -sha256 -x509 -days 3650 -subj "/CN=${DOMAIN}" -out ca.crt

	cat << EOF > ca.config
	[ ca ]
	default_ca = CA_CLIENT
	[ CA_CLIENT ]
	dir = ./db
	certs = \$dir/certs
	new_certs_dir = \$dir/newcerts
	database = \$dir/index.txt
	serial = \$dir/serial
	certificate = ./ca.crt
	private_key = ./ca.key
	default_days = 365
	default_crl_days = 365
	default_md = sha256
	policy = policy_anything
	[ policy_anything ]
	countryName = optional
	stateOrProvinceName = optional
	localityName = optional
	organizationName = optional
	organizationalUnitName = optional
	commonName = optional
	emailAddress = optional
	EOF

	mkdir -p db/{certs,newcerts,key,csr,crt,pfx}
	echo 'unique_subject = yes' > ./db/index.txt.attr
	touch db/index.txt
	echo "000001" > db/serial


	# for client in $(cat client_names.txt); do
	export client=egeneralov
	openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout db/key/${client}.key -subj "/CN=${client}@${DOMAIN}" -out db/csr/${client}.csr
	openssl ca -config ca.config -in db/csr/${client}.csr -out db/crt/${client}.crt -batch
	openssl pkcs12 -export -in db/crt/${client}.crt -inkey db/key/${client}.key -certfile ca.crt -out db/pfx/${client}.p12 -passout pass:${client}
	# done;

	curl -k "https://git.${DOMAIN}"
	curl -k --key db/key/${client}.key --cert db/crt/${client}.crt --url "https://git.${DOMAIN}"

	# local
	scp -P 222 git.${DOMAIN}:/etc/nginx/client_ssl/db/pfx/${client}.p12 ~/Documents/access/git.${DOMAIN}.${client}.p12
	Raw
	ln -sf /root/.acme.sh/gitlab.${DOMAIN}/fullchain.cer /etc/gitlab/ssl/gitlab.${DOMAIN}.crt
	ln -sf /root/.acme.sh/gitlab.${DOMAIN}/fullchain.cer /etc/gitlab/ssl/registry.${DOMAIN}.crt

	ln -sf /root/.acme.sh/gitlab.${DOMAIN}/gitlab.${DOMAIN}.key /etc/gitlab/ssl/gitlab.${DOMAIN}.key
	ln -sf /root/.acme.sh/gitlab.${DOMAIN}/gitlab.${DOMAIN}.key /etc/gitlab/ssl/registry.${DOMAIN}.key

	ln -sf /etc/nginx/client_ssl/ca.crt /etc/gitlab/ssl/ca.crt
	geo $rfc6890 {
	default 0;
	10.0.0.0/8 1;
	172.16.0.0/12 1;
	192.168.0.0/16 1;
	100.64.0.0/10 1;
	127.0.0.0/8 1;
	}

	geo $allowed_ips {
	default 0;
	1.1.1.1/32 1;
	}

	server {
	listen 80;
	server_name ${DOMAIN};
	server_tokens off;

	access_log /var/log/nginx/${DOMAIN}_access.log;
	error_log /var/log/nginx/${DOMAIN}_error.log;

	location / {
	return 301 https://$host$request_uri;
	}

	location /.well-known/acme-challenge/ {
	default_type "text/plain";
	root /var/www/letsencrypt/;
	}
	}

	server {
	listen 443 ssl;
	server_name git.${DOMAIN};
	server_tokens off;

	ssl_certificate /etc/letsencrypt/live/git.${DOMAIN}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/git.${DOMAIN}/privkey.pem;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	ssl_client_certificate /etc/nginx/client_ssl/ca.crt;
	ssl_verify_client optional;
	ssl_verify_depth 2;

	if ($ssl_client_verify != SUCCESS) {
	set $fail 1;
	}

	if ($http_host ~ "registry.${DOMAIN}\|jira.${DOMAIN}") { set $fail 0; }
	if ($rfc6890) { set $fail 0; }
	if ($allowed_ips) { set $fail 0; }
	if ($request_uri ~ "^/.well-known/acme-challenge") { set $fail 0; }

	if ($fail = 1) { return 403; }

	client_max_body_size 300m;
	client_body_buffer_size 128k;

	access_log /var/log/nginx/git.${DOMAIN}_access.log;
	error_log /var/log/nginx/git.${DOMAIN}_error.log;

	location /.well-known/acme-challenge/ {
	default_type "text/plain";
	root /var/www/letsencrypt/;
	}

	location / {
	proxy_pass http://127.0.0.1:8088;

	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;

	proxy_redirect off;
	proxy_buffer_size 8k;
	proxy_buffers 8 16k;
	proxy_busy_buffers_size 64k;
	proxy_connect_timeout 600;
	proxy_send_timeout 600;
	proxy_read_timeout 600;
	}
	}