mastersign · June 25, 2019 09:13
diff --git a/generate-cert.cmd b/generate-cert.cmd
 @ECHO OFF
 SETLOCAL

 SET COUNTRY=DE
 SET STATE=Bundesland
 SET LOCATION=Stadtname
 SET ORG=Unternehmen
 SET ORG_UNIT=Abteilung
 SET COMMON_NAME=servername.unternehmen.de

 SET KEY_FILE=self-signed.key
 SET CERT_FILE=self-signed.crt

 openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 365 ^
 	-config "%~dp0openssl.conf" ^
 	-subj "/C=%COUNTRY%/ST=%STATE%/L=%LOCATION%/O=%ORG%/OU=%ORG_UNIT%/CN=%COMMON_NAME%" ^
 	-keyout "%KEY_FILE%" -out "%CERT_FILE%"

 PAUSE
diff --git a/nginx.conf b/nginx.conf
 #user  nobody;
 worker_processes  1;

 #error_log  logs/error.log;
 #error_log  logs/error.log  notice;
 #error_log  logs/error.log  info;

 #pid        logs/nginx.pid;

 events {
    worker_connections  1024;
 }

 http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen       0.0.0.0:443 ssl;
        server_name  MYHOSTNAME;

        ssl_certificate     self-signed.crt;
        ssl_certificate_key self-signed.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

        # web application
        location /myapp/ {
            set $app http://127.0.0.1:8802;
            proxy_pass $app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # web application with URL rewrite
        location /myapp-rewrite/ {
            set $app http://127.0.0.1:8802;
            proxy_pass $app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            
            # rewrite request URLs
            rewrite /myapp-rewrite/(.*) /$1 break;
            
            # rewrite HTML content
            sub_filter "http://127.0.0.1:8802/" "https://MYHOSTNAME/myapp-rewrite/";
            sub_filter_once off;
        }

        # web application with WebSockets
        location /myapp-with-ws/ {
            set $app http://127.0.0.1:8803;
            proxy_pass $app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            
            # HTTP config
            proxy_http_version 1.1;
            proxy_read_timeout 300s;
            
            # websocket headers
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        # root content
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
 }
diff --git a/openssl.conf b/openssl.conf
 [req]
 req_extensions = v3_req
 distinguished_name = req_distinguished_name

 [req_distinguished_name]

 [v3_req]
 basicConstraints = CA:FALSE
 keyUsage = digitalSignature, keyEncipherment
	@ECHO OFF
	SETLOCAL

	SET COUNTRY=DE
	SET STATE=Bundesland
	SET LOCATION=Stadtname
	SET ORG=Unternehmen
	SET ORG_UNIT=Abteilung
	SET COMMON_NAME=servername.unternehmen.de

	SET KEY_FILE=self-signed.key
	SET CERT_FILE=self-signed.crt

	openssl req -x509 -sha256 -nodes -newkey rsa:4096 -days 365 ^
	-config "%~dp0openssl.conf" ^
	-subj "/C=%COUNTRY%/ST=%STATE%/L=%LOCATION%/O=%ORG%/OU=%ORG_UNIT%/CN=%COMMON_NAME%" ^
	-keyout "%KEY_FILE%" -out "%CERT_FILE%"

	PAUSE
	#user nobody;
	worker_processes 1;

	#error_log logs/error.log;
	#error_log logs/error.log notice;
	#error_log logs/error.log info;

	#pid logs/nginx.pid;

	events {
	worker_connections 1024;
	}

	http {
	include mime.types;
	default_type application/octet-stream;

	#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	# '$status $body_bytes_sent "$http_referer" '
	# '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log logs/access.log main;

	sendfile on;

	keepalive_timeout 65;

	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	server {
	listen 0.0.0.0:443 ssl;
	server_name MYHOSTNAME;

	ssl_certificate self-signed.crt;
	ssl_certificate_key self-signed.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# web application
	location /myapp/ {
	set $app http://127.0.0.1:8802;
	proxy_pass $app;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	# web application with URL rewrite
	location /myapp-rewrite/ {
	set $app http://127.0.0.1:8802;
	proxy_pass $app;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	# rewrite request URLs
	rewrite /myapp-rewrite/(.*) /$1 break;

	# rewrite HTML content
	sub_filter "http://127.0.0.1:8802/" "https://MYHOSTNAME/myapp-rewrite/";
	sub_filter_once off;
	}

	# web application with WebSockets
	location /myapp-with-ws/ {
	set $app http://127.0.0.1:8803;
	proxy_pass $app;
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	# HTTP config
	proxy_http_version 1.1;
	proxy_read_timeout 300s;

	# websocket headers
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	}

	# root content
	location / {
	root html;
	index index.html index.htm;
	}
	}
	}
	[req]
	req_extensions = v3_req
	distinguished_name = req_distinguished_name

	[req_distinguished_name]

	[v3_req]
	basicConstraints = CA:FALSE
	keyUsage = digitalSignature, keyEncipherment