Project author: dataloudlabs

Project description:
Docker environment example with nginx serving as reverse proxy and using ssl to authenticate clients
Main language: JavaScript
Repository: git://github.com/dataloudlabs/docker-client-ssl.git
Created: 2018-08-22T14:58:34Z
Project page: https://github.com/dataloudlabs/docker-client-ssl

License:


This repo is an example of how to create a docker environment with nginx serving as reverse proxy to nodejs app.

The Nginx server is configured to use SSL both to deliver its content (over https://) and to authenticate its clients.

Disclaimer
This is an example repo. Note that the commands below generate the files WITHOUT passphrases.
You should look into using the -des3 option and adding the ssl_password_file directive to the nginx config.

Creating the keys and certificates for both the server and an example client

Taken from here and here

You can run these commands inside the /auth folder. Then, copy the files that nginx needs into docker/web/auth.

Create the CA Key and Certificate for signing Client Certs

    openssl genrsa -out ca.key 4096 # add -des3 to give the file a password
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create the Server Key, CSR, and Certificate

    openssl genrsa -out server.key 1024 # add -des3 to give the file a password
    openssl req -new -key server.key -out server.csr

We’re signing our own server cert with our own private CA here. This is a no-no in production.

    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Create the Client Key and CSR

    openssl genrsa -out client.key 1024 # add -des3 to give the file a password
    openssl req -new -key client.key -out client.csr

Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.

    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Create Diffie-Hellman parameters for the server

    openssl dhparam -out dhparam.pem 2048

Bundle the client certificate and key into a p12 file

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

You’ll need to give these to nginx (place them in docker/web/auth; the Dockerfile will do the rest):

  • dhparam.pem
  • ca.crt
  • server.crt
  • server.key

You’ll need to give these to your clients:

  • ca.crt
  • client.key + client.crt
  • (or) client.p12

If you want to use curl or some dev library, the certificate + key are enough. If you want to import the certificate into
your keychain/Firefox/other client software, you’ll need the p12 file.

  • The commands above omit -des3, so the key files have no passphrase; add -des3 to the genrsa commands if you want passphrases.

After configuring nginx, your client should be able to access the service. Anyone else (or the client without the certificates) should get a 400 - No required SSL certificate was sent error.
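As an added example (not code from the repository), the bash script below rebuilds the CA, server and client chain from the commands above with 2048-bit keys, unique serials (-CAcreateserial instead of -set_serial 01 for every cert) and a server SAN, then reproduces the chain check nginx performs on a presented client certificate. The hostname example.com and the client names are assumptions; openssl must be on the PATH.

```shell
#!/usr/bin/env bash
# Constructed example, not code from dataloudlabs/docker-client-ssl.
# Builds CA -> server/client certificates like the README commands, but with
# 2048-bit keys, a server SAN and distinct serials, then runs the check that
# nginx applies to a client certificate.  Keys are written without passphrases.
set -eu

make_pki() {                     # $1 = output directory, $2 = client CN
  d="$1"; mkdir -p "$d"
  # CA key and self-signed CA cert: the trust anchor given to nginx
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$d/ca.key" \
    -subj "/CN=Example Client CA" -out "$d/ca.crt" 2>/dev/null
  # server key, CSR and CA-signed cert (example.com is an assumed hostname)
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -subj "/CN=example.com" \
    -out "$d/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:example.com\n' > "$d/server.ext"
  openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/server.ext" \
    -out "$d/server.crt" 2>/dev/null
  # client key, CSR and CA-signed cert: what the user presents to nginx
  openssl genrsa -out "$d/client.key" 2048 2>/dev/null
  openssl req -new -key "$d/client.key" -subj "/CN=$2" \
    -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$d/client.csr" -CA "$d/ca.crt" \
    -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.crt" 2>/dev/null
}

# The check behind "ssl_verify_client on": does the presented certificate
# chain to the CA in ssl_client_certificate?  Echoes SUCCESS or FAILED, the
# values nginx exposes in $ssl_client_verify.
verify_client() {                # $1 = ca.crt, $2 = certificate to check
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo SUCCESS
  else
    echo FAILED
  fi
}

# Certificate serial number, as nginx reports it in $ssl_client_serial.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

if [ "${1:-}" = "demo" ]; then   # ./script demo: two CAs, compare results
  make_pki ./pki-a alice; make_pki ./pki-b bob
  echo "client from our CA:     $(verify_client pki-a/ca.crt pki-a/client.crt)"
  echo "client from another CA: $(verify_client pki-a/ca.crt pki-b/client.crt)"
fi
```

A certificate issued by any other CA, even with the same subject name, fails the check exactly as an absent certificate does.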

In order to run the containers

You need to be inside the /docker directory. Also, make sure to change the /docker/web/confs/nodeapi.conf file to suit your domain.

You’ll need to build the containers first (also, run this every time you make ANY changes inside the /docker directory):

    docker-compose build --pull;

Run the containers

    # Interactively
    docker-compose up;
    # Daemon
    docker-compose up -d;

Stop the containers

    docker-compose down

Test

In order to test the configuration, in your client, you can use curl…

    # Authenticated
    curl -v -s -k --key client.key --cert client.crt https://example.com
    # Not Authenticated
    curl -v -s -k https://example.com

… or import the p12 file into your system/browser and then navigate to your URL.