Add hello-mTLS for nginx

This commit is contained in:
Mariano Cano 2019-02-06 11:53:10 -08:00
parent e70a5dae7d
commit 74114a6234
6 changed files with 83 additions and 0 deletions


@ -53,3 +53,10 @@ languages are appreciated!
- [ ] TLS stack configuration loaded from `step-ca` - [ ] TLS stack configuration loaded from `step-ca`
- [ ] Root certificate rotation - [ ] Root certificate rotation
[nginx/](nginx/)
- [X] Server
- [X] mTLS (client authentication using internal root certificate)
- [X] Automatic certificate renewal
- [X] Restrict to safe ciphersuites and TLS versions
- [ ] TLS stack configuration loaded from `step-ca`
- [ ] Root certificate rotation


@ -0,0 +1,11 @@
FROM nginx:alpine
RUN apk add inotify-tools
RUN mkdir /src
ADD site.conf /etc/nginx/conf.d
ADD certwatch.sh /src
ADD entrypoint.sh /src
# Certificate watcher and nginx
ENTRYPOINT ["/src/entrypoint.sh"]
CMD ["nginx", "-g", "daemon off;"]
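Review bot: `ADD site.conf`, `ADD certwatch.sh` and `ADD entrypoint.sh` copy plain local files, where `COPY` is the explicit instruction and avoids ADD's archive-extraction and URL semantics; `COPY site.conf /etc/nginx/conf.d/` (and likewise for the two scripts) is the conventional form. `RUN apk add inotify-tools` leaves the apk index in the layer and floats the package version; `RUN apk add --no-cache inotify-tools` keeps the image smaller, and pinning `inotify-tools=<version>` together with a tagged `nginx:<version>-alpine` base instead of the floating `nginx:alpine` would make the build reproducible. `RUN mkdir /src` is redundant, since copying into `/src` creates the directory. The image keeps the base's root user; that is the nginx image's default, but it is worth a comment on the `FROM` line that nginx binds 443 as root here and drops privileges only for workers.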


@ -0,0 +1,6 @@
#!/bin/sh
while true; do
inotifywait -e modify /var/run/autocert.step.sm/site.crt
nginx -s reload
done
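Review bot: The loop at `while true; do` never checks why `inotifywait` returned, so if `/var/run/autocert.step.sm/site.crt` is missing or the watch cannot be established, inotifywait exits immediately with an error and the loop spins, running `nginx -s reload` continuously; `inotifywait -e modify /var/run/autocert.step.sm/site.crt || { sleep 5; continue; }` turns that into a bounded retry. Watching only `modify` on a single path also depends on how the renewer writes the file: if it replaces site.crt by writing a temporary file and renaming it, the watch stays attached to the old inode and no event fires, so watching the directory for `close_write,moved_to` would cover both cases; the renewer's write strategy is not visible here and should be confirmed. The reload is keyed on site.crt alone, so if site.key is written after the certificate nginx may briefly load a mismatched pair; a comment stating the expected write order would document the assumption.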


@ -0,0 +1,10 @@
#!/bin/sh
# Wait for renewer
sleep 10
# watch for the update of the cert and reload nginx
/src/certwatch.sh &
# Run docker CMD
exec "$@"
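Review bot: `sleep 10` is a fixed guess at how long the renewer needs to place the certificate, so nginx either starts before `/var/run/autocert.step.sm/site.crt` exists and exits on the missing file, or waits longer than necessary; polling for the files is more robust: `while [ ! -s /var/run/autocert.step.sm/site.crt ] || [ ! -s /var/run/autocert.step.sm/site.key ]; do sleep 1; done`. `/src/certwatch.sh &` is started with no supervision: once `exec "$@"` makes nginx PID 1, a crashed watcher is never restarted and renewed certificates are silently no longer applied, so the watcher's exit should at least be logged, or the watch loop moved to a sidecar or run under an init such as tini that reaps it. The `# Wait for renewer` comment would be more useful if it named what is waited for, e.g. `# Wait for the autocert renewer sidecar to write site.crt/site.key into /var/run/autocert.step.sm`.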


@ -0,0 +1,33 @@
apiVersion: v1
kind: Service
metadata:
labels: {app: hello-mtls}
name: hello-mtls
spec:
type: ClusterIP
ports:
- port: 443
targetPort: 443
selector: {app: hello-mtls}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello-mtls
labels: {app: hello-mtls}
spec:
replicas: 1
selector: {matchLabels: {app: hello-mtls}}
template:
metadata:
annotations:
autocert.step.sm/name: hello-mtls.default.svc.cluster.local
labels: {app: hello-mtls}
spec:
containers:
- name: hello-mtls
image: hello-mtls-server-nginx:latest
imagePullPolicy: Never
resources: {requests: {cpu: 10m, memory: 20Mi}}
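Review bot: The container spec at `- name: hello-mtls` declares neither `ports` nor a readiness probe, so the Service's `targetPort: 443` is matched by convention only and the Pod is reported ready before nginx is listening, which matters here because the entrypoint deliberately delays nginx until the certificate is present. A `tcpSocket` readiness probe on 443 is the right shape, since `ssl_verify_client on` in the nginx config would make an HTTP probe without a client certificate fail. `image: hello-mtls-server-nginx:latest` with `imagePullPolicy: Never` only works with an image already present on the node; a comment saying this is for a local cluster would save the next reader a failed deploy.
```yaml
      - name: hello-mtls
        image: hello-mtls-server-nginx:latest
        imagePullPolicy: Never
        ports:
        - containerPort: 443
        readinessProbe:
          tcpSocket:
            port: 443
          initialDelaySeconds: 5
          periodSeconds: 5
        # … unchanged: resources …
```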


@ -0,0 +1,16 @@
server {
listen 443 ssl;
server_name localhost;
ssl_protocols TLSv1.2;
ssl_certificate /var/run/autocert.step.sm/site.crt;
ssl_certificate_key /var/run/autocert.step.sm/site.key;
ssl_client_certificate /var/run/autocert.step.sm/root.crt;
ssl_verify_client on;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
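Review bot: `ssl_verify_client on` with `ssl_client_certificate /var/run/autocert.step.sm/root.crt` relies on nginx's default `ssl_verify_depth 1`; if the client certificates are issued by an intermediate CA under that root (common for step-ca deployments, though not visible here), the chain is depth 2 and clients would be rejected during verification, so `ssl_verify_depth 2;` should be set explicitly or the intermediate included in the trusted bundle. `ssl_ciphers` lists only ECDHE-ECDSA suites, which is correct only if the key behind site.crt is an EC key; a comment such as `# ECDSA-only suites: assumes autocert issues EC certificates` next to it would record that assumption. `server_name localhost;` does not affect which certificate is served, but it differs from the `hello-mtls.default.svc.cluster.local` name clients will use; a comment noting that this is the single default server would avoid confusion.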