This repo is an example of how to create a Docker environment with nginx serving as a reverse proxy to a Node.js app.
The Nginx server is configured to use SSL/TLS...
...delivering its content over https://
...and to authenticate its clients with client certificates (mutual TLS).
Disclaimer: This is an example repo. Note that the commands below generate the key files WITHOUT passphrases. You should look into using the -des3 option and adding the ssl_password_file directive to the nginx config.
for both the server and an example client
You can run these commands inside the /auth folder. Then, copy the files that nginx needs into docker/web/auth.
```bash
# CA private key and self-signed CA certificate (add -des3 to protect the key with a passphrase)
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Server key and certificate signing request (add -des3 to give the key a passphrase).
# The original used 1024-bit keys; 1024-bit RSA is considered weak, 2048 is the usual minimum.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr

# Sign the server CSR with our CA. -set_serial must be unique per certificate issued by this CA.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Client key and certificate signing request (add -des3 to give the key a passphrase)
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
```
Sign the client certificate with our CA. Unlike the server certificate (which in a real deployment would come from a publicly trusted CA), signing the client certificate with our own CA is exactly what we want: nginx will only accept clients whose certificate chains to ca.crt.
```bash
# Use a serial different from server.crt: two certificates from the same issuer with the same
# serial are invalid, and clients such as Firefox refuse a reused issuer/serial pair.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

# Diffie-Hellman parameters for nginx's ssl_dhparam directive
openssl dhparam -out dhparam.pem 2048

# PKCS#12 bundle (key + certificate) for importing into a browser or keychain;
# openssl prompts for an export password that the importing software will ask for.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
```
You'll need to give these to nginx (place them in docker/web/auth; the Dockerfile will do the rest):
- dhparam.pem
- ca.crt
- server.crt
- server.key
You'll need to give these to your clients:
- ca.crt
- client.key and client.crt
- (or) client.p12
If you want to use curl or some dev library, the certificate and key are enough. If you want to import the certificate into your keychain/Firefox/client software, you'll need the p12 file.
- The commands above generate the keys without passphrases; add -des3 to the genrsa commands if you want them protected by one (nginx will then need the ssl_password_file directive to read them).
After configuring nginx, your client should be able to access the service. Anyone else (or the client without the certificates) should get a "400 - No required SSL certificate was sent" error.
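The nginx side of this setup, as an added example and not the repo's own nodeapi.conf: a server block that requires a client certificate chaining to ca.crt, serves the files from docker/web/auth, and proxies to the Node.js app. The hostnames, ports and paths are assumptions; adjust them to your domain and compose service.

```nginx
# Added example config (not the repo's own file). Paths, hostname and upstream are assumptions.
server {
    listen 443 ssl;
    server_name example.com;                       # change to your domain

    # Server identity (files copied from docker/web/auth)
    ssl_certificate     /etc/nginx/auth/server.crt;
    ssl_certificate_key /etc/nginx/auth/server.key;
    ssl_dhparam         /etc/nginx/auth/dhparam.pem;
    # ssl_password_file /etc/nginx/auth/passphrases;  # only if the keys were generated with -des3

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Client authentication: only certificates signed by our CA are accepted.
    # "on" makes the certificate mandatory; a request without a valid one gets
    # "400 - No required SSL certificate was sent".
    ssl_client_certificate /etc/nginx/auth/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://nodeapp:3000;            # assumed compose service name and port
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Pass the verified client identity to the app. The app must only trust these
        # headers when they come from this proxy, never from a directly reachable port.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
    }
}

# Plain HTTP only redirects to HTTPS; nothing is served without TLS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

With `ssl_verify_client on`, revoking a client means removing its certificate from trust (e.g. `ssl_crl` with a CRL issued by ca.key); reissuing ca.crt alone does not lock out previously issued client certificates until nginx is reloaded with the new file.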
(You need to be inside the /docker directory.)
(Also, make sure to change the /docker/web/confs/nodeapi.conf file to suit your domain.)
You'll need to build the containers first (also, run this every time you make ANY changes inside the /docker directory):
```bash
# Build (re-run after any change inside /docker)
docker-compose build --pull;
# Interactively
docker-compose up;
# Daemon
docker-compose up -d;
# Stop and remove the containers
docker-compose down
```
In order to test the configuration, in your client, you can use curl...
```bash
# Authenticated (presents the client certificate and key)
curl -v -s -k --key client.key --cert client.crt https://example.com
# Not Authenticated (no client certificate: expect "400 - No required SSL certificate was sent")
curl -v -s -k https://example.com
# Note: -k skips verification of the server certificate. Since server.crt is signed by our own CA,
# you can verify it instead with --cacert ca.crt in place of -k.
```
... or import the p12 file into your system/browser and then navigate to your url.