Overview

These notes have been sitting idly in our internal wiki. I'm pasting them here. Our test machine runs on FreeBSD 8.0-CURRENT.

Notes


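#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    # Access logging is commented out in this snippet; with it enabled,
    # rejected client-certificate handshakes and ordinary requests leave a
    # trace that can be reviewed later.
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       443;
        server_name  localhost;

        ssl                  on;
        # Certificate paths are relative to the nginx configuration
        # directory (/usr/local/etc/nginx on this host, matching the
        # "mkdir ssl" step in the cert-generation commands).
        ssl_certificate      ssl/server.crt;
        ssl_certificate_key  ssl/server.key;
        # Mutual TLS: a client must present a certificate that chains to
        # ssl/ca.crt, otherwise the handshake is refused.
        ssl_client_certificate  ssl/ca.crt;
        ssl_verify_client    on;

        ssl_session_timeout  5m;

        # SSLv2 and SSLv3 were removed from the offered protocols; only TLS
        # is negotiated. Newer nginx builds also accept TLSv1.1 and TLSv1.2
        # in this list.
        ssl_protocols  TLSv1;
        # The previous string opted in to LOW, EXPORT and SSLv2-era suites
        # and preferred RC4. Offer only HIGH-strength, authenticated suites.
        ssl_ciphers  HIGH:!aNULL:!MD5:!EXPORT:!LOW;
        ssl_prefer_server_ciphers   on;

        location / {
            root   /usr/local/www;
            # NOTE(review): no PHP handler is configured anywhere in this
            # snippet, so an index.php would be served as a static file
            # under default_type rather than executed.
            index  index.html index.htm index.php;
        }
    }
}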


Commands for generating the certificates referenced above (run as root, inside the nginx configuration directory):

# cd /usr/local/etc/nginx
# mkdir ssl && cd ssl

Create the server private key and a Certificate Signing Request (CSR) for it. (1024-bit RSA was the common default when these notes were written; current guidance is 2048 bits or more.)
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr

Create your own Certificate Authority (CA). Because the server config points ssl_client_certificate at ca.crt with ssl_verify_client on, anyone holding ca.key can issue client certificates the server will trust, so keep ca.key off the web server and protect it like the server key.
# openssl genrsa -des3 -out ca.key 1024
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Sign the CSR with the CA to produce the server certificate
# openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

Remove the passphrase from the private key so that the web server can start without human intervention (the unencrypted key is then protected only by file permissions, which is why the chmod step below matters)
# cp server.key <ENCRYPTED_KEY_BACKUP>
# openssl rsa -in <ENCRYPTED_KEY_BACKUP> -out server.key

Ensure that the private key is readable by its owner (root) only
# chmod 400 server.key

Bundle the certificate, its private key and the CA certificate into PKCS#12 format so that it can be imported into Web browsers. Note that this bundle contains the server's private key, so anyone who receives foobar.p12 can also impersonate the server; for anything beyond a test machine, issue separate client certificates from the CA instead.
# openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt -name "FooBar Certificate" -out foobar.p12

Links