前回の続きっぽい話です。
easyrsaと前回の構成をつかって簡易認証キー付きAPI鯖をつくります
実際のところ
$ cd /etc/openvpn/easy-rsa/ $ sudo su
# mkdir /etc/nginx/easyrsa/keys # cat keys/myservername.crt keys/ca.crt > keys/server_and_ca.crt # cp keys/ca.crt /etc/nginx/easyrsa/keys # cp keys/server_and_ca.crt /etc/nginx/easyrsa/keys # cp keys/myservername.key /etc/nginx/easyrsa/keys
前の記事通り
# ls keys/ 01.pem dh2048.pem index.txt.old myservername.key server_and_ca.crt ca.crt index.txt myservername.crt serial ca.key index.txt.attr myservername.csr serial.old
# nano /etc/nginx/conf.d/ZZZ.conf
# cat /etc/nginx/conf.d/ZZZ.conf
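# TLS endpoint for the API: a request is passed to the uwsgi backend only if the
# client presents a certificate that verifies against the easy-rsa CA.
server {
    # "listen ... ssl" enables TLS on this socket; it replaces the deprecated "ssl on;" directive.
    listen 443 ssl;

    location / {
        # Here we define the name and the contents of the WSGI variable to pass to service.
        # $ssl_client_s_dn is the subject DN of the client certificate nginx verified.
        # NOTE(review): the application can rely on SSL_CLIENT_ID only because nginx sets it;
        # anything else able to connect to 127.0.0.1:5000 could supply its own value,
        # so keep that port reachable from nginx alone.
        uwsgi_param SSL_CLIENT_ID $ssl_client_s_dn;
        include uwsgi_params;
        uwsgi_pass 127.0.0.1:5000;
    }

    # SSL support
    # SSLv3 and TLSv1 are obsolete and have known protocol-level weaknesses, so only
    # TLS 1.2 and 1.3 are offered. Drop TLSv1.3 from the list if this nginx/OpenSSL
    # build does not support it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # File names match what was copied into /etc/nginx/easyrsa/keys:
    # server_and_ca.crt (server certificate followed by the CA) and myservername.key.
    # Relative paths are resolved against the nginx configuration directory
    # (presumably /etc/nginx here -- confirm).
    ssl_certificate easyrsa/keys/server_and_ca.crt;
    # The private key should be readable by root only.
    ssl_certificate_key easyrsa/keys/myservername.key;

    # We don't accept anyone without correct client certificate
    ssl_verify_client on;
    # The CA we use to verify client certificates
    # NOTE(review): a revoked client certificate is still accepted unless a CRL is
    # also configured with ssl_crl.
    ssl_client_certificate easyrsa/keys/ca.crt;
}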
# Plain-HTTP virtual host: this listener has no TLS and no client-certificate check.
server {
listen 80;
server_name XXX YYY;
access_log /var/log/nginx/ZZZ.vs.sakura.ne.jp.access.log;
location / {
# NOTE(review): requests arriving here reach uwsgi without ssl_verify_client and
# without SSL_CLIENT_ID being set. The socket differs from the 127.0.0.1:5000
# backend used by the 443 server, so this is presumably a separate application --
# confirm the certificate-protected API is not also reachable through this host.
include uwsgi_params;
uwsgi_pass unix:/var/run/uwsgi/ZZZ.vs.sakura.ne.jp.sock;
}
}# service uwsgi restart # service nginx restart