495 lines
14 KiB
Nginx Configuration File
495 lines
14 KiB
Nginx Configuration File
|
|
worker_processes 1;
|
|
|
|
events {
|
|
}
|
|
|
|
|
|
http {
|
|
include mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
sendfile on;
|
|
|
|
keepalive_timeout 65;
|
|
|
|
ssl_session_tickets off;
|
|
|
|
|
|
# HTTPS server
|
|
|
|
# Using DH parameters
|
|
server {
|
|
listen 11443 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Verify client
|
|
server {
|
|
listen 11444 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_client_certificate client-cert.pem;
|
|
ssl_verify_client on;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# P384 curve with ECDHE
|
|
server {
|
|
listen 11445 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_ecdh_curve secp384r1;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Default curve with ECDHE and ECDSA
|
|
server {
|
|
listen 11446 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert-ecc.pem;
|
|
ssl_certificate_key cert-ecc.key;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
|
|
# Session ticket
|
|
server {
|
|
listen 11450 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
ssl_session_ticket_key ticket_keys;
|
|
ssl_session_tickets on;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
|
|
# Session cache off
|
|
server {
|
|
listen 11455 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache off;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Session cache none
|
|
server {
|
|
listen 11456 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache none;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Session cache builtin
|
|
server {
|
|
listen 11457 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache builtin:100;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
|
|
# Proxy to wolfSSL server
|
|
upstream backend {
|
|
server 127.0.0.1:12443;
|
|
}
|
|
server {
|
|
listen 127.0.0.1:12443 ssl;
|
|
server_name www.wolfssl.com;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root wolfssl;
|
|
index index.html;
|
|
}
|
|
}
|
|
upstream backend_ecdhe_rsa {
|
|
server 127.0.0.1:12444;
|
|
}
|
|
server {
|
|
listen 127.0.0.1:12444 ssl;
|
|
server_name www.wolfssl.com;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root wolfssl;
|
|
index index.html;
|
|
}
|
|
}
|
|
upstream backend_ecdhe_ecdsa {
|
|
server 127.0.0.1:12445;
|
|
}
|
|
server {
|
|
listen 127.0.0.1:12445 ssl;
|
|
server_name www.wolfssl.com;
|
|
|
|
ssl_certificate cert-ecc.pem;
|
|
ssl_certificate_key cert-ecc.key;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root wolfssl;
|
|
index index.html;
|
|
}
|
|
}
|
|
upstream backend_crl_rev {
|
|
server 127.0.0.1:12446;
|
|
}
|
|
server {
|
|
listen 127.0.0.1:12446 ssl;
|
|
server_name www.wolfssl.com;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root wolfssl;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Proxy using DHE cipher suites and CRL
|
|
server {
|
|
listen 11460 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
proxy_pass https://backend;
|
|
proxy_ssl_name www.wolfssl.com;
|
|
proxy_ssl_server_name on;
|
|
proxy_ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
proxy_ssl_trusted_certificate ca-cert.pem;
|
|
proxy_ssl_certificate client-cert.pem;
|
|
proxy_ssl_certificate_key client-key.pem;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_crl crl.pem;
|
|
}
|
|
}
|
|
# Proxy using ECDHE cipher suites and CRL
|
|
server {
|
|
listen 11461 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
proxy_pass https://backend_ecdhe_rsa;
|
|
proxy_ssl_name www.wolfssl.com;
|
|
proxy_ssl_server_name on;
|
|
proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
|
|
proxy_ssl_trusted_certificate ca-cert.pem;
|
|
proxy_ssl_certificate client-cert.pem;
|
|
proxy_ssl_certificate_key client-key.pem;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_crl crl.pem;
|
|
}
|
|
}
|
|
# Proxy using ECDHE and ECDSA cipher suites
|
|
server {
|
|
listen 11462 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
proxy_pass https://backend_ecdhe_ecdsa;
|
|
proxy_ssl_name www.wolfssl.com;
|
|
proxy_ssl_server_name on;
|
|
proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
|
|
proxy_ssl_trusted_certificate ca-cert-ecc.pem;
|
|
proxy_ssl_certificate client-cert.pem;
|
|
proxy_ssl_certificate_key client-key.pem;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_session_reuse on;
|
|
}
|
|
}
|
|
# Proxy using revoked CRL
|
|
server {
|
|
listen 11465 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate cert.pem;
|
|
ssl_certificate_key cert.key;
|
|
ssl_dhparam dhparams.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
proxy_pass https://backend_crl_rev;
|
|
proxy_ssl_name www.wolfssl.com;
|
|
proxy_ssl_server_name on;
|
|
proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
|
|
proxy_ssl_trusted_certificate ca-cert.pem;
|
|
proxy_ssl_certificate client-cert.pem;
|
|
proxy_ssl_certificate_key client-key.pem;
|
|
proxy_ssl_verify on;
|
|
proxy_ssl_crl crl-revoked.pem;
|
|
proxy_ssl_session_reuse on;
|
|
}
|
|
}
|
|
|
|
# OCSP Stapling
|
|
# Valid server certificate - using OCSP responder
|
|
server {
|
|
listen 11470 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate ocsp-good-cert.pem;
|
|
ssl_certificate_key ocsp-good-key.pem;
|
|
ssl_stapling on;
|
|
ssl_stapling_responder http://localhost:22221;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate ocsp-root-resp-cert.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Revoked server certificate - using OCSP responder
|
|
server {
|
|
listen 11471 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate ocsp-bad-cert.pem;
|
|
ssl_certificate_key ocsp-bad-key.pem;
|
|
ssl_stapling on;
|
|
ssl_stapling_responder http://localhost:22221;
|
|
ssl_trusted_certificate ocsp-root-resp-cert.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Valid server certificate in fixed OCSP response
|
|
server {
|
|
listen 11472 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate ocsp-good-cert.pem;
|
|
ssl_certificate_key ocsp-good-key.pem;
|
|
ssl_stapling on;
|
|
ssl_stapling_file ocsp-good-status.der;
|
|
ssl_trusted_certificate ocsp-root-resp-cert.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# Revoked server certificate in fixed OCSP response
|
|
server {
|
|
listen 11473 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate ocsp-bad-cert.pem;
|
|
ssl_certificate_key ocsp-bad-key.pem;
|
|
ssl_stapling on;
|
|
ssl_stapling_file ocsp-bad-status.der;
|
|
ssl_trusted_certificate ocsp-root-resp-cert.pem;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
# No CA to check responder certificate - using OCSP responder
|
|
server {
|
|
listen 11474 ssl;
|
|
server_name localhost;
|
|
|
|
ssl_certificate ocsp-good-cert.pem;
|
|
ssl_certificate_key ocsp-good-key.pem;
|
|
ssl_stapling on;
|
|
ssl_stapling_responder http://localhost:22221;
|
|
ssl_stapling_verify on;
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
ssl_session_timeout 5m;
|
|
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
location / {
|
|
root html;
|
|
index index.html;
|
|
}
|
|
}
|
|
}
|