Initialize reverse proxy and TLS workshop lab setup
@@ -0,0 +1,125 @@
# Easy-RSA Hint Card (optional)

Teams can use these hints if they get stuck on the HTTPS challenge.

## 1) Install Easy-RSA (WSL/Linux)

Fedora:

```bash
sudo dnf install -y easy-rsa openssl
```

Ubuntu/WSL:

```bash
sudo apt update
sudo apt install -y easy-rsa openssl
```

## 2) Prepare the PKI

```bash
mkdir -p certs/easyrsa
cp -r /usr/share/easy-rsa/* certs/easyrsa/
cd certs/easyrsa
./easyrsa init-pki
```

## 3) Create the CA

```bash
./easyrsa build-ca nopass
```

## 4) Server certificate for localhost

```bash
./easyrsa gen-req localhost nopass
./easyrsa sign-req server localhost
```

## 5) Provide the files to Nginx

Typical files:

- `pki/issued/localhost.crt`
- `pki/private/localhost.key`
- `pki/ca.crt`

Then enable TLS in `proxy/nginx.conf` and map port `443` in `docker-compose.yml`.

### Minimal Compose example

```yaml
services:
  reverse-proxy:
    ports:
      - "8080:80"
      - "8443:443"
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf:ro,z
      - ./proxy/html:/usr/share/nginx/html:ro,z
      - ./certs/easyrsa/pki:/etc/nginx/pki:ro,z
```

### Minimal Nginx example

```nginx
server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/pki/issued/localhost.crt;
    ssl_certificate_key /etc/nginx/pki/private/localhost.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /service/a {
        proxy_pass http://backend_a/;
    }
}
```

## 6) Import the root CA (trust store)

Fedora:

```bash
sudo cp pki/ca.crt /etc/pki/ca-trust/source/anchors/htl-workshop-root-ca.crt
sudo update-ca-trust
```

Ubuntu/Debian:

```bash
sudo cp pki/ca.crt /usr/local/share/ca-certificates/htl-workshop-root-ca.crt
sudo update-ca-certificates
```

Windows (PowerShell as admin, optional):

```powershell
certutil -addstore -f Root C:\path\to\ca.crt
```

## 7) Test without -k

After the import, HTTPS should work without the insecure flag:

```bash
curl https://localhost:8443/service/a
```

If the CA is not imported globally:

```bash
curl --cacert pki/ca.crt https://localhost:8443/service/a
```

## 8) Typical error patterns

- `curl: (60) SSL certificate problem` -> root CA not imported, or the wrong CA.
- Browser was open during the CA import -> restart the browser.
- `permission denied` on the Nginx config mount (Fedora/SELinux) -> mount the volumes with `:z`.
- Certificate without `localhost` -> SAN/CN does not match the hostname.
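Review bot: the Compose example mounts the whole `./certs/easyrsa/pki` directory into the proxy container, which also exposes `private/ca.key` (unencrypted, since the CA is built with `nopass`) to nginx; the server only needs `issued/localhost.crt` and `private/localhost.key`, so mount those two files (or copy them into a separate directory) and keep the CA key out of the container. Two smaller points in the same file: step 4 issues a certificate whose subject is only CN=localhost, yet step 8 lists a SAN/CN mismatch as a typical failure, so the card should show how to set the SAN (Easy-RSA 3 accepts `--subject-alt-name="DNS:localhost"` on `gen-req`/`sign-req`), because browsers no longer fall back to the CN; and the HSTS header with `max-age=31536000; includeSubDomains` is remembered by the browser for `localhost`, which will break the plain `http://localhost:8080` mapping in the same Compose file until the entry is cleared, so a short `max-age` or a note on clearing it would be safer for a lab.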