cert stuff :(
parent
e84b98ed04
commit
44879f10e7
@ -1,2 +1,12 @@
|
|||
|
||||
reader/ngrok\.exe
|
||||
|
||||
alexa\.jopa\.dev\.csr
|
||||
|
||||
alexa\.jopa\.dev\.key
|
||||
|
||||
certificate\.pem
|
||||
|
||||
privkey\.pem
|
||||
|
||||
reader/cert/certificate\.crt
|
||||
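Review bot: Ignoring `privkey.pem` and `alexa.jopa.dev.key` in git does not keep them out of the image: the Dockerfile in this commit does `COPY ./ /app`, and Docker consults `.dockerignore`, not `.gitignore`, so any key present in the build context is baked into an image layer. Add a `.dockerignore` carrying the same `*.key`, `*.pem` and `*.csr` patterns. If any of these files was committed before this ignore rule (the two "Binary file not shown." entries in this commit are consistent with that but do not prove it), ignoring it now does not remove it from history, and the key should be treated as exposed and regenerated.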
|
|
|
|||
|
|
@ -1,14 +1,13 @@
|
|||
FROM tiangolo/uwsgi-nginx-flask:python3.5
|
||||
ENV FQDN *.example.com
|
||||
|
||||
RUN python -m pip install pip==9.0.3
|
||||
RUN apt-get update
|
||||
RUN apt-get install -y gcc libevent-dev python-dev
|
||||
|
||||
COPY ./requirements.txt /
|
||||
COPY ./ /app
|
||||
COPY ./gen_cert.sh /gen_cert.sh
|
||||
|
||||
COPY ./nginx.conf /etc/nginx/nginx.conf
|
||||
#COPY /app/certificate.pem /etc/nginx/certs
|
||||
RUN pip install -r /requirements.txt
|
||||
CMD sh /gen_cert.sh && cp /server.crt /etc/nginx/certs:/etc/nginx/certs && /start.sh
|
||||
|
||||
|
||||
|
||||
|
||||
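Review bot: The `cp /server.crt /etc/nginx/certs:/etc/nginx/certs` in the new CMD cannot succeed: gen_cert.sh as rewritten in this commit (a single `openssl req` line) writes `certificate.pem` and `privkey.pem` relative to the working directory, so `/server.crt` no longer exists, and the colon-joined destination looks like a bind-mount spec pasted into cp. Because the commands are chained with `&&`, a failing cp means `/start.sh` never runs. nginx.conf in this commit reads `/app/cert/certificate.pem` and `/app/cert/privkey.pem`, so the consistent form is to have gen_cert.sh write there and drop the copy, e.g. `CMD sh /gen_cert.sh && /start.sh`. Generating the key at container start also means a fresh, untrusted certificate on every restart; if that is intended only for development, a comment on the CMD line saying so would help the next reader.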
Binary file not shown.
Binary file not shown.
|
|
@ -1,48 +1 @@
|
|||
#!/bin/bash
|
||||
|
||||
# set values for certificate DNs
|
||||
# note: CN is set to different values in the sections below
|
||||
ORG="000_Test_Certificates"
|
||||
|
||||
# set values that the commands will share
|
||||
VALID_DAYS=360
|
||||
CA_KEY=ca.key
|
||||
CA_CERT=ca.crt
|
||||
CLIENT_KEY=client.key
|
||||
CLIENT_CERT=client.crt
|
||||
CLIENT_CSR=client.csr
|
||||
CLIENT_P12=client.p12
|
||||
SERVER_KEY=server.key
|
||||
SERVER_CERT=server.crt
|
||||
SERVER_CSR=server.csr
|
||||
KEY_BITS=2048
|
||||
|
||||
echo
|
||||
echo "Create CA certificate..."
|
||||
CN="Test CA"
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$KEY_BITS -out $CA_KEY
|
||||
openssl req -new -x509 -days $VALID_DAYS -key $CA_KEY -subj "/CN=$CN/O=$ORG" -out $CA_CERT
|
||||
echo "Done."
|
||||
|
||||
echo
|
||||
echo "Creating Server certificate..."
|
||||
CN="localhost"
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$KEY_BITS -out $SERVER_KEY
|
||||
openssl req -new -key $SERVER_KEY -subj "/CN=$CN/O=$ORG" -out $SERVER_CSR
|
||||
openssl x509 -days $VALID_DAYS -req -in $SERVER_CSR -CAcreateserial -CA $CA_CERT -CAkey $CA_KEY -out $SERVER_CERT
|
||||
echo "Done."
|
||||
|
||||
echo
|
||||
echo "Creating Client certificate..."
|
||||
CN="Test User 1"
|
||||
USER_ID="testuser1"
|
||||
P12_PASSWORD=
|
||||
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:$KEY_BITS -out $CLIENT_KEY
|
||||
openssl req -new -key $CLIENT_KEY -subj "/CN=$CN/O=$ORG/UID=$USER_ID" -out $CLIENT_CSR
|
||||
openssl x509 -days $VALID_DAYS -req -in $CLIENT_CSR -CAcreateserial -CA $CA_CERT -CAkey $CA_KEY -out $CLIENT_CERT
|
||||
openssl pkcs12 -in $CLIENT_CERT -inkey $CLIENT_KEY -export -password pass:$P12_PASSWORD -out $CLIENT_P12
|
||||
echo "Done."
|
||||
|
||||
echo
|
||||
echo "----- Don't forget to open your browser and install your $CA_CERT and $CLIENT_P12 certificates -----"
|
||||
echo
|
||||
openssl req -newkey rsa:2048 -nodes -keyout privkey.pem -x509 -days 365 -out certificate.pem -subj "/C=US/ST=NRW/L=Earth/O=CompanyName/OU=IT/CN=alexa.jopa.dev"
|
||||
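Review bot: The new `openssl req` line issues a certificate with only a CN and no subjectAltName; current clients (and, as far as I recall, the Alexa endpoint requirements for self-signed certificates) match the host against SAN rather than CN, so `alexa.jopa.dev` is likely to fail hostname verification. Add `-addext "subjectAltName=DNS:alexa.jopa.dev"` (OpenSSL 1.1.1+; older releases need an `[alt_names]` section in a config file instead). The private key is written unencrypted (`-nodes`) into the working directory with default permissions; prefix the command with `umask 077` and give `-keyout`/`-out` absolute paths matching where nginx.conf expects the files.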
|
|
@ -1,4 +1,5 @@
|
|||
import logging
|
||||
from OpenSSL import SSL
|
||||
import os
|
||||
from flask import Flask
|
||||
from flask_ask import Ask, request, session, question, statement
|
||||
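Review bot: `from OpenSSL import SSL` (which I read as the one line this hunk adds) pulls in pyOpenSSL, but the requirements.txt change in this commit adds only `lxml`, so a fresh build fails at import time unless the base image already ships pyOpenSSL. Either add `pyOpenSSL` to requirements.txt or drop the import; the main block in this commit creates an `SSL.Context` and immediately replaces it with a `(cert, key)` tuple, so nothing actually uses the module.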
|
|
@ -150,4 +151,11 @@ if __name__ == '__main__':
|
|||
verify = str(os.environ.get('ASK_VERIFY_REQUESTS', '')).lower()
|
||||
if verify == 'false':
|
||||
app.config['ASK_VERIFY_REQUESTS'] = False
|
||||
app.run()
|
||||
|
||||
|
||||
context = SSL.Context(SSL.TLSv1_2_METHOD)
|
||||
cer = os.path.join(os.path.dirname(__file__), 'certificate.pem')
|
||||
key = os.path.join(os.path.dirname(__file__), 'privkey.pem')
|
||||
context = (cer, key)
|
||||
|
||||
app.run(host='127.0.0.1',port=443,ssl_context=context)
|
||||
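Review bot: `context = SSL.Context(SSL.TLSv1_2_METHOD)` is dead code: three lines later `context = (cer, key)` rebinds the name, so the TLS 1.2 pinning is discarded and Werkzeug builds its own context from the tuple with whatever protocol defaults that version has. Either delete the `SSL.Context` line (and the matching import) or keep the Context, call `context.use_certificate_file(cer)` and `context.use_privatekey_file(key)`, and pass that object — if the Werkzeug version in use still accepts a pyOpenSSL context. Note also that this block only runs when the module is executed directly; if `/start.sh` launches the app via uwsgi, as the base image normally does, Flask's built-in server on port 443 is never started, and the cert paths here (`os.path.dirname(__file__)`) differ from the `/app/cert/` paths nginx.conf uses. The `if __name__ == '__main__':` block starts before this hunk.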
|
|
|
|||
|
|
@ -0,0 +1,61 @@
|
|||
|
||||
user nginx;
|
||||
worker_processes 1;
|
||||
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
}
|
||||
|
||||
|
||||
http {
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
||||
access_log /var/log/nginx/access.log main;
|
||||
|
||||
sendfile on;
|
||||
#tcp_nopush on;
|
||||
|
||||
keepalive_timeout 65;
|
||||
|
||||
#gzip on;
|
||||
|
||||
server {
|
||||
# enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.
|
||||
ssl_protocols SSLv3 TLSv1;
|
||||
|
||||
# disables all weak ciphers
|
||||
ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
|
||||
|
||||
server_name alexa.jopa.dev jopa.dev;
|
||||
|
||||
## Access and error logs.
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/error.log info;
|
||||
|
||||
## Keep alive timeout set to a greater value for SSL/TLS.
|
||||
keepalive_timeout 75 75;
|
||||
|
||||
## See the keepalive_timeout directive in nginx.conf.
|
||||
## Server certificate and key.
|
||||
ssl on;
|
||||
ssl_certificate /app/cert/certificate.pem;
|
||||
ssl_certificate_key /app/cert/privkey.pem;
|
||||
ssl_session_timeout 5m;
|
||||
|
||||
## Strict Transport Security header for enhanced security. See
|
||||
## http://www.chromium.org/sts. I've set it to 2 hours; set it to
|
||||
## whichever age you want.
|
||||
add_header Strict-Transport-Security "max-age=7200";
|
||||
|
||||
}
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
}
|
||||
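Review bot: `ssl_protocols SSLv3 TLSv1;` enables SSLv3, which is broken (POODLE) and which the comment above it wrongly calls acceptable, and TLS 1.0 is deprecated; the `ssl_ciphers` string additionally re-enables RC4 via `RC4+RSA`. The `server` block also has no `listen` directive, so together with the deprecated `ssl on;` nginx would attempt TLS on its default port 80; it needs `listen 443 ssl;` and `ssl on;` removed. The rewritten lines below use nginx's default cipher policy and TLS 1.2+; drop `TLSv1.3` if the image's nginx/OpenSSL predate it. The certificate paths `/app/cert/*.pem` also do not match where the Dockerfile's CMD copies certificates (`/etc/nginx/certs`) — one of the two should change.
```nginx
server {
    listen 443 ssl;

    # TLS 1.2+ only; drop TLSv1.3 if the image's nginx/OpenSSL predate it
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # … unchanged: server_name, logs, keepalive, certificate paths, HSTS header …
    # (the `ssl on;` line is removed)
```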
|
|
@ -1,2 +1,3 @@
|
|||
requests
|
||||
flask-ask
|
||||
lxml
|
||||
|