
Commits

Dariusz Suchojad  committed 4cde4b7

Added material for a blog post on a minimal lighttpd SSL/TLS reverse proxy.

  • Parent commits 435a84f
  • Branches default


Files changed (6)

File lighttpd-ssl-tls-reverse-proxy/ca-chain.pem

+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1048595 (0x100013)
+        Signature Algorithm: md5WithRSAEncryption
+        Issuer: O=My Company, OU=My Unit, L=My Town, ST=My State, C=US, CN=SAMPLE Root CA
+        Validity
+            Not Before: Sep 14 19:19:53 2010 GMT
+            Not After : Sep 11 19:19:53 2020 GMT
+        Subject: C=US, ST=My State, O=My Company, OU=My Unit, CN=SAMPLE Signing CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:ce:79:81:1f:b5:38:62:a9:9a:8b:80:26:ec:66:
+                    f2:86:13:32:53:12:16:c7:d5:38:c0:e4:ee:1d:11:
+                    bd:fc:8c:5b:f5:59:b5:a4:18:77:04:54:4c:57:8c:
+                    85:0a:9e:02:b2:f6:f4:d5:d5:a6:cc:eb:91:d7:17:
+                    ec:75:86:30:c9:60:79:40:69:13:7e:65:d5:e5:f8:
+                    89:7e:de:9b:c9:c1:19:74:ae:d9:d7:e1:86:c0:1e:
+                    2e:be:44:73:45:d9:3c:06:1a:4a:4d:f1:86:79:f8:
+                    68:e6:24:d0:7a:5d:92:8e:76:62:63:9a:bd:b7:43:
+                    52:a9:be:ad:3b:43:92:99:43:18:80:09:e9:9e:65:
+                    d4:02:1d:97:c4:e4:6a:d9:9f:23:3d:66:2a:64:0c:
+                    ad:41:48:ca:16:bf:82:34:32:ec:c2:09:5a:dd:0c:
+                    a7:cc:99:a0:a5:5f:6a:e4:42:01:13:a9:e4:f7:ad:
+                    e7:f0:78:51:9f:f0:7e:21:94:ff:0b:12:ce:19:a3:
+                    51:a6:a3:53:3c:65:3f:26:3e:31:b4:f3:98:82:4e:
+                    81:a3:14:aa:a4:63:6a:7e:6c:50:dd:86:74:cb:33:
+                    f5:67:c7:29:24:d5:e9:86:9d:82:55:e3:d2:c2:4e:
+                    85:3f:0d:03:fc:5a:15:29:cf:94:d8:e6:59:8c:d4:
+                    13:25
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:TRUE
+            X509v3 Subject Key Identifier: 
+                FE:24:B7:46:DF:51:66:99:27:F6:68:02:F8:F2:9C:21:13:5E:5D:C1
+            X509v3 Authority Key Identifier: 
+                keyid:97:8E:63:A5:80:72:20:FD:7D:F6:19:FE:9B:C8:9C:EB:E8:C1:36:40
+
+    Signature Algorithm: md5WithRSAEncryption
+        3b:ea:41:d7:02:49:79:41:fb:35:07:85:ae:ae:40:86:63:08:
+        82:52:4b:03:32:42:21:b9:f9:24:f9:ef:14:9c:e2:0f:99:42:
+        36:a3:cf:41:79:e7:0b:90:27:4b:85:d7:57:a0:6e:de:05:8c:
+        6e:27:f5:33:fe:d6:c5:fc:8a:39:2d:b3:4e:41:15:a3:71:1f:
+        a2:75:4f:c7:aa:30:f4:1d:18:4b:44:a3:39:11:d2:05:c7:80:
+        cd:76:59:79:67:25:25:e0:f2:5e:5d:14:3a:ec:71:eb:c8:d3:
+        12:20:8f:f7:99:96:28:c7:40:7d:0f:66:bb:1f:58:c1:df:7d:
+        d3:31:cb:1e:f5:bc:67:23:f6:74:b7:9c:d9:7f:d9:9a:d2:fe:
+        71:05:8b:ba:05:51:a5:bc:e3:e8:db:b2:31:72:89:32:80:ff:
+        61:09:37:7b:57:c8:c6:6a:06:e2:9a:7c:73:22:43:d2:9a:d8:
+        9e:4b:3c:1c:50:38:40:84:da:b6:0a:a5:93:8c:21:1e:b7:4b:
+        6b:f7:88:34:c4:16:d5:72:ed:dd:01:5b:b7:a5:9c:a5:46:0c:
+        e9:cd:36:04:30:4f:ab:4b:96:a7:0c:71:8e:89:3c:3e:37:6f:
+        d4:1f:8f:9b:01:16:ca:4e:16:17:93:a4:60:6f:c6:a2:55:a1:
+        f0:4e:1c:e2
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIDEAATMA0GCSqGSIb3DQEBBAUAMHIxEzARBgNVBAoTCk15
+IENvbXBhbnkxEDAOBgNVBAsTB015IFVuaXQxEDAOBgNVBAcTB015IFRvd24xETAP
+BgNVBAgTCE15IFN0YXRlMQswCQYDVQQGEwJVUzEXMBUGA1UEAxMOU0FNUExFIFJv
+b3QgQ0EwHhcNMTAwOTE0MTkxOTUzWhcNMjAwOTExMTkxOTUzWjBjMQswCQYDVQQG
+EwJVUzERMA8GA1UECBMITXkgU3RhdGUxEzARBgNVBAoTCk15IENvbXBhbnkxEDAO
+BgNVBAsTB015IFVuaXQxGjAYBgNVBAMTEVNBTVBMRSBTaWduaW5nIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAznmBH7U4Yqmai4Am7GbyhhMyUxIW
+x9U4wOTuHRG9/Ixb9Vm1pBh3BFRMV4yFCp4Csvb01dWmzOuR1xfsdYYwyWB5QGkT
+fmXV5fiJft6bycEZdK7Z1+GGwB4uvkRzRdk8BhpKTfGGefho5iTQel2SjnZiY5q9
+t0NSqb6tO0OSmUMYgAnpnmXUAh2XxORq2Z8jPWYqZAytQUjKFr+CNDLswgla3Qyn
+zJmgpV9q5EIBE6nk963n8HhRn/B+IZT/CxLOGaNRpqNTPGU/Jj4xtPOYgk6BoxSq
+pGNqfmxQ3YZ0yzP1Z8cpJNXphp2CVePSwk6FPw0D/FoVKc+U2OZZjNQTJQIDAQAB
+o1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBT+JLdG31FmmSf2aAL48pwhE15d
+wTAfBgNVHSMEGDAWgBSXjmOlgHIg/X32Gf6byJzr6ME2QDANBgkqhkiG9w0BAQQF
+AAOCAQEAO+pB1wJJeUH7NQeFrq5AhmMIglJLAzJCIbn5JPnvFJziD5lCNqPPQXnn
+C5AnS4XXV6Bu3gWMbif1M/7WxfyKOS2zTkEVo3EfonVPx6ow9B0YS0SjORHSBceA
+zXZZeWclJeDyXl0UOuxx68jTEiCP95mWKMdAfQ9mux9Ywd990zHLHvW8ZyP2dLec
+2X/ZmtL+cQWLugVRpbzj6NuyMXKJMoD/YQk3e1fIxmoG4pp8cyJD0prYnks8HFA4
+QITatgqlk4whHrdLa/eINMQW1XLt3QFbt6WcpUYM6c02BDBPq0uWpwxxjok8Pjdv
+1B+PmwEWyk4WF5OkYG/GolWh8E4c4g==
+-----END CERTIFICATE-----
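Review bot: the decoded intermediate ("SAMPLE Signing CA", issued by "SAMPLE Root CA") is signed with md5WithRSAEncryption, which is a collision-broken signature algorithm; for a sample CA used in a blog post this is harmless, but readers who copy the generation steps should produce SHA-256 signatures instead, and the note should say so next to the file. Two smaller points: the human-readable `Certificate:` dump is interleaved between the PEM blocks, which OpenSSL-based readers tolerate but which doubles the file size for no benefit, and `ssl.verifyclient.depth = "3"` only helps if every issuer up to the trust anchor is in this file, so it is worth stating in the post which certificates ca-chain.pem is expected to contain.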

File lighttpd-ssl-tls-reverse-proxy/config-variables.conf

+var.my-host = "localhost"
+var.my-ssl-client-validation-port = "27443"
+var.my-plain-http-port = "18080"
+var.my-backend-host = "localhost"
+var.my-backend-plain-http-port = "28080"
+var.my-dummy-document-root="./"
+var.my-username="dsuch"
+var.my-groupname="dsuch"
+var.my-ssl-server-certificate-key = "server-pair.pem"
+var.my-ca-certificate = "./ca-chain.pem"
+var.my-verifyclient-depth = "3"
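Review bot: `my-ssl-server-certificate-key` and `my-ca-certificate` are relative paths (one with `./`, one without), and `my-dummy-document-root` is `./`, so all three resolve against whatever directory lighttpd happens to be started from; consider absolute paths, or document that the config must be started from the repository directory. Also, `my-verifyclient-depth = "3"` and the port variables are strings, but `ssl.verifyclient.depth` and `server.port` are integer options in lighttpd; confirm the lighttpd version you target accepts a numeric string there, and otherwise write the values unquoted (`var.my-verifyclient-depth = 3`). Finally, the spacing around `=` is inconsistent between lines (`var.my-dummy-document-root="./"` vs. `var.my-host = "localhost"`).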

File lighttpd-ssl-tls-reverse-proxy/config.conf

+
+# Include necessary modules.
+server.modules = ("mod_proxy", "mod_setenv")
+
+# Include config variables.
+include "./config-variables.conf"
+
+server.document-root = my-dummy-document-root
+server.username = my-username
+server.groupname = my-groupname
+
+# IP address or hostname to listen on.
+server.bind = my-host
+server.port = my-plain-http-port
+
+$SERVER["socket"] == my-host + ":" + my-ssl-client-validation-port {
+
+    ssl.engine = "enable"
+    ssl.use-sslv2 = "disable"
+    ssl.verifyclient.exportcert = "enable"
+    ssl.verifyclient.username = "enable"
+
+    proxy.server = ("" => (("host"=>my-backend-host, 
+                            "port"=>my-backend-plain-http-port)))
+
+    # Server certificate.
+    ssl.pemfile = my-ssl-server-certificate-key
+
+    # Verify client's certificate.
+    ssl.verifyclient.activate = "enable"
+    ssl.verifyclient.enforce = "enable"
+    ssl.verifyclient.depth = my-verifyclient-depth
+    ssl.ca-file = my-ca-certificate
+}
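Review bot: the plain-HTTP listener on `my-plain-http-port` has no `proxy.server` of its own, so it falls through to static serving from `server.document-root = my-dummy-document-root`, which is `./`, the same directory that holds `server-pair.pem` (certificate plus private key) and `ca-chain.pem`; lighttpd loads its static-file module by default, so the key file becomes downloadable from that port to anything that can reach `my-host`. Point `server.document-root` at an empty directory, or store the PEM files outside it. Separately, `ssl.use-sslv2 = "disable"` is good, but SSLv3 is left enabled; adding `ssl.use-sslv3 = "disable"` (supported by lighttpd 1.4 builds that offer the option) keeps the client-certificate handshake on TLS only. `mod_setenv` is loaded but nothing in the block uses it, so either drop it from `server.modules` or show the `setenv` rules the post intends.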

File lighttpd-ssl-tls-reverse-proxy/lighttpd.graphml

+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<graphml xmlns="http://graphml.graphdrawing.org/xmlns" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:y="http://www.yworks.com/xml/graphml" xmlns:yed="http://www.yworks.com/xml/yed/3" xsi:schemaLocation="http://graphml.graphdrawing.org/xmlns http://www.yworks.com/xml/schema/graphml/1.1/ygraphml.xsd">
+  <!--Created by yFiles for Java 2.8-->
+  <key for="graphml" id="d0" yfiles.type="resources"/>
+  <key for="port" id="d1" yfiles.type="portgraphics"/>
+  <key for="port" id="d2" yfiles.type="portgeometry"/>
+  <key for="port" id="d3" yfiles.type="portuserdata"/>
+  <key attr.name="url" attr.type="string" for="node" id="d4"/>
+  <key attr.name="description" attr.type="string" for="node" id="d5"/>
+  <key for="node" id="d6" yfiles.type="nodegraphics"/>
+  <key attr.name="Description" attr.type="string" for="graph" id="d7">
+    <default/>
+  </key>
+  <key attr.name="url" attr.type="string" for="edge" id="d8"/>
+  <key attr.name="description" attr.type="string" for="edge" id="d9"/>
+  <key for="edge" id="d10" yfiles.type="edgegraphics"/>
+  <graph edgedefault="directed" id="G">
+    <node id="n0">
+      <data key="d5"/>
+      <data key="d6">
+        <y:GenericNode configuration="BevelNodeWithShadow">
+          <y:Geometry height="53.0" width="166.0" x="127.0" y="243.5"/>
+          <y:Fill color="#99CCFF" transparent="false"/>
+          <y:BorderStyle hasColor="false" type="line" width="1.0"/>
+          <y:NodeLabel alignment="center" autoSizePolicy="content" fontFamily="Dialog" fontSize="12" fontStyle="plain" hasBackgroundColor="false" hasLineColor="false" height="17.96875" modelName="internal" modelPosition="c" textColor="#000000" visible="true" width="115.0" x="25.5" y="17.515625">Client applications</y:NodeLabel>
+        </y:GenericNode>
+      </data>
+    </node>
+    <node id="n1">
+      <data key="d5"/>
+      <data key="d6">
+        <y:GenericNode configuration="BevelNodeWithShadow">
+          <y:Geometry height="72.0" width="184.0" x="358.0" y="234.0"/>
+          <y:Fill color="#99CCFF" transparent="false"/>
+          <y:BorderStyle hasColor="false" type="line" width="1.0"/>
+          <y:NodeLabel alignment="center" autoSizePolicy="content" fontFamily="Dialog" fontSize="12" fontStyle="plain" hasBackgroundColor="false" hasLineColor="false" height="45.90625" modelName="internal" modelPosition="c" textColor="#000000" visible="true" width="158.962890625" x="12.5185546875" y="13.046875">lighttpd SSL/TLS proxy
+localhost:17443 (proxy)
+localhost:18080 (dummy)</y:NodeLabel>
+        </y:GenericNode>
+      </data>
+    </node>
+    <node id="n2">
+      <data key="d5"/>
+      <data key="d6">
+        <y:GenericNode configuration="BevelNodeWithShadow">
+          <y:Geometry height="53.0" width="166.0" x="607.0" y="243.5"/>
+          <y:Fill color="#99CCFF" transparent="false"/>
+          <y:BorderStyle hasColor="false" type="line" width="1.0"/>
+          <y:NodeLabel alignment="center" autoSizePolicy="content" fontFamily="Dialog" fontSize="12" fontStyle="plain" hasBackgroundColor="false" hasLineColor="false" height="31.9375" modelName="internal" modelPosition="c" textColor="#000000" visible="true" width="100.08203125" x="32.958984375" y="10.53125">Backend server
+localhost:28080</y:NodeLabel>
+        </y:GenericNode>
+      </data>
+    </node>
+    <edge id="e0" source="n0" target="n1">
+      <data key="d10">
+        <y:PolyLineEdge>
+          <y:Path sx="0.0" sy="0.0" tx="0.0" ty="0.0"/>
+          <y:LineStyle color="#000000" type="line" width="1.0"/>
+          <y:Arrows source="none" target="standard"/>
+          <y:BendStyle smoothed="false"/>
+        </y:PolyLineEdge>
+      </data>
+    </edge>
+    <edge id="e1" source="n1" target="n2">
+      <data key="d10">
+        <y:PolyLineEdge>
+          <y:Path sx="0.0" sy="0.0" tx="0.0" ty="0.0"/>
+          <y:LineStyle color="#000000" type="line" width="1.0"/>
+          <y:Arrows source="none" target="standard"/>
+          <y:BendStyle smoothed="false"/>
+        </y:PolyLineEdge>
+      </data>
+    </edge>
+  </graph>
+  <data key="d0">
+    <y:Resources/>
+  </data>
+</graphml>
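Review bot: the diagram labels the proxy as `localhost:17443 (proxy)`, but config-variables.conf sets `my-ssl-client-validation-port = "27443"`; one of the two should be corrected so the picture matches the running configuration. The label also calls 18080 "dummy", which is accurate only if that listener serves nothing sensitive (see the document-root point on config.conf).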

File lighttpd-ssl-tls-reverse-proxy/lighttpd.png

Added
New image

File lighttpd-ssl-tls-reverse-proxy/server-pair.pem

+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
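Review bot: this file commits an unencrypted RSA private key alongside its certificate. For a sample signed by the SAMPLE CA that is acceptable, but the post should say explicitly that the pair is for demonstration only and must be regenerated by anyone deploying the proxy, and that the file should be readable only by `my-username` (`chmod 600`), since `ssl.pemfile` is read before lighttpd drops privileges.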