add CRL functionality from authnid

2018-07-30 17:32:09 -04:00
parent 0f8e303afa
commit f0a7bfcd0e
35 changed files with 2353 additions and 6 deletions
--- a/ssl/ssl.conf
+++ b/ssl/ssl.conf
@@ -0,0 +1,39 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_certificate /etc/ssl/dev.cac.atat.codes.crt;
+    ssl_certificate_key /etc/ssl/dev.cac.atat.codes.key;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_prefer_server_ciphers on;
+
+    ssl_verify_client optional;
+    ssl_verify_depth 10;
+    ssl_client_certificate /etc/ssl/ca-chain.pem;
+    error_log /var/log/nginx/authnid.error.log debug;
+
+    add_header Strict-Transport-Security max-age=15768000;
+    #ssl_stapling on;
+    #ssl_stapling_verify on;
+
+    location / {
+      try_files $uri @app;
+    }
+
+    location @app {
+      include uwsgi_params;
+      uwsgi_pass unix:///tmp/uwsgi.sock;
+      uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
+      uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
+      uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
+    }
+
+    location /static {
+      alias /app/static;
+    }
+}