README.md +10 −0 Original line number Diff line number Diff line Loading @@ -15,6 +15,13 @@ The recommended deployment process is using Docker-compose. ```sh # MANUAL STEP: Fill in docker.env file (use .env.dist as a template) # Setup TLS Client Auth: # Option 1: Disable it # touch nginx/trusted_client_certs.pem # sed -i 's/ssl_verify_client on;/ssl_verify_client off;/' nginx/nginx.conf # Option 2: Set it up. # MANUAL STEP: create file nginx/trusted_client_certs.pem and put CA certificate(s) there docker-compose up --build -d ``` Loading Loading @@ -58,6 +65,9 @@ git pull --recurse-submodules -X ours docker-compose up --build -d ``` #### Version 2022-09-29 This version needs a manual step - TLS Client Auth. See the first-run section above. ## How to export scan2report plugins folder Loading
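Review bot: the Option 1 block in the first hunk edits a tracked file in place (`sed -i 's/ssl_verify_client on;/ssl_verify_client off;/' nginx/nginx.conf`), which leaves the checkout permanently dirty and relies on the `-X ours` in the upgrade command two hunks down to carry that local edit across every future change to nginx.conf. Prefer a switch that lives outside version control (an untracked conf variant selected by the Dockerfile, or an environment-driven template), or at minimum state in the Version 2022-09-29 note that the sed has to be re-checked after each `git pull`. Both options are also written as comments inside the `sh` block, so a reader who pastes the block verbatim runs neither and then hits the Dockerfile COPY failure; one sentence above the fence saying that exactly one option must be uncommented before `docker-compose up --build -d` removes the ambiguity. Finally, `touch nginx/trusted_client_certs.pem` exists only to satisfy the COPY in nginx/Dockerfile; say so, otherwise it reads as though an empty trust store is an acceptable state for a deployment that keeps `ssl_verify_client on`.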
nginx/.gitignore 0 → 100644 +2 −0 Original line number Diff line number Diff line trusted_client_certs.pem certs/
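Review bot: `certs/` is ignored but nothing in this change creates or reads an `nginx/certs/` directory (the Dockerfile copies only `trusted_client_certs.pem` and `keys.pass`), so either document in nginx/readme.md that it is the intended scratch location for the CA and client keys produced by the linked tutorial, or drop the entry. Ignoring `trusted_client_certs.pem` itself is reasonable since it is deployment-specific, but be aware it also hides the empty file created by the README's Option 1, so a deployment that intended Option 2 and forgot to populate the bundle will show no trace of the mistake in `git status`.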
nginx/Dockerfile +2 −0 Original line number Diff line number Diff line Loading @@ -11,3 +11,5 @@ RUN openssl req -x509 -newkey rsa:4096 -keyout /etc/ssl/private/key.pem -out /et RUN rm /etc/nginx/conf.d/default.conf COPY nginx.conf /etc/nginx/conf.d/main-proxy.conf COPY keys.pass /etc/ssl/private/keys.pass COPY trusted_client_certs.pem /etc/ssl/certs/trusted_client_certs.pem
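Review bot: `COPY trusted_client_certs.pem /etc/ssl/certs/trusted_client_certs.pem` bakes the trust anchors into the image, so adding or rotating a CA means a rebuild, and the build fails with a missing-file error if the manual step in the README was skipped. Consider mounting the file read-only from the host in docker-compose instead of copying it, which keeps the bundle out of the image layers and lets it be changed with a plain restart; if COPY is kept, the README should say explicitly that `docker-compose up --build -d` must be re-run after every change to the file, since the running container will otherwise keep trusting the old set.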
nginx/nginx.conf +7 −1 Original line number Diff line number Diff line Loading @@ -8,11 +8,12 @@ upstream importer { } server { listen 80; # Beware that PwnDoc sends cookies with Secure attr. # They will be passed along, but most likely ignored by client (unless the response is wrapped in HTTPS - see 443 ssl below). # Security: This can bypass the TLS client auth, so don't expose the port outside of docker. location / { proxy_pass https://pwndoc; Loading Loading @@ -42,6 +43,11 @@ server { ssl_certificate_key /etc/ssl/private/key.pem; ssl_password_file /etc/ssl/private/keys.pass; ssl_verify_client on; # on | off | optional | optional_no_ca; ssl_verify_depth 10; ssl_client_certificate /etc/ssl/certs/trusted_client_certs.pem; # note: The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used. location / { proxy_pass http://127.0.0.1; Loading
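Review bot: the new comment on the `listen 80;` server correctly identifies that plain HTTP reaches `proxy_pass https://pwndoc;` without ever passing the client-certificate check, but a comment enforces nothing. The 443 server only needs this block through `proxy_pass http://127.0.0.1;`, so changing the directive to `listen 127.0.0.1:80;` makes the bypass unreachable from outside the container regardless of what docker-compose publishes, assuming no other service on the compose network depends on nginx:80. If the port has to stay on all interfaces, add `allow 127.0.0.1; deny all;` to this server's `location /` instead of relying on operators reading the comment.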
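Review bot: `ssl_verify_client on;` together with `ssl_client_certificate` gives chain validation but no revocation check; add `ssl_crl` pointing at a CRL for the CA(s) in trusted_client_certs.pem, otherwise a lost or compromised client certificate stays valid until it expires. `ssl_verify_depth 10;` is also far deeper than a CA-plus-client layout needs (the nginx default is 1); set it to the depth the real hierarchy has so a chain that detours through unexpected intermediates is rejected rather than tolerated. Because the 443 server hands the request to the port 80 server over plain HTTP, the authenticated identity is lost at that hop; if PwnDoc or the access logs should ever record who connected, forward `$ssl_client_s_dn` and `$ssl_client_verify` with `proxy_set_header`. The inline remark about `ssl_trusted_certificate` is accurate and only matters if advertising the accepted CA list to clients is a concern; the directive as used here is otherwise fine.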
nginx/readme.md 0 → 100644 +5 −0 Original line number Diff line number Diff line The CA and Client certs can be created for example using the following tutorial. https://www.makethenmakeinstall.com/2014/05/ssl-client-authentication-step-by-step/ Be sure to set different Common names during cert generation - otherwise the certs look self signed in openssl. https://stackoverflow.com/questions/19726138/openssl-error-18-at-0-depth-lookupself-signed-certificate
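Review bot: the readme delegates the entire CA and client-certificate procedure to an external tutorial that every deployment with client auth enabled will now depend on; inline the handful of `openssl` commands (CA key and self-signed CA certificate, client key and CSR, CA-signed client certificate, PKCS#12 export for browsers) so the repository stays usable if that page goes away. The "different Common names" tip should be stated as the rule behind it: OpenSSL treats a certificate as self-signed when its subject DN equals its issuer DN, so the client certificate's subject must differ from the CA's subject; a distinct CN is one way to achieve that, and saying so here avoids sending readers to the Stack Overflow thread to find out why. Lastly, state explicitly that `trusted_client_certs.pem`, the file the new `ssl_client_certificate` directive reads, must contain only the CA certificate(s), not the client certificates themselves.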