├── .gitignore
├── Nginx
    ├── .dockerignore
    ├── html
    │   ├── index.html
    │   └── test.html
    ├── docker-app
    │   ├── Dockerfile
    │   ├── Gemfile
    │   ├── Gemfile.lock
    │   └── app.rb
    ├── docker-nginx
    │   ├── Dockerfile
    │   └── nginx.conf
    └── bootstrap.sh
├── Nginx-ClientCertAccess
    ├── .dockerignore
    ├── docker-nginx
    │   ├── CertificateManagement
    │   │   ├── serial
    │   │   ├── revoked
    │   │   │   ├── crlnumber
    │   │   │   ├── crlnumber.old
    │   │   │   └── crl.pem
    │   │   ├── serial.old
    │   │   ├── certindex.txt.attr
    │   │   ├── certindex.txt.attr.old
    │   │   ├── certindex.txt.old
    │   │   ├── certindex.txt
    │   │   ├── private
    │   │   │   ├── ca.key
    │   │   │   ├── client.key
    │   │   │   └── server.key
    │   │   ├── client.csr
    │   │   ├── server.csr
    │   │   ├── ca.crt
    │   │   ├── openssl.cnf
    │   │   ├── client.crt
    │   │   ├── server.crt
    │   │   └── certs
    │   │   │   ├── 100001.pem
    │   │   │   └── 100002.pem
    │   ├── Dockerfile
    │   ├── certs
    │   │   ├── client.csr
    │   │   ├── ca.crt
    │   │   ├── client.crt
    │   │   ├── server.csr
    │   │   ├── server.crt
    │   │   ├── client.key
    │   │   ├── setup-certs.sh
    │   │   ├── server.key
    │   │   └── ca.key
    │   └── nginx.conf
    ├── html
    │   ├── index.html
    │   └── test.html
    ├── docker-app
    │   ├── Dockerfile
    │   ├── Gemfile
    │   ├── Gemfile.lock
    │   └── app.rb
    └── README.md
├── Ruby
    ├── src
    │   ├── Gemfile
    │   ├── Gemfile.lock
    │   └── app.rb
    ├── README.md
    └── Dockerfile
├── Nginx-HTTP2
    ├── docker-app
    │   ├── Dockerfile
    │   ├── Gemfile
    │   ├── Gemfile.lock
    │   └── app.rb
    ├── docker-nginx
    │   ├── nginx.conf
    │   └── certs
    │   │   ├── setup-certs.sh
    │   │   ├── server.csr
    │   │   ├── server.crt
    │   │   ├── ca.crt
    │   │   ├── server.key
    │   │   └── ca.key
    └── README.md
├── Node
    ├── src
    │   ├── package.json
    │   └── index.js
    ├── README.md
    └── Dockerfile
├── provision.sh
├── Vagrantfile
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
.DS_Store
--------------------------------------------------------------------------------
/Nginx/.dockerignore:
--------------------------------------------------------------------------------
html
nginx.conf
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/.dockerignore:
--------------------------------------------------------------------------------
html
nginx.conf
--------------------------------------------------------------------------------
/Ruby/src/Gemfile:
--------------------------------------------------------------------------------
source 'http://rubygems.org'
gem 'sinatra'
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/serial:
--------------------------------------------------------------------------------
100003
--------------------------------------------------------------------------------
/Nginx/html/index.html:
--------------------------------------------------------------------------------
Welcome
This is my home page
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/revoked/crlnumber:
--------------------------------------------------------------------------------
03
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/serial.old:
--------------------------------------------------------------------------------
100002
--------------------------------------------------------------------------------
/Nginx/docker-app/Dockerfile:
--------------------------------------------------------------------------------
FROM ruby:2.1-onbuild
CMD ["ruby", "app.rb"]
--------------------------------------------------------------------------------
/Nginx/docker-app/Gemfile:
--------------------------------------------------------------------------------
source "http://rubygems.org/"

gem "sinatra"
--------------------------------------------------------------------------------
/Nginx/html/test.html:
--------------------------------------------------------------------------------
Hey there!
Here is my test HTML file
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/revoked/crlnumber.old:
--------------------------------------------------------------------------------
02
--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-app/Dockerfile:
--------------------------------------------------------------------------------
FROM ruby:2.1-onbuild
CMD ["ruby", "app.rb"]
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/html/index.html:
--------------------------------------------------------------------------------
Welcome
This is my home page
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-app/Dockerfile:
--------------------------------------------------------------------------------
FROM ruby:2.1-onbuild
CMD ["ruby", "app.rb"]
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/html/test.html:
--------------------------------------------------------------------------------
Hey there!
Here is my test HTML file
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/certindex.txt.attr:
--------------------------------------------------------------------------------
unique_subject = yes
--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-app/Gemfile:
--------------------------------------------------------------------------------
source "http://rubygems.org/"

gem "sinatra"
gem "thin"
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/certindex.txt.attr.old:
--------------------------------------------------------------------------------
unique_subject = yes
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-app/Gemfile:
--------------------------------------------------------------------------------
source "http://rubygems.org/"

gem "sinatra"
gem "thin"
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/certindex.txt.old:
--------------------------------------------------------------------------------
V 161002141423Z 100001 unknown /C=UK/CN=TheServer/emailAddress=server@integralist.com
V 161002142307Z 100002 unknown /C=UK/CN=TheClient/emailAddress=client@integralist.com
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/certindex.txt:
--------------------------------------------------------------------------------
V 161002141423Z 100001 unknown /C=UK/CN=TheServer/emailAddress=server@integralist.com
R 161002142307Z 151003151428Z 100002 unknown /C=UK/CN=TheClient/emailAddress=client@integralist.com
--------------------------------------------------------------------------------
/Node/src/package.json:
--------------------------------------------------------------------------------
{
  "name": "docker-centos-hello",
  "private": true,
  "version": "0.0.1",
  "description": "Node.js Hello World app on CentOS using docker",
  "author": "Daniel Gasienica",
  "dependencies": {
    "express": "3.2.4"
  }
}
--------------------------------------------------------------------------------
/Node/src/index.js:
--------------------------------------------------------------------------------
var express = require('express');

// Constants
var PORT = 8080;

// App
var app = express();
app.get('/', function (req, res) {
  res.send('Hello World (from NodeJS)\n');
});

app.listen(PORT);
console.log('Running on http://localhost:' + PORT);
--------------------------------------------------------------------------------
/Ruby/src/Gemfile.lock:
--------------------------------------------------------------------------------
GEM
  remote: http://rubygems.org/
  specs:
    rack (1.5.2)
    rack-protection (1.5.3)
      rack
    sinatra (1.4.5)
      rack (~> 1.4)
      rack-protection (~> 1.4)
      tilt (~> 1.3, >= 1.3.4)
    tilt (1.4.1)

PLATFORMS
  ruby

DEPENDENCIES
  sinatra
--------------------------------------------------------------------------------
/Nginx/docker-app/Gemfile.lock:
--------------------------------------------------------------------------------
GEM
  remote: http://rubygems.org/
  specs:
    rack (1.6.4)
    rack-protection (1.5.3)
      rack
    sinatra (1.4.6)
      rack (~> 1.4)
      rack-protection (~> 1.4)
      tilt (>= 1.3, < 3)
    tilt (2.0.1)

PLATFORMS
  ruby

DEPENDENCIES
  sinatra

BUNDLED WITH
   1.10.5
--------------------------------------------------------------------------------
/Nginx/docker-nginx/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu 2 | 3 | # install nginx 4 | RUN apt-get update && apt-get install -y nginx 5 | RUN rm -rf /etc/nginx/sites-enabled/default 6 | 7 | # forward request and error logs to docker log collector 8 | RUN ln -sf /dev/stdout /var/log/nginx/access.log 9 | RUN ln -sf /dev/stderr /var/log/nginx/error.log 10 | 11 | EXPOSE 80 443 12 | CMD ["nginx", "-g", "daemon off;"] 13 | -------------------------------------------------------------------------------- /provision.sh: -------------------------------------------------------------------------------- 1 | cat > /etc/systemd/system/docker-tcp.socket < 1.4) 11 | rack-protection (~> 1.4) 12 | tilt (>= 1.3, < 3) 13 | thin (1.6.4) 14 | daemons (~> 1.0, >= 1.0.9) 15 | eventmachine (~> 1.0, >= 1.0.4) 16 | rack (~> 1.0) 17 | tilt (2.0.1) 18 | 19 | PLATFORMS 20 | ruby 21 | 22 | DEPENDENCIES 23 | sinatra 24 | thin 25 | 26 | BUNDLED WITH 27 | 1.10.5 28 | -------------------------------------------------------------------------------- /Nginx/bootstrap.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | docker build -t my-ruby-app ./docker-app 4 | docker build -t my-nginx ./docker-nginx 5 | docker run --name ruby-app -p 4567:4567 -d my-ruby-app 6 | docker run --name nginx-container \ 7 | -v $(pwd)/html:/usr/share/nginx/html:ro \ 8 | -v $(pwd)/docker-nginx/nginx.conf:/etc/nginx/nginx.conf:ro \ 9 | --link ruby-app:app \ 10 | -P -d my-nginx 11 | curl http://$(docker-machine ip dev):32769/ 12 | curl http://$(docker-machine ip dev):32769/test.html 13 | curl http://$(docker-machine ip dev):32769/app/ 14 | curl http://$(docker-machine ip dev):32769/app/foo 15 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-app/Gemfile.lock: -------------------------------------------------------------------------------- 1 
| GEM 2 | remote: http://rubygems.org/ 3 | specs: 4 | daemons (1.2.3) 5 | eventmachine (1.0.8) 6 | rack (1.6.4) 7 | rack-protection (1.5.3) 8 | rack 9 | sinatra (1.4.6) 10 | rack (~> 1.4) 11 | rack-protection (~> 1.4) 12 | tilt (>= 1.3, < 3) 13 | thin (1.6.4) 14 | daemons (~> 1.0, >= 1.0.9) 15 | eventmachine (~> 1.0, >= 1.0.4) 16 | rack (~> 1.0) 17 | tilt (2.0.1) 18 | 19 | PLATFORMS 20 | ruby 21 | 22 | DEPENDENCIES 23 | sinatra 24 | thin 25 | 26 | BUNDLED WITH 27 | 1.10.5 28 | -------------------------------------------------------------------------------- /Nginx-HTTP2/docker-app/app.rb: -------------------------------------------------------------------------------- 1 | require "sinatra" 2 | 3 | # Utilise the Thin server in order to accept data passed from nginx 4 | set :server, %w[thin webrick] 5 | 6 | # Bind to ALL device interfaces 7 | # This is so the application localhost can be accessed outside the Docker container 8 | # 9 | # So although in the Dockerfile we expose port 4567 to the host machine 10 | # we're not exposing the Boot2Docker VM's localhost unless we set the application to 11 | # bind to all the available interfaces 12 | set :bind, "0.0.0.0" 13 | 14 | get "/" do 15 | "Hello World" 16 | end 17 | 18 | get "/foo" do 19 | "Foo!" 
20 | end 21 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-app/app.rb: -------------------------------------------------------------------------------- 1 | require "sinatra" 2 | 3 | # Utilise the Thin server in order to accept data passed from nginx 4 | set :server, %w[thin webrick] 5 | 6 | # Bind to ALL device interfaces 7 | # This is so the application localhost can be accessed outside the Docker container 8 | # 9 | # So although in the Dockerfile we expose port 4567 to the host machine 10 | # we're not exposing the Boot2Docker VM's localhost unless we set the application to 11 | # bind to all the available interfaces 12 | set :bind, "0.0.0.0" 13 | 14 | get "/" do 15 | "Hello World" 16 | end 17 | 18 | get "/foo" do 19 | "Foo!" 20 | end 21 | 22 | get "/cert" do 23 | request.env["HTTP_X_CLIENTCERT_DN"] 24 | end 25 | -------------------------------------------------------------------------------- /Node/README.md: -------------------------------------------------------------------------------- 1 | ```bash 2 | # Create an image from our Dockerfile 3 | docker build -t integralist/nodejs . 
4 | 5 | # Check the image was created 6 | docker images 7 | 8 | # Run a container (in the background using -d) from our image 9 | # Make sure to expose the port to the CoreOS VM (using -p host:container) 10 | docker run -p 8080:8080 -d integralist/nodejs 11 | 12 | # Check the container is running 13 | docker ps 14 | 15 | # Check the output of the containers logs 16 | # You should see information about the localhost:port being used 17 | docker logs {container_id} 18 | 19 | # Test you get the relevant response 20 | # Note: the ip is a private range ip defined in the CoreOS Vagrantfile 21 | curl -i http://172.17.8.100:8080/ 22 | ``` 23 | -------------------------------------------------------------------------------- /Ruby/README.md: -------------------------------------------------------------------------------- 1 | ```bash 2 | # Create an image from our Dockerfile 3 | docker build -t integralist/sinatra . 4 | 5 | # Check the image was created 6 | docker images 7 | 8 | # Run a container (in the background using -d) from our image 9 | # Make sure to expose the port to the CoreOS VM (using -p host:container) 10 | docker run -p 4567:4567 -d integralist/sinatra 11 | 12 | # Check the container is running 13 | docker ps 14 | 15 | # Check the output of the containers logs 16 | # You should see information about the localhost:port being used 17 | docker logs {container_id} 18 | 19 | # Test you get the relevant response 20 | # Note: the ip is a private range ip defined in the CoreOS Vagrantfile 21 | curl -i http://172.17.8.100:4567/ 22 | ``` 23 | -------------------------------------------------------------------------------- /Nginx-HTTP2/docker-nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user nobody nogroup; 2 | worker_processes auto; 3 | 4 | events { 5 | worker_connections 512; 6 | } 7 | 8 | http { 9 | upstream app { 10 | server app:4567; 11 | } 12 | 13 | # REDIRECTION DOESN'T REALLY WORK WITH CONTAINERS 14 | server 
{ 15 | listen *:80; 16 | 17 | location /app/ { 18 | return 301 https://$host$request_uri; 19 | } 20 | } 21 | 22 | server { 23 | listen *:443 ssl http2; 24 | server_name integralist.com; 25 | 26 | ssl_certificate /etc/nginx/certs/server.crt; 27 | ssl_certificate_key /etc/nginx/certs/server.key; 28 | ssl_trusted_certificate /etc/nginx/certs/ca.crt; 29 | 30 | location /app/ { 31 | proxy_pass http://app/; 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /Ruby/Dockerfile: -------------------------------------------------------------------------------- 1 | # Build from... 2 | FROM ubuntu:14.04 3 | MAINTAINER Mark McDonnell 4 | 5 | # Install Ruby and Sinatra 6 | RUN apt-get -qq update 7 | RUN apt-get -qqy install ruby ruby-dev 8 | RUN gem install sinatra 9 | 10 | # Note: 11 | # We have a Gemfile that specifies Sinatra as a dependency, 12 | # so we probably should only install Ruby and change to `gem install bundler` 13 | # Then we could avoid using ENTRYPOINT and use CMD to construct a command like: 14 | # `bundle install && ruby /src/app.rb` 15 | 16 | # Add our current directory into the /src directory of the container 17 | ADD ./src /ruby-app 18 | 19 | # Make sure to expose the port so we can access the application outside of the VM 20 | EXPOSE 4567 21 | 22 | ENTRYPOINT ["ruby", "/ruby-app/app.rb"] 23 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/CertificateManagement/revoked/crl.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN X509 CRL----- 2 | MIIB5jCCAU8CAQEwDQYJKoZIhvcNAQEEBQAwXzELMAkGA1UEBhMCVUsxFzAVBgNV 3 | BAoTDkludGVncmFsaXN0THRkMRQwEgYDVQQDEwtJbnRlZ3JhbGlzdDEhMB8GCSqG 4 | SIb3DQEJARYSY2FAaW50ZWdyYWxpc3QuY29tFw0xNTEwMDMxNTE3MjRaFw0xNTEx 5 | MDIxNTE3MjRaMBYwFAIDEAACFw0xNTEwMDMxNTE0MjhaoIGjMIGgMIGRBgNVHSME 6 | gYkwgYaAFEM6dUHhrkbwX6z0JGo629ExfidroWOkYTBfMQswCQYDVQQGEwJVSzEX 7 | 
MBUGA1UEChMOSW50ZWdyYWxpc3RMdGQxFDASBgNVBAMTC0ludGVncmFsaXN0MSEw 8 | HwYJKoZIhvcNAQkBFhJjYUBpbnRlZ3JhbGlzdC5jb22CCQDghojoygx/KTAKBgNV 9 | HRQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQCqGogao6GDqMida/k+eVNIFwbh+bJ9 10 | K0NADTVWgDQT9IjlM1kZY5yG+UoxQXr3usLZ0Sw/8X/M54bSTsZF/3KsPsR6dIYC 11 | jPHBYyWbNBZFJptnVsGe9sxO1Nx0HmoOuHpCH6nIwKM1L1PyqKLj6skYcyiUBER4 12 | +Tjwz9aCWx2kiA== 13 | -----END X509 CRL----- 14 | -------------------------------------------------------------------------------- /Node/Dockerfile: -------------------------------------------------------------------------------- 1 | # Build from... 2 | FROM centos:centos6 3 | 4 | # Enable EPEL (Extra Packages for Enterprise Linux) for Node.js 5 | # https://github.com/joyent/node/wiki/Installing-Node.js-via-package-manager#enterprise-linux-rhel-centos-fedora-etc 6 | RUN rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm 7 | 8 | # Install Node.js and npm 9 | RUN yum install -y nodejs npm --enablerepo=epel 10 | 11 | # Bundle app source 12 | ADD ./src /node-app 13 | 14 | # Install app dependencies 15 | RUN cd /node-app; npm install 16 | 17 | # The app binds to port 8080 so we'll expose it 18 | EXPOSE 8080 19 | 20 | # CMD doesn't run at build time 21 | # it is the intended command for the container when run with `docker run` 22 | # if the user specifies arguments to `docker run` then they override the below CMD 23 | CMD ["node", "/node-app/index.js"] 24 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/certs/client.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIICgzCCAWsCAQAwPjEXMBUGA1UEAxMOTWFyayBNY0Rvbm5lbGwxIzAhBgkqhkiG 3 | 9w0BCQEWFG1hcmtAaW50ZWdyYWxpc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC 4 | AQ8AMIIBCgKCAQEAwb/XVduOdCR1i5iAVhBZK/jTmPPjI34+BVOI1CRrljOh0/hh 5 | Gr8IsYmUOcUXx4wTK81AKBMcmU1Hint0joJP+J9A7TE8lqi76GK0AzzAdxBu0KCb 6 | 
u4hvISb2QW8Ugb/jGDj4zvWI375sLynLv3Abplf6e8iKnKQ7o2JujwpAKZwbgcKu 7 | n9Fyg+jjrvygqDaYHkF6HdxqdUaAHmvEBZpPesqYRxa+rOS3MAsIneCNwMNc+H9R 8 | 9QLsqbHCNtXOgxgTzlA6hRxlScalmPGIq2qR64E9lLwxqrQZb8GD019ENVo46IfX 9 | c5I9z/87QDyTrhVNJXHEkYBx2DQ4rGlSbBBIEwIDAQABoAAwDQYJKoZIhvcNAQEF 10 | BQADggEBAFfq395/dnX3qSbFX5dABRGzrvj6ypzkxmIYjMgkk4GTTqtOVN8nYuys 11 | Vs6UIGQ2J6QhRZxe8jjsjo0/J0+CnNELYtHNUYnI3AGXlSZ633lJ+oCS+mkCDK+g 12 | tNlWFUCGUODPpHnVSeu0RO3PUBjvD6dSH7Da2YSpXSN2jIwA58hPsSOnBzkpm2C0 13 | 7BWh+nLIUGcPe+uygReD0ypuTkuJZXNW25KueuEySan4Gk5L/bvkx6spmuiHqY7N 14 | qU9PCnclPh9/B23ZY3weIKY2uEEzg3pkaJ7V97rhjQijaO+u+fseDh/7DinncnF3 15 | OXnQ/ZCe4c3fg/uyUIoADgH19pa3qMk= 16 | -----END CERTIFICATE REQUEST----- 17 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/CertificateManagement/private/ca.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | Proc-Type: 4,ENCRYPTED 3 | DEK-Info: DES-EDE3-CBC,FC440F5BB39D7AF7 4 | 5 | iFoCG5LfvFOjlzrbstSobzHCfRqA7CJ1anZMgw+qZBzDQcovTmeSp7xfh1sUWZHR 6 | ByXqi3kuwnxYltxprzlv5m9e91KuV9SX02yioehlEqe1KqRSlwXTMLmBpmQnSSw8 7 | +5XUf5y/agiRfRNCV1Avk7ocJ6VxBd6uiCEmTiXgAxP4xSFbaxqKoulOrSpqjquQ 8 | 0F+CmknZDfYcXWc/DwOJXp7oRemztEbPTsDDRd448U32dTxflFP8wBCyBY86Fep5 9 | 9sOFlT+Nw/7Xms5NeH9zVfUljFmBl5lznbjozn7Vmn2NfphGdT0G0lbWlcLzDiUy 10 | VoM1fstEqgZlIREr3D7Jiu6Qk6cdEh++kLIUNXbpr4C+avXgpa/W4hRfyab8zt/y 11 | K8LZxOxqyzioe7H5UfIreW48V9QbM4gNFtj60xaOxY0yq7Pim7Q2paT/mo7KjOc9 12 | HYGdxwzDoW1MxrnHg1VrfLBIUzCQAUZQKu5Pp1Vm9HMU7tumlHcCvQlUQVKDQH1m 13 | sr8QOS+QCQn2O1udlLCPKkqUeNXCJZicQdn9DbWV6bcCgUznzk+3KqbVDqHXNXdk 14 | jxq/CE/nz2j9nzJpv7Rgyns1dIIYEIrjmkPjGmHS82Xn/Haljco2gn3IM/jPc+Gp 15 | 5t2XNYK0QwQXBO0UQnrcKBELhUZ0P2bOR0HUq3udEGXanuPnx5+YVfOWeRrHRSfF 16 | 5vQ6xnIjXu8skfqJy7ycQUZbnJXlzZdrPitU71WIU8m2Jg5Hsp5ZXmQaNE8q4xjA 17 | D9HNPPUsx1XXYEbfSvj1M2+gJ6Xm2wGc9VcSqB87pgN9fmvUDJhniw== 18 | -----END RSA PRIVATE KEY----- 19 | 
-------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/CertificateManagement/client.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIICyDCCAbACAQAwSDElMCMGCSqGSIb3DQEJARYWY2xpZW50QGludGVncmFsaXN0 3 | LmNvbTELMAkGA1UEBhMCVUsxEjAQBgNVBAMTCVRoZUNsaWVudDCCASIwDQYJKoZI 4 | hvcNAQEBBQADggEPADCCAQoCggEBAK8P/EUMqBXVScI3j0/XZJfbMDaprO/GpAb+ 5 | EasytQ0V4GS5abgOvIVzBbrAe1j+4WXztar9YxfEnGJ9Jzqc6EVF4Kc27sR/2jR4 6 | FdZyWHdhB9HEkWq4sOdTvljfyln04HA61PrX7NFRgrGk7Kitm0qLQMZhw+67bmFS 7 | +A+iPwbRTFXGcMo5/3R6UhDakpmDapMyE+5jt6NTEupgfAcPy6CEPOab9otaF/dW 8 | YMbLDKz+Kw32+vjUFMxmp5n9dbchizykpbAGHG75fSIIZoRn+IpE6EKL2vR6MexE 9 | DwQ9xTD08D/xFxaz+FxTA42E+y27L/aVB8R3vsoA+lnZjI58rYkCAwEAAaA7MDkG 10 | CSqGSIb3DQEJDjEsMCowCQYDVR0TBAIwADAdBgNVHQ4EFgQUbfZxVDjaxTolJCz1 11 | N7qYcuTCHAkwDQYJKoZIhvcNAQEEBQADggEBABzRQpNy+oC2yhdnEXrXRHkBiLbB 12 | o7lAmZXMq35esUpjjvoO6K/m3CS3YK+Th5XavsVsk0GHTInyRMwQ4o3x2nTJmKBG 13 | ARFDkfUCpqQESX23cuZ9WYYyYSR+w15XXOKTdCBfF6/fr7WKurbwNOkURWtTo5f8 14 | Rt5dFIlpgypIghWAjyQOooR86SYQAHk/qs4Myn/AYBgHBUeeFy15EW2iD1aFcOrr 15 | Gaw7LzD6gVOTyYfRuMsG71YHZQf8hidPx+KcejEGtfixSyzGfTLYr3QI/Khs3NcH 16 | NmzkQjpmaXa9DGfA9lQK4BuJd2ulXzewXUA9t5APeJncZMIwjLbZyWVQOpk= 17 | -----END CERTIFICATE REQUEST----- 18 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/CertificateManagement/server.csr: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE REQUEST----- 2 | MIICyDCCAbACAQAwSDElMCMGCSqGSIb3DQEJARYWc2VydmVyQGludGVncmFsaXN0 3 | LmNvbTELMAkGA1UEBhMCVUsxEjAQBgNVBAMTCVRoZVNlcnZlcjCCASIwDQYJKoZI 4 | hvcNAQEBBQADggEPADCCAQoCggEBALeV1MYu0Rnljtn8/pVmQTpy8O1WVwlyU/gU 5 | JzEwvMVMVQA0PLT5GeqB/pmfFeBr8/ui3dT45TKV3YVaVIToFvvSAPn4TtnupqPo 6 | oNeUHwt2V1sF97fnt+nWJstFPi+shTbLIv0OhM7BCjDLV0kHpWp5QSJBsjZRb381 7 | 
08hDUOR8hnttpG3IsKFlOTGiEEeTWt6jH09JQOfz4aIoVKU12PplQBEHjLlFleNB 8 | o0ET+xG+ZnvcKcx60a/jUp869WDT9tByAICSZz8wGBp9Ebq8jPaHcM49y7OTHo6J 9 | ekHunw73/wpZd54MtaQgMvyFFK9Kqq7OBEpN4nljh3r4sENqkMUCAwEAAaA7MDkG 10 | CSqGSIb3DQEJDjEsMCowCQYDVR0TBAIwADAdBgNVHQ4EFgQUqbYPdq7l35NPZv8J 11 | I0PTu72QyNMwDQYJKoZIhvcNAQEEBQADggEBADzjNtrobo/oZlvCa5hHVQMhH8Xo 12 | +5bpw+mtFVFoSoXT75C2AhK+xPgdZHGXPwsYTFOLTzNDTs6gqE7dSkhYGa2BK4Uq 13 | P7dnDIBSqRxu9n5258/CWbmH3zzCbu/OCkUnGWV5EWMNxKBgtkEHeKEkPmDTyQm7 14 | ECLPCH305dkckaJj0KrqO/lIpquIm7bpBfJItq8x7vMnPsWy/C4GtmK7XahmJgyv 15 | MLPOsLSbokn/pqSYoi+B+4jfQBGHqR+dMyZzE5WK2GfAk57zj6CaPIp02BCgxHZD 16 | uJIuvFcjJm/MUjs+tY2oi9tlcIks5e9k79W2hWxupbYp5uvhpE5vdvba5qA= 17 | -----END CERTIFICATE REQUEST----- 18 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/certs/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDATCCAmqgAwIBAgIJAPyodSLqJLVaMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV 3 | BAYTAlVLMRQwEgYDVQQKEwtJbnRlZ3JhbGlzdDEXMBUGA1UEAxMOSW50ZWdyYWxp 4 | c3RMdGQxITAfBgkqhkiG9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbTAeFw0xNTEw 5 | MDMxMTIzMDNaFw0yNTA5MzAxMTIzMDNaMF8xCzAJBgNVBAYTAlVLMRQwEgYDVQQK 6 | EwtJbnRlZ3JhbGlzdDEXMBUGA1UEAxMOSW50ZWdyYWxpc3RMdGQxITAfBgkqhkiG 7 | 9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw 8 | gYkCgYEAxiIJOfC+30TS6Nlg3Zh4K/YLyjLuf9nvXclbrC77Xm11Myw08P3MZKnT 9 | uFFWhS+3kbLocHEwd3YUG2Nti2KSB+g6tAVJx3n1Z0nQ4IVc7cBThMpt4B+Bvp1q 10 | MQN1xZqka/rIpRjHHa4JgteDR8PY8JSgu9pJ8yqg26DdA40RWg0CAwEAAaOBxDCB 11 | wTAdBgNVHQ4EFgQUvpsHxRJjiaubVCDNcZKf1A0kTVowgZEGA1UdIwSBiTCBhoAU 12 | vpsHxRJjiaubVCDNcZKf1A0kTVqhY6RhMF8xCzAJBgNVBAYTAlVLMRQwEgYDVQQK 13 | EwtJbnRlZ3JhbGlzdDEXMBUGA1UEAxMOSW50ZWdyYWxpc3RMdGQxITAfBgkqhkiG 14 | 9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbYIJAPyodSLqJLVaMAwGA1UdEwQFMAMB 15 | Af8wDQYJKoZIhvcNAQEFBQADgYEAnUg/taaSFPyb6JvoNpq/4U4a3Y0/e1EQ0kZ/ 16 | 
TPsyBbiI3osFs9dUltar0daxDJRlznRFbC4Ly52zCs3hq1n2VQf0c640uJ9meemo 17 | fWimApzs9cQhq5V/YDl2nvbE8Uy9dlUk2aU8uMVs3beIL3/I0RcVoF+tjPaayRbQ 18 | 7pmKqD8= 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/CertificateManagement/ca.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDATCCAmqgAwIBAgIJAOCGiOjKDH8pMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV 3 | BAYTAlVLMRcwFQYDVQQKEw5JbnRlZ3JhbGlzdEx0ZDEUMBIGA1UEAxMLSW50ZWdy 4 | YWxpc3QxITAfBgkqhkiG9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbTAeFw0xNTEw 5 | MDMxNDA2MjJaFw0xNjEwMDIxNDA2MjJaMF8xCzAJBgNVBAYTAlVLMRcwFQYDVQQK 6 | Ew5JbnRlZ3JhbGlzdEx0ZDEUMBIGA1UEAxMLSW50ZWdyYWxpc3QxITAfBgkqhkiG 7 | 9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAw 8 | gYkCgYEAzDPMLpTzjCEHsf25GCjjyC2YsHIJA7sJvRkIy+8G10nZllSmqkB9Y5vR 9 | ZVTH2EjDKbPkrxNKkAtRPJrrBLZ74p6upQeBZoFGv7bnijM6h3lHMtqkLsLAHqq8 10 | dU1yzjcgHUSKwgImE/i2BnjakF1XyYep5KR6AOlyH4BIhM5QfnsCAwEAAaOBxDCB 11 | wTAdBgNVHQ4EFgQUQzp1QeGuRvBfrPQkajrb0TF+J2swgZEGA1UdIwSBiTCBhoAU 12 | Qzp1QeGuRvBfrPQkajrb0TF+J2uhY6RhMF8xCzAJBgNVBAYTAlVLMRcwFQYDVQQK 13 | Ew5JbnRlZ3JhbGlzdEx0ZDEUMBIGA1UEAxMLSW50ZWdyYWxpc3QxITAfBgkqhkiG 14 | 9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbYIJAOCGiOjKDH8pMAwGA1UdEwQFMAMB 15 | Af8wDQYJKoZIhvcNAQEFBQADgYEAvCUkqSFPFtpywfhmf41fQZY++xMVtlviLO2k 16 | BP3vNBImfgVew+S3WJgnPpYm34F+rzXTCvZBxxR97fLzcX3sZ7QQQhxV5S3xB8Bl 17 | qnIGJ+zoxXoU1Z7qbwGGL6n5v/RCrmBa/vNFbng9xrjZPNZMSSSFKbnFLnxmGFQo 18 | oyaMhQo= 19 | -----END CERTIFICATE----- 20 | -------------------------------------------------------------------------------- /Nginx-HTTP2/docker-nginx/certs/setup-certs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "Create the CA...\n" 4 | # Create the CA Key and Certificate for signing Client Certs 5 | # Just enter `pass` for the passphrase (doesn't matter as this 
isn't something you'd use in production) 6 | # For the ca.crt generation I pretty much entered . (which means 'no value') for all details 7 | # Only exception was the 'Common Name' field which I entered 'My Cool CA' (so I recognise it as the 'ca') 8 | openssl genrsa -des3 -out ca.key 4096 9 | openssl req -new -x509 -days 365 -key ca.key -out ca.crt 10 | 11 | echo "\nCreate the Server Key...\n" 12 | # Create the Server Key, CSR, and Certificate 13 | # Notice I don't specify -des3 as I don't want a passphrase 14 | # For the CSR I pretty much entered . (which means 'no value') for all details 15 | # Only exception was the 'Common Name' field which I entered 'Integralist' (so I recognise it as the 'server') 16 | openssl genrsa -out server.key 4096 17 | 18 | echo "\nCreate the Server CSR...\n" 19 | openssl req -new -key server.key -out server.csr 20 | 21 | echo "\nSelf-sign the Server CSR...\n" 22 | # We're self signing our own server cert here. This is a no-no in production. 23 | # Just need to enter `pass` for the CA key access 24 | openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt 25 | -------------------------------------------------------------------------------- /Nginx/docker-nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | user nobody nogroup; 2 | worker_processes auto; # auto-detect number of logical CPU cores 3 | 4 | events { 5 | worker_connections 512; # set the max number of simultaneous connections (per worker process) 6 | } 7 | 8 | http { 9 | upstream app { 10 | server app:4567; # app is automatically defined inside /etc/hosts by Docker 11 | } 12 | 13 | server { 14 | listen *:80; # Listen for incoming connections from any interface on port 80 15 | server_name ""; # Don't worry if "Host" HTTP Header is empty or not set 16 | root /usr/share/nginx/html; # serve static files from here 17 | 18 | location /app/ { # catch any requests that start with /app/ 19 | 
proxy_pass http://app/; # proxy requests onto our app server (i.e. a different container) 20 | # 21 | # NOTE: If you don't put a forward slash / at the end of the upstream name 22 | # then you'll find nginx passes the request as /app/ rather than just / 23 | # Putting / after the upstream name means it acts more like the alias directive 24 | # If I kept it as http://app; then I would've needed to add a /app/ route to Sinatra 25 | } 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/certs/client.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDxzCCAa8CAQEwDQYJKoZIhvcNAQEFBQAwFTETMBEGA1UEAxMKTXkgQ29vbCBD 3 | QTAeFw0xNTEwMDIwODMxMTdaFw0xNjEwMDEwODMxMTdaMD4xFzAVBgNVBAMTDk1h 4 | cmsgTWNEb25uZWxsMSMwIQYJKoZIhvcNAQkBFhRtYXJrQGludGVncmFsaXN0LmNv 5 | bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMG/11XbjnQkdYuYgFYQ 6 | WSv405jz4yN+PgVTiNQka5YzodP4YRq/CLGJlDnFF8eMEyvNQCgTHJlNR4p7dI6C 7 | T/ifQO0xPJaou+hitAM8wHcQbtCgm7uIbyEm9kFvFIG/4xg4+M71iN++bC8py79w 8 | G6ZX+nvIipykO6Nibo8KQCmcG4HCrp/RcoPo4678oKg2mB5Beh3canVGgB5rxAWa 9 | T3rKmEcWvqzktzALCJ3gjcDDXPh/UfUC7KmxwjbVzoMYE85QOoUcZUnGpZjxiKtq 10 | keuBPZS8Maq0GW/Bg9NfRDVaOOiH13OSPc//O0A8k64VTSVxxJGAcdg0OKxpUmwQ 11 | SBMCAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAWtCZ3ER/EqYAfPsZrE+VNzJY4gZ6 12 | IRacQYBZaz9CViqJOVo+9ki4GcCqiJ/yaqNKZMFBu/VgsxV6y0zU+DX8vfA6hnmt 13 | HuPHMF+KUUvRIygdi4EaaC3gElX7tytLQQ6BPMC9NMazmsthjH7+UoaLRX+EV+Hs 14 | BBh/E3341C+RG72bufbBPe1Fv+FDPb4Rpk/yx7O3c/2CikmyGnU16nUzEHElA7BN 15 | OLzFC4XAv0xq0+cXUqgI9BCGhwBtXaoJsifRZAhBmWiriA5ZAqdozQAoWB35p/AE 16 | vqj0gdlAv3yzMbjJmon6i8MSP81y0GDbnHjOzi91x8lj0oHmxK+nsJOH0B11ayGR 17 | VtYOCrBoOfi0MYbZUP4kEalAP153fhXI6bKr/5Czi9sAWoWD0nWqZghoKwIicADA 18 | OJR6d5FBHclFZ3L+lqBgI+OhBW0fSSQ+tLKTeQ12j/mw9JDFVp0klysezZY6GoAT 19 | UFEc9lBQsFkgft8DWzP0wsuWWaly+Noh1nqhHtnCeZ6EaKuNXTCCrkLVfnyYUeVj 20 | 
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/certs/server.csr:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/certs/server.crt:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/certs/client.key:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-nginx/certs/server.csr:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/private/client.key:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/private/server.key:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Vagrantfile:
--------------------------------------------------------------------------------
$update_channel = "alpha"

Vagrant.configure("2") do |config|

  config.vm.box = "coreos-%s" % $update_channel
  config.vm.box_version = ">= 308.0.1"

  # Box URL (overridden for VMware)
  config.vm.box_url = "http://%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant.json" % $update_channel
  config.vm.provider :vmware_fusion do |vb, override|
    override.vm.box_url = "http://%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant_vmware_fusion.json" % $update_channel
  end

  # VirtualBox doesn't have guest additions (or a functional vboxsf) in CoreOS
  # So here we're helping Vagrant to be smarter with its configuration
  config.vm.provider :virtualbox do |v|
    v.check_guest_additions = false
    v.functional_vboxsf = false
  end

  # Resolve issue with a specific Vagrant plugin by preventing it from updating
  if Vagrant.has_plugin?("vagrant-vbguest") then
    config.vbguest.auto_update = false
  end

  # Sets a hostname for the VM
  config.vm.hostname = "coreos-%s" % $update_channel

  # Configure the VM's Memory and CPU allocation
  config.vm.provider :virtualbox do |vb|
    vb.memory = 1024
    vb.cpus = 1
  end

  # 172 is a private network range (we add this in ~/.zshrc like so: `export DOCKER_HOST=tcp://172.17.8.100:2375`)
  config.vm.network :private_network, ip: "172.17.8.100"

  # Enable NFS for sharing the host machine into the coreos-vagrant VM
  config.vm.synced_folder ".", "/home/core/share",
    id: "core",
    :nfs => true,
    :mount_options => ['nolock,vers=3,udp']

  config.vm.provision "shell" do |s|
    s.privileged = true
    s.path = "provision.sh"
  end

end

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/nginx.conf:
--------------------------------------------------------------------------------
user nobody nogroup;
worker_processes auto; # auto-detect number of logical CPU cores

events {
  worker_connections 512; # set the max number of simultaneous connections (per worker process)
}

http {
  upstream app {
    server app:4567; # app is automatically defined inside /etc/hosts by Docker
  }

  server {
    listen *:443; # Listen for incoming connections from any interface on port 443 (TLS)
    ssl on;
    server_name ""; # Don't worry if "Host" HTTP Header is empty or not set

    ssl_certificate /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt; # the cert used to sign the client certificates
    ssl_verify_client on; # force SSL verification (can also be set to 'optional')
    ssl_crl /etc/nginx/certs/crl.pem;

    root /usr/share/nginx/html; # serve static files from here

    location /app/ { # catch any requests that start with /app/
      proxy_pass http://app/; # proxy requests onto our app server (i.e. a different container)
      proxy_set_header X-ClientCert-DN $ssl_client_s_dn; # Thin server Request gets this as `HTTP_X_CLIENTCERT_DN`
      #
      # NOTE: If you don't put a forward slash / at the end of the upstream name
      # then you'll find nginx passes the request as /app/ rather than just /
      # Putting / after the upstream name means it acts more like the alias directive
      # If I kept it as http://app; then I would've needed to add a /app/ route to Sinatra
    }
  }
}

--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-nginx/certs/server.crt:
--------------------------------------------------------------------------------

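--------------------------------------------------------------------------------
Added example, not a file from this repository: the Nginx-ClientCertAccess nginx.conf forwards the verified certificate's subject as `X-ClientCert-DN`, and setup-certs.sh sets an Email Address so the Ruby app can parse it out. The Ruby below shows one way the app side could read that header and fail closed. The helper names, the allowlist and the sample DNs are assumptions constructed for illustration.

```ruby
# Added example: consuming the X-ClientCert-DN header set by nginx.
# Helper names, ALLOWED_EMAILS and the sample DNs are constructed for
# illustration; none of this is taken from the repository's app.rb.
#
# The header is only trustworthy because nginx overwrites it with
# $ssl_client_s_dn after verifying the client certificate. If the app port
# (4567) is reachable without going through nginx, any caller can set it.

# Split an RFC 2253 style DN on unescaped commas, dropping the backslash of
# simple escapes such as "\,". Hex escapes ("\C3\A9") and multi-valued RDNs
# ("+") are not decoded here.
def split_rfc2253(dn)
  parts = []
  current = String.new
  escaped = false
  dn.each_char do |ch|
    if escaped
      current << ch
      escaped = false
    elsif ch == "\\"
      escaped = true
    elsif ch == ","
      parts << current
      current = String.new
    else
      current << ch
    end
  end
  parts << current
end

# Return [[attribute, value], ...] for either DN format nginx can emit:
#   legacy   "/CN=Mark McDonnell/emailAddress=mark@integralist.com"
#   RFC 2253 "emailAddress=mark@integralist.com,CN=Mark McDonnell"
# (nginx 1.11.6+ uses RFC 2253 for $ssl_client_s_dn; the old form is
# $ssl_client_s_dn_legacy). Returns [] when any component is malformed.
def parse_subject_dn(dn)
  dn = dn.to_s.strip
  return [] if dn.empty?
  rdns = dn.start_with?("/") ? dn[1..-1].split("/") : split_rfc2253(dn)
  pairs = rdns.map { |rdn| rdn.strip.split("=", 2) }
  well_formed = pairs.all? { |pair| pair.size == 2 && pair.none?(&:empty?) }
  well_formed ? pairs : []
end

# Fail closed: require exactly one CN and exactly one emailAddress, so a
# subject with duplicated attributes cannot make two components disagree
# about who the caller is.
def client_identity(env)
  attrs = parse_subject_dn(env["HTTP_X_CLIENTCERT_DN"]).group_by(&:first)
  names  = (attrs["CN"] || []).map(&:last)
  emails = (attrs["emailAddress"] || []).map(&:last)
  return nil unless names.size == 1 && emails.size == 1
  email = emails.first.downcase
  return nil unless email.match?(/\A[^@\s]+@[^@\s]+\z/)
  { cn: names.first, email: email }
end

ALLOWED_EMAILS = ["mark@integralist.com"].freeze # constructed allowlist

# True only for a well-formed subject whose email is on the allowlist.
def authorized?(env)
  identity = client_identity(env)
  !identity.nil? && ALLOWED_EMAILS.include?(identity[:email])
end

# Constructed sample header values (name and address as used on this page).
LEGACY_DN  = "/CN=Mark McDonnell/emailAddress=mark@integralist.com"
RFC2253_DN = "emailAddress=mark@integralist.com,CN=Mark McDonnell"
ESCAPED_DN = "emailAddress=mark@integralist.com,CN=McDonnell\\, Mark"
TWO_EMAILS = "/CN=Mark McDonnell/emailAddress=a@example.com/emailAddress=mark@integralist.com"

if __FILE__ == $PROGRAM_NAME
  [LEGACY_DN, RFC2253_DN, ESCAPED_DN, TWO_EMAILS, nil].each do |dn|
    env = { "HTTP_X_CLIENTCERT_DN" => dn }
    puts "#{dn.inspect} -> #{client_identity(env).inspect} authorized=#{authorized?(env)}"
  end
end
```

In a Sinatra route the same `env` hash is available as `request.env`, so `authorized?(request.env)` can gate the handler.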
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/certs/setup-certs.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# Create the CA Key and Certificate for signing Client Certs
# Just enter `pass` for the passphrase (doesn't matter as this isn't something you'd use in production)
# For the ca.crt generation I pretty much entered . (which means 'no value') for all details
# Only exception was the 'Common Name' field which I entered 'My Cool CA' (so I recognise it as the 'ca')
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Server Key, CSR, and Certificate
# Notice I don't specify -des3 as I don't want a passphrase
# For the CSR I pretty much entered . (which means 'no value') for all details
# Only exception was the 'Common Name' field which I entered 'Integralist' (so I recognise it as the 'server')
openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr

# We're self signing our own server cert here. This is a no-no in production.
# Just need to enter `pass` for the CA key access
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

# Create the Client Key and CSR
# Notice I don't specify -des3 as I don't want a passphrase
# I've made the key length 2048 instead of 4096 as a speed/perf compromise
# For the CSR I pretty much entered . (which means 'no value') for all details
# Only exception was the 'Common Name' field which I entered 'Mark McDonnell' (so I recognise it as the 'client')
# The other exception was the 'Email Address' field, as I want to parse out the email in my Ruby application
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Just need to enter `pass` for the CA key access
# The serial differs from the server cert's: serial numbers must be unique per issuing CA,
# otherwise revoking one certificate by serial (see ssl_crl) also revokes the other
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt

--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-nginx/certs/ca.crt:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-HTTP2/README.md:
--------------------------------------------------------------------------------
## Certificates

Run `sh setup-certs.sh`

The CA details entered should be something like...

```
Country Name: UK
Organization Name: TheCA
Common Name: The CA
Email Address: ca@theca.com
```

The CSR details entered should be something like...

```
Country Name: UK
Organization Name: Integralist
Common Name: integralist.com
Email Address: mark@integralist.com
```

Which should result in a certificate with:

```
subject=/C=UK/O=Integralist/CN=integralist.com/emailAddress=mark@integralist.com
```

## Building

- `docker build -t my-ruby-app ./docker-app`

## Running

Run the Ruby app:

```bash
docker run --name ruby-app -p 4567:4567 -d my-ruby-app
```

> Note: this will be accessible via http://<docker_ip>:4567/

Run nginx (using latest/standard nginx container):

```bash
docker run --name nginx-container \
  -v $(pwd)/docker-nginx/certs/server.crt:/etc/nginx/certs/server.crt \
  -v $(pwd)/docker-nginx/certs/server.key:/etc/nginx/certs/server.key \
  -v $(pwd)/docker-nginx/certs/ca.crt:/etc/nginx/certs/ca.crt \
  -v $(pwd)/docker-nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
  --link ruby-app:app \
  -p 60080:80 \
  -p 60443:443 \
  -d nginx
```

> Note: I switched to using explicit ports (`-p`) from dynamic ports (`-P`) because nginx needed access to the port for redirecting HTTP to HTTPS, but it seems A.) that didn't work and B.) there is no other easy solution (see https://github.com/docker/docker/issues/3778)

Curl the service endpoint:

```bash
export dev_ip=$(docker-machine ip dev)
export dev_pt=$(docker port nginx-container 443 | awk -F ':' '{ print $2 }')

curl --insecure https://$dev_ip:$dev_pt/app/
curl --insecure https://$dev_ip:$dev_pt/app/foo
```

## View in browser

There are two issues visiting the above service endpoint via the browser:

1. The domain doesn't match the certificate
2. The certificate isn't verified/trusted

The first problem we can solve locally by opening up `/etc/hosts` and adding `192.168.99.100 integralist.com` (the IP might be different for you, but that IP is effectively the result of running `docker-machine ip dev`). You can now access the service endpoint via `https://integralist.com:32772/app/foo`

The second problem is solved in `curl` by using the `--insecure` flag. In the browser you either ignore the 'warning' presented, OR you can add the certificate to your operating system's certificate keychain (so it knows the issuing CA is trusted).

## Debugging

```
docker exec -it nginx-container bash
```

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/CertificateManagement/openssl.cnf:
--------------------------------------------------------------------------------
#
# OpenSSL configuration file.
#

# Establish working directory.
dir = .

[ ca ]
default_ca = CA_default

[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_days = 365
default_md = sha256 # SHA-256; MD5 signatures are collision-prone and rejected by current OpenSSL defaults
default_crl_days = 30
preserve = no
email_in_dn = yes
nameopt = default_ca
certopt = default_ca
policy = policy_match
crl_dir = $dir/revoked
crlnumber = $crl_dir/crlnumber
crl_extensions = crl_ext
x509_extensions = usr_cert
copy_extensions = copy

[ policy_match ]
countryName = match # Must be the same as the CA
stateOrProvinceName = optional # not required
organizationName = optional # not required
organizationalUnitName = optional # not required
commonName = supplied # must be there, whatever it is
emailAddress = supplied # must be there, whatever it is

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
crlDistributionPoints = URI:http://www.yourdomain.com/ca/crl.pem # this should be updated to be unique to the CA

[ req ]
default_bits = 2048 # Size of keys
default_keyfile = key.pem # name of generated keys
default_md = sha256 # message digest algorithm (SHA-256; MD5 is not safe for signing requests or certificates)
string_mask = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
# Variable name                 Prompt string
#-------------------------      ----------------------------------
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress = Email Address
emailAddress_max = 40
localityName = Locality Name (city, district)
stateOrProvinceName = State or Province Name (full name)
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
commonName = Common Name (hostname, IP, or your name)
commonName_max = 64

# Default values for the above, for consistency and less typing.
# Variable name                 Value
#------------------------       ------------------------------
0.organizationName_default = My Company
localityName_default = My Town
stateOrProvinceName_default = State or Province
countryName_default = US

[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always

[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash

--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-nginx/certs/server.key:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/docker-nginx/certs/server.key:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Nginx-HTTP2/docker-nginx/certs/ca.key:
--------------------------------------------------------------------------------
vgQ9hj7CQoMSmXm158teyaE/3WZCOC//4ovU9myRsirNtFIyrX/z0I5WB4TDttuY 25 | oP7uQtevYDqaNyXcZfLTQzmOBu/P/gRJgLJWFUVJjP7PWkkSWek3YjILEhJAiReG 26 | 2gnaJliFe1AoMkpZYRw50EU42qMF+meBQcjo9oTbXJ6VKySZwYu3YW2PbmY13dAw 27 | 5AUl6lG444VwOtSZAg3kPx05nibMu7VZSFtxRbvhnxrU/EZbcNRTVx7J5sPEYl6J 28 | Ih1/LgATURcLwVwV8zwmzvIo0XdeOQ2EQe0pnqCGyR7RApLLiiN4Hi6RhKEKfTu9 29 | OFZKC7qf4t/ycbqAJcQ36l0KPlfApkGeiQRYgytqIRsfhtfdUNeivSe2wxfT3j95 30 | 7vNKpH0g6aZTgFHhFcADDdNWfVpMhLMiQUvB8Vgj4SAzqMSNX1sQXCRhp4vTfl2D 31 | Rxnuo0y9z9D/y5u1KtHNBzWMcoYrDWYiPjiAARcnoXPibVtkOYJSPUzp2GvVoqXM 32 | mch/VCwIJYYy7a39Fy+fctmZmChwrOsKI2sG7YUUVal1bvvslIfjcSDRmKeD+Afm 33 | ITvXq3LAgLZorfhjlyBAKqAtLj5sTcEKj8THUsp820BmocxQYZt/izkNU/E6TCjl 34 | xTX3XAXCLHrPqkAAgLBUoP29kh1+5vcJXjvKNRREDudWbXcPkOz7LvWmeVNZa0dN 35 | U4xMsYYioalSnLhboAfgHZEmwGScHzpm1v5npx8XM8a0Fu8KVbxhnx0k82IDtGlz 36 | 0KU8+IA3qY1gWZxFUiws/f6SfnM6Aai58lcAUkk7rGlgMaC2HIp0efy5qa41e4Fu 37 | ij29QrbZEpyvzZTdRD5vW2u2o4stSI6bvDEFbgvZhvtf5rDLAzq2561iFtNVqCDw 38 | UObXNf6ER5fPWrIrrAgm2kZOk5Cv9LrTeMqE4uz7q1Bvowizcrdu0egAmPF+tkCq 39 | omRvRc5d5D5GDmwdqoj7wmQcMLYpZ1m2KKoaYMUF3bA/VlNBookhsaWUmMIayTQd 40 | GRPklxmczKcE5jSS8qcRDeuFQ2R2q6uZlPG4TsIuo34PKvteoss40C8p33+BfrtB 41 | J4u86rXeYNeKcwyXHcfCVbM4KGAzTgp8JiTWF8KxMCWI6520IntweV5BEjpJhR8I 42 | TzuhQmuCOV0UAZZeNLzO+UavvY3dqOY0Rr2fmrIyppe44FN6J2uu1Ql+o8JOYy7p 43 | 3IaeMRTZ58uq0oCrBgJlHgEetxcVEbQhdVatQPORt3lW6CJwQ3twApn+spyTiQPv 44 | q85Hpn4yAEyBCoIuYCuaV7ySXSFeAMkZgeEtd+BorPKGwsZC+L2eRlKAQkOaUknZ 45 | 34GK8jvdyqMz/Lf4fJcXzOshNILOa1A3xIinHp0r7SI342+2FFqZ8HCRyfvyhQqP 46 | rVp1zQC3kVx56MM1LB5lEeTCMgsEuneRm8RdIZVDSO1wAj21Mqb0TzQ50waWI4EA 47 | VSuLpM26YxYoWQz0I7D+pPkJqbee8PZRl6JBetHyfXEs9jcEPMMpp1vDCSpBLqPu 48 | 35tLCoVjB25c3kE1fzaDjI0gk1Iny+ILAtz6WZ4O+VBS+GAZlfYOdwJQyDuVjzmq 49 | sFU0N2XiXz8QBZDzrPj2/AcGYzQjkrKL6FV+7QAFKn/Hwa5kMEEaL9BIn/vIyT/8 50 | zCuV4/2hoAbrXEXtWUhMhRT/a2Uc1ZqtEfBo49xezkml3SSLltc7nPc5pUi+vj9C 51 | UvvFghGW3+Z2bmi25Nk6fD8T2gBGN1haq0C5t5ebbwXDxCW0zEhsk+RuNVBk92KO 52 | 
nDvu/TwUtUdxzrbV/YLp8CQZpwYCjXmOU8DnU3Ok1a7yWGrR70gR+Xt66ybJK4Gd 53 | CGCy6HFMxDABUAfxU1WWrwA5+RNSMzS1+o8wWHzewwPYXw1JFE7fwrQsWA8CoWRq 54 | -----END RSA PRIVATE KEY----- 55 | -------------------------------------------------------------------------------- /Nginx-ClientCertAccess/docker-nginx/certs/ca.key: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | Proc-Type: 4,ENCRYPTED 3 | DEK-Info: DES-EDE3-CBC,BB4B268376960593 4 | 5 | M/V3O06oZjULFX+Wp20B3q7Fo4hTMZT+APuDXulaANCFm98NJRrZam1AdBzva0/g 6 | ssREhHKXHWeYD+vuq4cNJcGE316HYv+JtVbxWFD8Cq2FXBxiHRMTnKp3L2+iDFT+ 7 | yhB0QkVDDU0WMxWfTqrf9XM3/5wQ0QbsoHZe07avpg8afYyxwc1Vti8y+zp3Alx6 8 | R8sFM+0MhlSVe/DnrfflYTI643jUnyfZp4Dc++SNBIB7ht3OLNiz8vlfAVF68r0Y 9 | fjP5DQ8Hlf/OnOnX1xQitwlQAqCun27zumGFAtBFj3dmWgubLOSYwzxoUCaT81mA 10 | 9tuOHSwT+De3S33fQxXsnzHya6TvfFrBVBqDuxT0D4cEU4mnck8i7PRahAk9/MPt 11 | SlZ8KXIpazokmwuy7DkQDPPV7Ylq0ZK4OhUTKghXAL+6Z8PdhYW/msUxD/jST2nA 12 | MVF7HiKoG6pjG6eEhtUKC4ZHuwhe6djDcCmYVOoka93AnjohjBt5GBBMH9xZmJTC 13 | JfoTRoHZPIdO6jpS3YvLrzKyid9Bry1C9m95uSa7MEFKK7JNgOYy4v4lQk+1sykv 14 | qP5b5Hi28OlrziSPLJXwT4+3JPNHhxBGdz6/ay9zOWPA3qXgjXjXlgDtlA7LS9LW 15 | k3Sjboqnq+YlIpcjRV1+QgZOuzONhA61a0JVoYZKqGzYvgv7GPepCVW99L0iZ3VA 16 | ZYtZDv4uztAP1x6cnG+pSJ4qygvdvqTfmw4TUBHkaU+2wK8gKJzrGcmSpg/wfN4C 17 | ZvNl13dS0A3+WHATiETbRiPF4geTA//ntM27suhVlAtX8aWQ482nwLwensiVwAqq 18 | hrS34o+IJWk3jVGAAkqj8xD8HynIWVQ21IIVz7IjU1iaQGUNEbmpaYyeYBqM7WOh 19 | TfM2p9OwPirNOO4X/invG1xytapYGU94xiaofNs9oYVigqjPJoadsRDT0eM47Ltk 20 | nNPqtpb5/V7lEpakG8SrCIg94iV+yraXyh5amECNBC+ad6LTfl7Jntf/FsnJyZyI 21 | DFoLQ+yu4pSIkyOSiQtuMkSE6orSop1KuFJbYzp+MeQUwhDQ4n+GaLDBJN/8vlRb 22 | XWXn5ZlrIIPuR144mSMP1vq8uw+cClClB9yOGn90aPAD3wb0a7cSNIttSvYoY4sA 23 | iUU3gwyCPtraoY7QEKr4hYITyNGslCabLw0jX8Fp0m2NKaRBBvh2Xb5suAXurtvS 24 | H1tgyMNixViVZzSq5ilxfH3R42v0ozWMYxyuG3kxToG3OmNjP3ZUcr55IeYoFkoh 25 | 8vHJXB6zyiwLZA1MVSJkhR/0icNugrwUQN4bJpJqXsE1+xrwKVHdkGH13Di4d1ZI 26 | 
xp133TipWcy5ALEQKKr/P0gazd4f0rMzu7S3k5/h2bM60C0EdZYRlU3jyCTyt8KI 27 | TC4FIl42jxeNnXSYpu5D/3uPA9X4aEyR+SglsBUXiAfOKldfF3pPXR6XDIMfTdz/ 28 | SwVDL9rluWagKHZCMQACRi12SC4puGuGG3TSuLumortvUhZetayFS5UT22lIlfBf 29 | f9HE1KXayQPtart/M4ydqAaUjRlkKxaKI+COpKj9D0QGuBZcShw7sTf2vvOouw8N 30 | 3flSeD7thClUt5aySlIkVRdzDmwd7hqxeKEIN6JQrHwnrZOsuKCOhH4LToATBPHp 31 | +ESm/HmpRrEvTVBt0vVkpwP8JOv2V5gzHcM9LZacKEAdhrTZifqeXpe4FDZh+d2L 32 | 1mt9nUxJ/UhYyMrlBtliWU3cycv5gXmTdDOKFkLJUiaRRCJsX+1s62K6kj75BshS 33 | K09Zw+fWzIQhjGVX4zjAx03KX79axGs4kPfq7+LS4s/JAv7GFyeBwDwUKsVpLVSW 34 | pfutnej29GTfFkrZrO1HeEid7LXFvgNWED7LcovOldtaCS2ox5UHwtDf1i+KAd8Y 35 | FaPSOz0S03Pu3PG3eKJFuTeLA2F0mie75RNgXUiyCzw20n6GTmCjxGCRGsHt+2zR 36 | f7+8AgbMJ1PwEz5iuPnwu+NYDNEvxkZHqG565fC+jvksGpZaB6s0SlNXp8nnCY5C 37 | DhxHz8JwCRbIOcDBsVAU86R0WBJ8uhXE/TbaKRb5yFsBYnhqGj2EUZkNv6UHMPSs 38 | R8nAJlazBRsixcfZnEQpo0Ckxz5a7K/cG7sX/w/Prh8SFPMnwk5ifyDEL176w6uf 39 | 1U3Lkvv58l7W1DVNO4yrWlp1Km/8Znm76qbh3nLKvBVCFPA8QCLzqytSrK0SE49x 40 | eId8v28ckNfVOIlzqdlP8jDVid8XcntVu0Au+gd/Kqf0lHh7LqNNTau5Oqqmu6CT 41 | 3rG6u6EKUEkoQLZZdRwJ21scx7Fgj1qpBgbeXA5BDO2KmgMTT83CWoJeXA9M4mrK 42 | K7V6qq6KkvZ1MTvI+B2MMalpBG6bG31yCvOEbOMBtPrMb3FZnDpoOE4UrVAkiADx 43 | BmuoWjS3Va/nVrUSzCXA82ugR+IGVSyVFYQs3qLoX0tlFpT2/lw37qILiJvQv9o3 44 | XnacTX82n6hs5lYPYBsmlJoSKOUlLxC2aRMlwF2jkDHAvsHtP5YRm37SWoyPSyai 45 | R4ZcasZYvqBs1M3g74iIWVGpw6La3o6coYTETZubFOgZxU2Ucbwdnnd2cZpSDyMU 46 | tLTOfjyT0R0TOe3G/ba4UAX5YH5UnsnIEaoxEoP5IT/uqWknbr26eq1HNYMdZBRe 47 | ruFcefuVoImwnwiYuLl8Onx1spX+F8JNY2sXFKjYMuawnMS8H7NHeCuigPLHcYBR 48 | OV6r8Ni1KTQ4lP2JVwrNX89EcAPjlPdcplNTQ/g3iZCa5iS0hUMGvZufuAfWXUlw 49 | Qr2xjRou1r5mVIg8vYY5pPCEJlP0MVqa7GK4LINQF1KDXBzVTOZS2b0EornYVMjx 50 | u/up1MvyTzHIv4JUGq34T+CFB+0N+MaAs2qzSbJRNocI0ZxJR42O8Wz7pTpF1g6F 51 | FaOIR/L6gLH8Nd71QziWQ1Ex7TdpeLDKrTJiWSM4GON3rHTSgWoOU7ONeNkkxN5Y 52 | WqKGEcAPO38g0j92hULbl4OgV4E0pn9Wg0z7QSzjW0PWjvDdUESzSaleYbnqUEZY 53 | AuTRSTY6/KFeYLm4konO+DolLmxf8g+bdjUbYX/2KT62NQ95Y86Cr1OQoP7WXMx8 54 | -----END RSA PRIVATE KEY----- 55 | 
--------------------------------------------------------------------------------
/Nginx-ClientCertAccess/README.md:
--------------------------------------------------------------------------------
Make sure all the following commands are run from this project's root directory.

Build the Docker images:

```bash
docker build -t my-ruby-app ./docker-app
docker build -t my-nginx ./docker-nginx
```

Run the Docker containers:

```bash
docker run --name ruby-app -p 4567:4567 -d my-ruby-app
docker run --name nginx-container \
  -v $(pwd)/html:/usr/share/nginx/html:ro \
  -v $(pwd)/docker-nginx/certs:/etc/nginx/certs/ \
  -v $(pwd)/docker-nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
  --link ruby-app:app \
  -P -d my-nginx
```

Test the application is accessible via HTTPS:

> Note: `` can be found by running `docker ps`

```bash
# Should error as HTTP is used instead of HTTPS (nginx is set up to listen only on 443, not 80)
curl http://$(docker-machine ip dev):/

# Should error as the server's cert isn't trusted (i.e. it's self-signed)
curl https://$(docker-machine ip dev):/

# We can use --insecure to trust the self-signed certificate

# Should show an error as no client certificate is provided
curl --insecure https://$(docker-machine ip dev):/

# Define some local variables for the client cert location
client_key=$(pwd)/docker-nginx/certs/client.key
client_crt=$(pwd)/docker-nginx/certs/client.crt

# The following curl commands should work as the client cert and key are provided as flags
# Make sure to change to whatever Docker has exposed it as
curl --insecure --key $client_key --cert $client_crt https://$(docker-machine ip dev):/
curl --insecure --key $client_key --cert $client_crt https://$(docker-machine ip dev):/test.html
curl --insecure --key $client_key --cert $client_crt https://$(docker-machine ip dev):/app/
curl --insecure --key $client_key --cert $client_crt https://$(docker-machine ip dev):/app/foo

# Finally, let's test the client cert is being proxied through the HTTP request to the Ruby app:
curl --insecure --key $client_key --cert $client_crt https://$(docker-machine ip dev):/app/cert
```

If you get an error, such as:

```
curl: (58) SSL: Can't load the certificate "/path/to/docker-nginx/certs/client.crt" and its private key: OSStatus -25299
```

Then this is because the `curl` command on Mac OSX is fucked.

Use a Docker container instead, like so:

```bash
docker run \
  -it \
  -v $(pwd)/docker-nginx/certs:/var/cert \
  speg03/curl --insecure \
  --key /var/cert/client.key \
  --cert /var/cert/client.crt \
  https://$(docker-machine ip dev):$(docker port nginx-container 443 | awk -F ':' '{ print $2 }')/app/cert
```

You should see something like the following output by the Ruby application:

```
/CN=Mark McDonnell/emailAddress=mark@integralist.com
```

Now at this point you can parse your client certificate's CommonName (CN) however you like. In my application I just print it back out to the user, but in a real-world application you might want to use the details to present some nice personalised welcome message like "Hello Mark!" or whatever.

Either way, you can only access the Ruby application if you provide a cert/key that was signed by the self-signed CA that is specified in the nginx configuration.

If you were to try and provide a different cert/key (one that wasn't signed by the self-signed CA), then you'll see the following error response:

```html
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.4.6 (Ubuntu)</center>
</body>
</html>
```

Which is great. That is exactly what we want to see: denying access to our service unless properly authorised.
MIIDKTCCApKgAwIBAgIDEAACMA0GCSqGSIb3DQEBBAUAMF8xCzAJBgNVBAYTAlVL 56 | MRcwFQYDVQQKEw5JbnRlZ3JhbGlzdEx0ZDEUMBIGA1UEAxMLSW50ZWdyYWxpc3Qx 57 | ITAfBgkqhkiG9w0BCQEWEmNhQGludGVncmFsaXN0LmNvbTAeFw0xNTEwMDMxNDIz 58 | MDdaFw0xNjEwMDIxNDIzMDdaMEgxCzAJBgNVBAYTAlVLMRIwEAYDVQQDEwlUaGVD 59 | bGllbnQxJTAjBgkqhkiG9w0BCQEWFmNsaWVudEBpbnRlZ3JhbGlzdC5jb20wggEi 60 | MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvD/xFDKgV1UnCN49P12SX2zA2 61 | qazvxqQG/hGrMrUNFeBkuWm4DryFcwW6wHtY/uFl87Wq/WMXxJxifSc6nOhFReCn 62 | Nu7Ef9o0eBXWclh3YQfRxJFquLDnU75Y38pZ9OBwOtT61+zRUYKxpOyorZtKi0DG 63 | YcPuu25hUvgPoj8G0UxVxnDKOf90elIQ2pKZg2qTMhPuY7ejUxLqYHwHD8ughDzm 64 | m/aLWhf3VmDGywys/isN9vr41BTMZqeZ/XW3IYs8pKWwBhxu+X0iCGaEZ/iKROhC 65 | i9r0ejHsRA8EPcUw9PA/8RcWs/hcUwONhPstuy/2lQfEd77KAPpZ2YyOfK2JAgMB 66 | AAGjgYUwgYIwCQYDVR0TBAIwADAdBgNVHQ4EFgQUbfZxVDjaxTolJCz1N7qYcuTC 67 | HAkwHwYDVR0jBBgwFoAUQzp1QeGuRvBfrPQkajrb0TF+J2swNQYDVR0fBC4wLDAq 68 | oCigJoYkaHR0cDovL3d3dy55b3VyZG9tYWluLmNvbS9jYS9jcmwucGVtMA0GCSqG 69 | SIb3DQEBBAUAA4GBAAn4ZB+CobxXzrZmusxe8wQ+0IKWIK7QgC5xSVwBOEa/cUkk 70 | RD2IYynREpufu0mlRwqiEE1VkoQ3fO6WGBhrPWou5WVuyDiBEdKqxsgX9QsOs7RO 71 | rmxQEy7m0tlQ8jsmG6aUJlqmBiqnZQp9FV/lTtXwfRrnBwuwyCxjtUfYy2E4 72 | -----END CERTIFICATE----- 73 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Docker 2 | 3 | - [Introduction](#introduction) 4 | - [Exposing the Docker daemon](#exposing-the-docker-daemon) 5 | - [Help with Docker commands](#help-with-docker-commands) 6 | - [CMD vs ENTRYPOINT](#cmd-vs-entrypoint) 7 | - [Alternative CoreOS/Vagrantfile](#alternative-coreosvagrantfile) 8 | - [Example Docker Containers](#example-docker-containers) 9 | - [VMWare Provider](#vmware-provider) 10 | 11 | ## Introduction 12 | 13 | Getting Docker set-up on a non-Linux environment (such as a Mac) can be done in a few ways; below are a few popular options: 14 | 15 | 1. 
Use Docker's "Boot2Docker" VM (uses VirtualBox to set-up the VM) 16 | 2. Use a CoreOS VM via Vagrant (with some modifications, such as exposing a private ip) 17 | 18 | We're going to use the latter option. The host will attempt to connect directly to the VM's private ip (although, as we'll see in the next section, the Docker daemon needs to be exposed too for that to happen). 19 | 20 | ## Exposing the Docker daemon 21 | 22 | > UPDATE: the Vagrantfile executes a `provision.sh` which automates all of the below steps for you 23 | 24 | If you just do a `vagrant up` and try to run a Docker command (such as `docker ps`) then you'll get an error, like: `Cannot connect to the Docker daemon. Is 'docker -d' running on this host?`. 25 | 26 | For the host to be able to use the Docker CLI, the Docker daemon on CoreOS needs to be exposed via a TCP port (as we're setting an ip address to access the CLI like so: `export DOCKER_HOST=tcp://172.17.8.100:2375`). 27 | 28 | The following are the steps required to do this: 29 | 30 | Add `export DOCKER_HOST=tcp://172.17.8.100:2375` to your `.zshrc` (or `.bashrc`) configuration file (as per the private ip defined inside the CoreOS Vagrantfile). 
31 | 32 | Read: http://coreos.com/docs/launching-containers/building/customizing-docker/ but effectively the steps are: 33 | 34 | - `vagrant up` 35 | - `vagrant ssh` 36 | - `sudo touch /etc/systemd/system/docker-tcp.socket` 37 | - Add following content into above socket file: 38 | 39 | ``` 40 | [Unit] 41 | Description=Docker Socket for the API 42 | 43 | [Socket] 44 | ListenStream=2375 45 | Service=docker.service 46 | BindIPv6Only=both 47 | 48 | [Install] 49 | WantedBy=sockets.target 50 | ``` 51 | 52 | - `sudo systemctl enable docker-tcp.socket` 53 | - `sudo systemctl stop docker` 54 | - `sudo systemctl start docker-tcp.socket` 55 | - `sudo systemctl start docker` 56 | - `exit` 57 | - `docker ps` 58 | 59 | > Note: if you're using Ubuntu and not CoreOS then see https://github.com/Integralist/Linux-and-Docker-Development-Environment/blob/master/provision.sh#L49-L55 for example of exposing the Docker daemon ip 60 | 61 | ## Help with Docker commands 62 | 63 | - `docker help` lists all commands 64 | - `docker help [command]` lists all options for specified command 65 | 66 | ## CMD vs ENTRYPOINT 67 | 68 | http://stackoverflow.com/questions/21553353/what-is-the-difference-between-cmd-and-entrypoint-in-a-dockerfile 69 | 70 | Effectively, Docker has a default `ENTRYPOINT` which is `/bin/sh -c`. 71 | 72 | A typical Docker command will look like (where, for example `{COMMAND}` is `bash`): 73 | 74 | `docker run -i -t {IMAGE_NAME} {COMMAND}` 75 | 76 | e.g. `docker run -i -t MY_IMAGE bash` 77 | 78 | In the above example you're passing the command `bash` to the default `ENTRYPOINT` (`/bin/sh -c`) which would drop us into a Bash shell ready to execute some more commands within the Docker container. 79 | 80 | In the `Dockerfile` you can change the `ENTRYPOINT` to be something else, so you could change it to be the `cat` command instead of `sh` (e.g. `ENTRYPOINT ["/bin/cat"]`). 

If you did that for your Docker container then you could pass in a "command" to the container like so:

`docker run -i -t MY_IMAGE /etc/passwd` which would pass the command `/etc/passwd` to the `cat` command

> You can also override the ENTRYPOINT via the command-line using the `--entrypoint` flag:
`docker run --rm -it --entrypoint=/bin/bash my_image`

## Alternative CoreOS/Vagrantfile

The following is a simplified `Vagrantfile`. It's similar, minus the comments, and doesn't work around everything that the `Vagrantfile` within this repo caters for:

```rb
Vagrant.configure('2') do |config|
  config.vm.box = "coreos"
  config.vm.box_url = "http://storage.core-os.net/coreos/amd64-generic/dev-channel/coreos_production_vagrant.box"
  config.vm.network "private_network", ip: "172.17.8.100"
  config.vm.synced_folder ".", "/home/core/share",
    id: "core",
    :nfs => true,
    :mount_options => ['nolock,vers=3,udp']
end
```

## Example Docker Containers

This repository has basic Dockerfiles for both NodeJS and Ruby Sinatra applications. To build the containers please read the instructions for each container.

## VMWare Provider

If you're using VMWare as your provider (e.g. `vagrant up --provider=vmware_fusion`) then you might run into an issue mounting your folders into the CoreOS VM.

The error might look something like the following...

```
Bringing machine 'default' up with 'vmware_fusion' provider...
==> default: Cloning VMware VM: 'coreos-alpha'. This can take some time...
==> default: Checking if box 'coreos-alpha' is up to date...
==> default: Verifying vmnet devices are healthy...
==> default: Preparing network adapters...
==> default: Fixed port collision for 22 => 2222. Now on port 2200.
==> default: Starting the VMware VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 172.16.82.134:22
default: SSH username: core
default: SSH auth method: private key
==> default: Machine booted and ready!
==> default: Forwarding ports...
default: -- 22 => 2200
==> default: Setting hostname...
==> default: Configuring network adapters within the VM...
==> default: Exporting NFS shared folders...
==> default: Preparing to edit /etc/exports. Administrator privileges will be required...
==> default: Mounting NFS shared folders...
The following SSH command responded with a non-zero exit status.
Vagrant assumes that this means the command failed!

mount -o 'nolock,vers=3,udp' 172.17.8.1:'/Users/foobar/path/to/current/directory' /home/core/share

Stdout from the command:



Stderr from the command:

mount.nfs: access denied by server while mounting 172.17.8.1:/Users/foobar/path/to/current/directory
```

It turns out this might be an issue with CoreOS not assigning the private "host-only" network ip address properly: https://github.com/coreos/coreos-vagrant/issues/159#issuecomment-54267821

If you were to `vagrant ssh` onto the box and run `ifconfig` you would notice the ip address assigned is not the one requested in the `Vagrantfile`. But if you then checked the CoreOS network settings (run `cat /etc/systemd/network/50-vagrant1.network`) then you'll see that the ip address listed matches what is defined inside our `Vagrantfile`.

### Work around

To work around this issue (temporarily, until an official fix is found) I would suggest running through the following steps:

#### Host machine (i.e. your Mac)

- Run `sudo vim /etc/exports` and edit the relevant entry so that the ip address (the one that matches what's defined in the `Vagrantfile`) is removed -> this makes the mount available to all users
- Run `sudo nfsd restart`

#### CoreOS VM

- `sudo mount -o 'nolock,vers=3,udp' 172.17.8.1:'/Users/foo/path/to/directory' /home/core/share` (make sure to change `/Users/foo/path/to/directory` to your directory -> you can get this command out of the failed `vagrant up` output)
--------------------------------------------------------------------------------
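The `docker-tcp.socket` unit in "Exposing the Docker daemon" uses a bare `ListenStream=2375`, which systemd binds on every interface, and 2375 is the Docker API's plaintext, unauthenticated port. The script below is an added example, not part of this repository: it classifies each `ListenStream=` entry of a socket unit and fails when one is reachable on all interfaces. The `private.socket` variant bound to 172.17.8.100 and both sample file names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: report which addresses a systemd socket unit listens on.

# classify_listen VALUE: map one ListenStream= value to an exposure class.
classify_listen() {
  case "$1" in
    /*|@*)               echo unix-socket ;;       # filesystem or abstract AF_UNIX socket
    0.0.0.0:*|"[::]":*)  echo all-interfaces ;;    # explicit wildcard address
    127.*:*|"[::1]":*)   echo loopback ;;
    *[!0-9]*)            echo specific-address ;;  # address:port on one interface
    *)                   echo all-interfaces ;;    # bare port: wildcard bind
  esac
}

# audit_unit FILE: print "value<TAB>class" per entry and return 1 if any entry
# is reachable on every interface. An empty assignment resets earlier entries.
audit_unit() {
  exposed=0
  while IFS= read -r value; do
    if [ -z "$value" ]; then exposed=0; continue; fi
    class=$(classify_listen "$value")
    printf '%s\t%s\n' "$value" "$class"
    if [ "$class" = all-interfaces ]; then exposed=$((exposed + 1)); fi
  done <<EOF
$(sed -n 's/^[[:space:]]*ListenStream[[:space:]]*=[[:space:]]*//p' "$1")
EOF
  [ "$exposed" -eq 0 ]
}

# Constructed sample units: the [Socket] section from the README, and a variant
# bound to the VM's private ip (172.17.8.100, as set in the Vagrantfile).
sample_dir=$(mktemp -d)
cat > "$sample_dir/readme.socket" <<'EOF'
[Socket]
ListenStream=2375
Service=docker.service
BindIPv6Only=both
EOF
cat > "$sample_dir/private.socket" <<'EOF'
[Socket]
ListenStream=172.17.8.100:2375
Service=docker.service
EOF

audit_unit "$sample_dir/readme.socket"  || echo "readme.socket: Docker API reachable on every interface"
audit_unit "$sample_dir/private.socket" && echo "private.socket: bound to a single address"
```
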