
Commit 4369690

Merge pull request #142 from wso2/ayomawdb-patch-1
Enable Nginx and configure self-signed TLS for DT
2 parents aad0268 + 23daedf commit 4369690


1 file changed

+58
-2
lines changed


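--- a/internal/dependency-track/setup.sh
+++ b/internal/dependency-track/setup.sh
@@ -61,8 +61,7 @@ sudo ufw allow 'Nginx HTTP'
 sudo ufw allow 'Nginx HTTPS'
 sudo ufw allow 'Nginx Full'
 sudo ufw allow 'OpenSSH'
-# To be removed after Nginx setup is complete
-sudo ufw allow 8080/tcp
+sudo ufw deny 8080/tcp
 sudo ufw status verbose
 sudo ufw enable
 
@@ -171,4 +170,61 @@ REVOKE ALL PRIVILEGES ON dependency_track.* TO 'dependency-track'@'localhost';
 GRANT DELETE,UPDATE,SELECT,INSERT ON dependency_track.* TO 'dependency-track'@'localhost';
 FLUSH PRIVILEGES;
 
+# ---------------------------------------------------
+# Configure SSL Certs
+# ---------------------------------------------------
+
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
+openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
+
+# ---------------------------------------------------
+# Configure Nginx
+# ---------------------------------------------------
+
+cat <<END > /etc/nginx/sites-enabled/dt
+server {
+listen 80;
+listen [::]:80;
+
+server_name dt.private.wso2.com;
+
+return 301 https://dt.private.wso2.com$request_uri;
+}
+
+server {
+listen 443 ssl;
+
+server_name dt.private.wso2.com;
+
+client_max_body_size 50M;
+
+# RSA certificat
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 1d;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+location / {
+proxy_pass http://localhost:8080/;
+}
+}
+END
+
+nginx -s stop
+nginx
+
 exit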
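Review bot: The heredoc opened by `cat <<END > /etc/nginx/sites-enabled/dt` is unquoted, so the shell expands `$request_uri` in the `return 301` line to an empty string before nginx ever reads the file, and every HTTP request is redirected to the bare host rather than to the same path over HTTPS; quoting the delimiter, `cat <<'END' > /etc/nginx/sites-enabled/dt`, writes the variable literally. `ssl_stapling on;` and `ssl_stapling_verify on;` cannot do anything useful with the self-signed certificate generated a few lines earlier, since there is no issuing CA or OCSP responder to query, so nginx will only log a warning on every start; drop both lines until a CA-issued certificate replaces the self-signed one. The `openssl req -x509` invocation passes no `-subj`, so it will presumably stop and prompt for the subject fields, which breaks unattended runs of setup.sh; `-subj "/CN=dt.private.wso2.com"` (constructed from the server_name in this hunk) avoids that. Finally, `nginx -s stop` followed by a bare `nginx` leaves the host with no listener at all if the generated config fails to parse; `nginx -t && nginx -s reload` keeps the previous config serving when the new one is rejected.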
