- NGINX + PHP Demo
- NGINX `http_ssl_module`
- Relevant NGINX `http_ssl_module` variables and corresponding headers:
  - `ssl_client_verify`, `X-Client-Verify`, `SSL_CLIENT_VERIFY`
  - `ssl_client_s_dn`, `X-Client-S-Dn`, Subject
  - `ssl_client_i_dn`, `X-Client-I-Dn`, Issuer
  - `ssl_client_serial`, `X-Client-Serial`, Serial Number
  - `ssl_client_fingerprint`, `X-Client-Fingerprint`
  - `SSL_CLIENT_CERT` `ssl_client_raw_cert`
- SSL Script Rails, `OpenSSL::SSL::VERIFY_NONE`
- Mini tutorial for configuring client-side SSL certificates
- A Case for Native Smart Card Support in Browsers - "Now, signature is one thing, identification (TLS client auth) is another. Allegedly, things should work there – PKCS#11 is a standard that should allow TLS client auth to happen with a smart card. Reality is – it doesn’t. You often need a vendor-specific PKCS#11 library. OpenSC, which is a cool tool that works with many smart cards, only works with Firefox and Safari"
- OpenSC - Using Smart Cards with Applications
- Installing OpenSC PKCS#11 Module in Firefox, Step by Step
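
Install opensc:

```sh
brew install opensc
```

Detect if a card-reader is present:

```sh
opensc-tool -n

# List the public keys stored on the card
pkcs15-tool --list-public-keys
# Read the public key with ID 1
pkcs15-tool --read-public-key 1
# Read the certificate with ID 1 and print it in human-readable form
pkcs15-tool --read-certificate 1 | openssl x509 -noout -text
```
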
- Web Authentication W3 Working Draft
- Web Cryptography API W3 Recommendation
- Browser Support for Web Crypto
- Security Analysis of the W3C Web Cryptography API (NIST 2016)
- What’s wrong with in-browser cryptography? (2013) - "If ample precautions are taken (which includes a large laundry list of things like TLS, CSP, CORS, proper HTTP headers, JS strict mode, and more), this can allow for the successful development of cryptographic applications"
- Web Cryptography API Examples
- Introducing TLS with Client Authentication
- `cfssl` - "command line tool and an HTTP API server for signing, verifying, and bundling TLS certificates"
- MAX.gov Login - "Users with a working PIV or CAC card can associate their card with an existing MAX account. This provides 2-factor authentication that is more secure than a User ID and Password for accessing sensitive-but-unclassified (SBU) content setup to require MAX Secure+. To associate your PIV or CAC card you will need your MAX UserID and a working password. (Thereafter you will be able to login to MAX using just your PIV or CAC card and its built-in PIN number.)"

```sh
brew install nginx
######################################################################## 100.0%
==> Pouring nginx-1.13.9.sierra.bottle.tar.gz
==> Caveats
Docroot is: /usr/local/var/www
The default port has been set in /usr/local/etc/nginx/nginx.conf to 8080 so that
nginx can run without sudo.
nginx will load all files in /usr/local/etc/nginx/servers/.
To have launchd start nginx now and restart at login:
brew services start nginx
Or, if you don't want/need a background service you can just run:
nginx
==> Summary
🍺 /usr/local/Cellar/nginx/1.13.9: 23 files, 1.4MB
```

- Installing and configuring NGINX on Mac OS w/ homebrew:

Inspect the configuration file:

```sh
atom /usr/local/etc/nginx/nginx.conf
```

Start the server to test the installation:

```sh
brew services start nginx # then visit http://localhost:8080/ to find a welcome message
```

Stop the server, then make adjustments to the config file:

```sh
brew services stop nginx
```

- How HTTP Headers Get Passed from NGINX to Ruby App
- How to Deploy Rack App w/ NGINX - Passenger, Thin, Unicorn, etc.
- How to make Sinatra work over HTTPS / SSL
- Deploying a Ruby application on Passenger + Nginx
- Quickstart: Ruby + Phusion Passenger
- Passenger Ruby Bundle Support
- Ruby debugging console on Passenger + Nginx
- Thin (identity-idp uses this in development)
- Can I enable SSL in Sinatra with Thin?
- Deploying Sinatra on DigitalOcean with Nginx and Thin
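
The `X-Client-*` headers listed earlier reach a Rack application as `HTTP_X_CLIENT_*` env keys. The following is an added example, not code from this project, that accepts an identity only when `X-Client-Verify` is exactly `SUCCESS`; the names `client_cert_identity`, `RequireClientCert` and `client_cert.identity`, the sample values, and NGINX setting the headers itself with `proxy_set_header` are assumptions.

```ruby
# Added example. Assumes NGINX sets every X-Client-* header with proxy_set_header
# from the matching $ssl_client_* variable, overwriting any client-sent copy.

# Rack exposes a request header such as X-Client-Verify as HTTP_X_CLIENT_VERIFY.
CLIENT_CERT_HEADERS = {
  verify: "HTTP_X_CLIENT_VERIFY", subject: "HTTP_X_CLIENT_S_DN",
  issuer: "HTTP_X_CLIENT_I_DN", serial: "HTTP_X_CLIENT_SERIAL",
  fingerprint: "HTTP_X_CLIENT_FINGERPRINT"
}.freeze

# Returns the verified certificate's fields, or nil when NGINX did not report
# a successful verification (hypothetical helper name).
def client_cert_identity(env)
  fields = CLIENT_CERT_HEADERS.transform_values { |key| env[key].to_s.strip }
  # $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE".
  return nil unless fields[:verify] == "SUCCESS"
  # $ssl_client_fingerprint is the SHA-1 of the certificate: 40 hex digits.
  return nil unless fields[:fingerprint].match?(/\A\h{40}\z/)
  # The subject DN is comma-separated (RFC 2253 style); a comma inside a
  # value arrives backslash-escaped, so skip escaped characters while scanning.
  cn = fields[:subject][/(?:\A|,)CN=((?:\\.|[^,\\])*)/, 1]
  return nil if cn.nil? || cn.empty?
  fields.merge(common_name: cn.gsub(/\\(.)/, '\1'),
               fingerprint: fields[:fingerprint].downcase)
end

# Rack middleware (hypothetical name): reject requests without a verified cert.
class RequireClientCert
  def initialize(app)
    @app = app
  end
  def call(env)
    identity = client_cert_identity(env)
    unless identity
      return [403, { "content-type" => "text/plain" }, ["client certificate required\n"]]
    end
    env["client_cert.identity"] = identity # hypothetical env key
    @app.call(env)
  end
end

# Constructed sample of the Rack env for one request (values are made up).
SAMPLE_ENV = {
  "HTTP_X_CLIENT_VERIFY" => "SUCCESS",
  "HTTP_X_CLIENT_S_DN" => 'CN=Doe\, Jane,OU=People,O=Example Agency,C=US',
  "HTTP_X_CLIENT_I_DN" => "CN=Example Issuing CA,O=Example Agency,C=US",
  "HTTP_X_CLIENT_SERIAL" => "0A1B2C",
  "HTTP_X_CLIENT_FINGERPRINT" => "0123456789abcdef0123456789abcdef01234567"
}.freeze
```

In a `config.ru` this would be mounted with `use RequireClientCert` ahead of the application.
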

```sh
brew tap cloudfoundry/tap
brew install cf-cli
```

Logging in:

```sh
cf login -a api.fr.cloud.gov --sso
```

Verify target space:

```sh
cf target
```

Deploy from any branch (git-unaware):

```sh
cf push card-reader-web-client # then visit https://card-reader-web-client.app.cloud.gov/
```

Checking logs:

```sh
cf logs card-reader-web-client --recent
```

- Cloud Foundry Nginx Buildpack (deprecated)
- Cloud Foundry Staticfile Buildpack (supersedes Nginx Buildpack)
- Staticfile Docs - will detect an `nginx.conf` in the application's root directory

Icons made by Kirill Kazachek from www.flaticon.com licensed under Creative Commons BY 3.0