From 083e10171368a6c884b5879bf2ccbe5ca187bcab Mon Sep 17 00:00:00 2001
From: Nicolas Arenas
Date: Mon, 19 May 2025 14:12:24 +0200
Subject: [PATCH] Configure mtls as server for ogboot

---
 debian/ogboot.dirs | 1 +
 etc/nginxServer.conf.tmpl | 66 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git a/debian/ogboot.dirs b/debian/ogboot.dirs
index 2a36bb8..dd011f6 100644
--- a/debian/ogboot.dirs
+++ b/debian/ogboot.dirs
@@ -1,3 +1,4 @@
 /opt/opengnsys/ogboot/client_log
 /opt/opengnsys/ogboot/mnt
 /opt/opengnsys/ogboot/tftpboot
+/opt/opengnsys/ogboot/etc/certificates
diff --git a/etc/nginxServer.conf.tmpl b/etc/nginxServer.conf.tmpl
index 3523612..9ff17ad 100644
--- a/etc/nginxServer.conf.tmpl
+++ b/etc/nginxServer.conf.tmpl
@@ -55,3 +55,69 @@ server {
 access_log /var/log/nginx/tftpboot_access.log;
 }
 }
+
+server {
+ listen 8085 ssl;
+ server_name __SERVERIP__ localhost;
+
+ # RaĆ­z del documento para el proyecto Symfony
+ root __ROOT__/public;
+
+ # Certificados SSL
+ ssl_certificate /opt/opengnsys/ogboot/etc/certificates/ogboot.crt;
+ ssl_certificate_key /opt/opengnsys/ogboot/etc/certificates/ogboot.key;
+
+ # CA para validar clientes
+ ssl_client_certificate /opt/opengnsys/ogboot/etc/certificates/ca.crt;
+ ssl_verify_client on;
+
+ # Bloque para manejar las solicitudes a /ogboot
+ location /ogboot {
+ try_files $uri $uri/ /index.php?$query_string;
+
+ # Aumentar el tiempo de espera por el install oglive
+ proxy_read_timeout 600;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ send_timeout 600;
+ }
+
+ # Bloque para manejar las solicitudes a index.php
+ location ~ ^/index.php(/|$) {
+ include fastcgi_params;
+ fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-ogboot.sock;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $fastcgi_path_info;
+ fastcgi_param DOCUMENT_ROOT $document_root;
+ internal;
+ }
+
+ # Bloque para devolver 404 en cualquier solicitud a archivos PHP que no sean index.php
+ location ~ \.php$ {
+ return 404;
+ }
+
+ # Logs de error y acceso para el proyecto Symfony
+ error_log /var/log/nginx/ogboot_ssl_error.log;
+ access_log /var/log/nginx/ogboot_ssl_access.log;
+
+ location /ogboot/api/doc {
+ try_files $uri /index.php?$query_string;
+ }
+
+ # Ruta base para servir archivos de TFTP
+ location /tftpboot {
+ alias __TFTPPATH__;
+ autoindex on;
+ try_files $uri $uri/ =404;
+
+ # Seguridad
+ location ~ \.php$ {
+ return 404;
+ }
+
+ error_log /var/log/nginx/tftpboot_ssl_error.log;
+ access_log /var/log/nginx/tftpboot_ssl_access.log;
+ }
+}
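Review bot: The new `server` block on 8085 requires a client certificate (`ssl_verify_client on;` checked against `ca.crt`) but gives nginx no way to reject a revoked client certificate and does not pin the protocol set, so a leaked client key can only be invalidated by rotating the CA and the accepted TLS versions fall back to whatever the installed nginx version defaults to. Next to `ssl_client_certificate` I would add `ssl_crl /opt/opengnsys/ogboot/etc/certificates/<CRL-FILE>;` (placeholder name; nginx needs the file to exist, so package an empty CRL until one is issued) and `ssl_protocols TLSv1.2 TLSv1.3;`. Separately, the `proxy_read_timeout`/`proxy_connect_timeout`/`proxy_send_timeout` lines inside `location /ogboot` are inert because nothing in this server block uses `proxy_pass` — the `try_files` fallback lands in the `index.php` location served by `fastcgi_pass`, whose limit is `fastcgi_read_timeout` (default 60s) — so only `send_timeout 600;` takes effect there; replace the three with `fastcgi_read_timeout 600;` in the `index.php` location, or drop them. The three context lines at the top of the hunk close a server block that begins outside it.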