Configure mtls as server for ogboot

2025-05-19 14:12:24 +02:00 · 2025-05-19 14:12:24 +02:00 · 083e101713
parent f0b2380044
commit 083e101713
2 changed files with 67 additions and 0 deletions
--- a/debian/ogboot.dirs
+++ b/debian/ogboot.dirs
@ -1,3 +1,4 @@
 /opt/opengnsys/ogboot/client_log
 /opt/opengnsys/ogboot/mnt
 /opt/opengnsys/ogboot/tftpboot
+/opt/opengnsys/ogboot/etc/certificates
--- a/etc/nginxServer.conf.tmpl
+++ b/etc/nginxServer.conf.tmpl
@ -55,3 +55,69 @@ server {
        access_log /var/log/nginx/tftpboot_access.log;
    }
 }
+
+server {
+    listen 8085 ssl;
+    server_name __SERVERIP__ localhost;
+
+    # Raíz del documento para el proyecto Symfony
+    root __ROOT__/public;
+
+    # Certificados SSL
+    ssl_certificate     /opt/opengnsys/ogboot/etc/certificates/ogboot.crt;
+    ssl_certificate_key /opt/opengnsys/ogboot/etc/certificates/ogboot.key;
+
+    # CA para validar clientes
+    ssl_client_certificate /opt/opengnsys/ogboot/etc/certificates/ca.crt;
+    ssl_verify_client on;
+
+    # Bloque para manejar las solicitudes a /ogboot
+    location /ogboot {
+        try_files $uri $uri/ /index.php?$query_string;
+
+        # Aumentar el tiempo de espera por el install oglive
+        proxy_read_timeout 600;
+        proxy_connect_timeout 600;
+        proxy_send_timeout 600;
+        send_timeout 600;
+    }
+
+    # Bloque para manejar las solicitudes a index.php
+    location ~ ^/index.php(/|$) {
+        include fastcgi_params;
+        fastcgi_pass unix:/run/php/php__PHPVERSION__-fpm-ogboot.sock;
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+        fastcgi_param DOCUMENT_ROOT $document_root;
+        internal;
+    }
+
+    # Bloque para devolver 404 en cualquier solicitud a archivos PHP que no sean index.php
+    location ~ \.php$ {
+        return 404;
+    }
+
+    # Logs de error y acceso para el proyecto Symfony
+    error_log /var/log/nginx/ogboot_ssl_error.log;
+    access_log /var/log/nginx/ogboot_ssl_access.log;
+
+    location /ogboot/api/doc {
+        try_files $uri /index.php?$query_string;
+    }
+
+    # Ruta base para servir archivos de TFTP
+    location /tftpboot {
+        alias __TFTPPATH__;
+        autoindex on;
+        try_files $uri $uri/ =404;
+
+        # Seguridad
+        location ~ \.php$ {
+            return 404;
+        }
+
+        error_log /var/log/nginx/tftpboot_ssl_error.log;
+        access_log /var/log/nginx/tftpboot_ssl_access.log;
+    }
+}