diff --git a/etc/certificates/ca.crt b/etc/certificates/ca.crt new file mode 100644 index 0000000..a5e78ba --- /dev/null +++ b/etc/certificates/ca.crt 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFrzCCA5egAwIBAgIUPmq2FSZvV2NBGIIxx5729SJN0FQwDQYJKoZIhvcNAQEL +BQAwZzELMAkGA1UEBhMCRVMxDzANBgNVBAgMBk1hZHJpZDEPMA0GA1UEBwwGTWFk +cmlkMRIwEAYDVQQKDAlPcGVuZ25zeXMxCzAJBgNVBAsMAkNBMRUwEwYDVQQDDAxv +cGVuZ25zeXMtY2EwHhcNMjUwNTE2MDgzNjM4WhcNMzUwNTE0MDgzNjM4WjBnMQsw +CQYDVQQGEwJFUzEPMA0GA1UECAwGTWFkcmlkMQ8wDQYDVQQHDAZNYWRyaWQxEjAQ +BgNVBAoMCU9wZW5nbnN5czELMAkGA1UECwwCQ0ExFTATBgNVBAMMDG9wZW5nbnN5 +cy1jYTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANSAiJFAU7wV6hYb +PKmjjuNFp07ITJC0vThRegIXcadAw9cblgYtD6e4KYT8LzrRpZDAazAWLSAY72W8 +i8/wWYcVIMDhtbhKy+pLFL0Z1LJpV6s6ged0wB5wQ37g1RDWeydrY9mEOr0LSC8X +7ye7mTqtSxECglloRJw5p/9Z5yDZf2t1U6+e3WfZqKLZl9IXBb5cdR9mxUAf23/T +ciAfTBNgltJ3noQERtjHZqxb9jrqpwaKhnZoGw4fb0poI9OQXitOzoR/b8ADMfUK +KJ/d9iyq9h6gv4GPEJlDJK89vQlBhJAy8tHR6Qjd0nG+Be6moCndBqiHLAehMxkq +8JS+bUOsAxq4XSsis5XQHOm/xZ4jlkerNQeeK+b0EDESjdNkKJXVy235FFJbCwGq +IR8fdYUJenhqsHOd7WEjm5HfYo41mPG3002Wxs8oN1oNbqIzR/fxTGHWJKXX0LVt +ZKg3s7h0MfmxMIJ5kHsh9wTO4qMIADmWPj5iCIXS15eAU3WJd4yYxTfcu1wwLBuv +ATtZXLc/LI56PAvU1kXgdIT+OeBctVuBxKy11vrb82LF7WUZI3cP3MoRbGOLnc93 +u8pMu59l+l7pA7wjGJHSyt/H5f52ZHdbz/BMSY96/ETgAUHERM9cMoN+AGrI4Yf8 +8ZiuiAkSmukAShOfa05P8zqcXXjZAgMBAAGjUzBRMB0GA1UdDgQWBBTTPskAqxZM +a7z7DBkb4MCspW7/bzAfBgNVHSMEGDAWgBTTPskAqxZMa7z7DBkb4MCspW7/bzAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQC+PQBDayFqVA0BAupP +1ksZW3rXCIPIqSqbOG8BsgnOJXt+7Isql06/3LFEdaztjAptSEqX2K7Q7Ov4ZOF5 ++lF2pSuIJwsVbzFbmrejkSZScQmXzAvQmNwMcWjpplhe0DG6hYdLek6IOo7BP2mG +12l1mZbIkgmMbRK7Up6rQ5c9/PmcTqN5RXe3CEWPpBs5FEoD++k6wtYrZlaTCB2s +P6taQuN1waO3jfu8KApQlcVEmlxaosrJSu8tBAE/zN9GwpR3WsdrD2iUB2d+g2rB +RZ1P+DRnwpfIn7SEWUAezGW05Qu2gyfoZkiQ97zOYBXYCYwoNFVFtHnaRLO58cjz +QR8+CLjs9svsrNXw+1rvUJoYyzh0vEBc+SUxKQ/7EGN6m9P7iod936Eqy6ztvUSV +LdHxv8g0FOlmlLW1Afmiu2NopVsZqxOm1oZdurt7tYcNncu5AYwFmlP/iyDMmJBI +hIUHmEUf0+v0K52H/ziIFovI7MVmY1RHlL5DABH+MiM6MmSl0NtW5DbEWEZN1vZI +d3J6hsL/7o2wDYkLYkTolrBHbmvN5hoFu+b/YBAmrikJ027Lw1H04PvyW+PV1+DI 
+4uTQ0NEMLhYBBY0ucg1iw6wsEbHhJwmMmen8/b18ZBytRyTzuKCyD6g6iLMEoDNG +KOH0n1CGLevamLAYrLTwfXBTYQ== +-----END CERTIFICATE----- diff --git a/etc/certificates/ogcore.crt b/etc/certificates/ogcore.crt new file mode 100644 index 0000000..fc77390 --- /dev/null +++ b/etc/certificates/ogcore.crt 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFDjCCAvagAwIBAgIUEcS4b1cHsVkFGWqjVqHPrYkFl0owDQYJKoZIhvcNAQEL +BQAwZzELMAkGA1UEBhMCRVMxDzANBgNVBAgMBk1hZHJpZDEPMA0GA1UEBwwGTWFk +cmlkMRIwEAYDVQQKDAlPcGVuZ25zeXMxCzAJBgNVBAsMAkNBMRUwEwYDVQQDDAxv +cGVuZ25zeXMtY2EwHhcNMjUwNTE2MDkxMzA4WhcNMjcwODE5MDkxMzA4WjBrMQsw +CQYDVQQGEwJFUzEPMA0GA1UECAwGTWFkcmlkMQ8wDQYDVQQHDAZNYWRyaWQxEjAQ +BgNVBAoMCU9wZW5nbnN5czEPMA0GA1UECwwGb2djb3JlMRUwEwYDVQQDDAxvZ2Nv +cmUubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEtWnQU4vW +sNwy9jDP9ZGRMFB46xg7aXAU4KJwAlIMdth0y7TPhrPNgQOyO/fVF/qXYOAmRxuJ +8sDjWhxSXXG1ox36yB+UjJOPf9uFBKx+jIygn77A+7nhbh423YtfetwzLKloE1MD +BnRUSDqhohhVp98TY7kTPdckR6vZCcrzg5nijf/Nbde9NdMDl+iFpXggWS+GpP0L +pnQhdUEWaBLupIOFFdf1C7O4/DRNs8v3+S+OWNfqZ12xmiwVGmZGywELZ/jSAZBc +4VgeWMUekw1gbDZ3HV0FzC9L5RiR5ofyUH1O4LMfAgEQfr9wMwMBqmx49PuQLOLd +S/iaA83b7GBFAgMBAAGjga0wgaowHwYDVR0jBBgwFoAU0z7JAKsWTGu8+wwZG+DA +rKVu/28wCQYDVR0TBAIwADALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUH +AwEGCCsGAQUFBwMCMDEGA1UdEQQqMCiCDG9nY29yZS5sb2NhbIISb3Blbmduc3lz +Lm5hdGkuY29thwTAqAEsMB0GA1UdDgQWBBQWnCzjmnQSBYG09VTAY8sAxRolGTAN +BgkqhkiG9w0BAQsFAAOCAgEAL8DL4gy2hAL30n0OX3VncLTCLw8C08LxoghfFNK5 +LThTLdo/SlC99fWSPayyKNCIpZHQbNsVlgGyizOagvly1BaxUA070uwSg8H7IhPA +Pbf+MCj+QnYV6HvmkPhML87Qin4yiV2QOMC7WiEk9nFcjoRU8nDXjtShsw1zCer8 +ow+Y0lsJ1RceIgtMgzIQnDJ5cnr+BL6EdzMOWu9UZv39nG3zkHVv4RxvgNckXyVQ +iqGiw6ZpII+M9IPcbaVLfnXWomnDRRXjs5BL/HkapTLrMw3VSjNR0Via9iXX6bft +PXolS3ifCRwtFFm7NfaEs915vZXgGIU8Lzeve3V4udK3vQhBJsXzFRvhfAD7+vIm +xg79N5DBi/KkRsIQ3xqgKv0FXrlJkcRBr//OBKl1QpypY+y+3FiqqntWHS19dCZW +V9A2snjG6NxoC2BQOwqM3j3mT1jEURoQ9p+Q/h8ibL1JltM32CUZkvC/BGCU/uan +WRefWBWd1iwVgi4ylxxW80BLG7pdgnaBsAcvWD073o8eGHle0aYJ0knUkxYilyD4 +jq9I5IPb0Vo3QUTDZAoKl3puDo0MSpznPw2fribLsjVD2GFT6I37wcvzH86dj8aT +y5nqKbFUihcS9Pupf5GNRU+4By+vFx+AcMqoybUWgyJiBtmGAhVg7jw4QGwbw4z2 +nWE= +-----END CERTIFICATE----- diff --git a/etc/certificates/ogcore.ext b/etc/certificates/ogcore.ext new file mode 100644 index 0000000..8f3db25 --- /dev/null 
+++ b/etc/certificates/ogcore.ext
@@ -0,0 +1,10 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = ogcore.local
+DNS.2 = opengnsys.nati.com
+IP.1 = 192.168.1.44
diff --git a/etc/certificates/ogcore.key b/etc/certificates/ogcore.key
new file mode 100644
index 0000000..2db8b0b
--- /dev/null
+++ b/etc/certificates/ogcore.key
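Review bot: `extendedKeyUsage = serverAuth, clientAuth` makes the server certificate also usable as a TLS client certificate, and since ogcore.crt appears to be issued by the same `opengnsys-ca` that the new 8444 vhost trusts in `ssl_client_certificate`, the ogcore.key/ogcore.crt pair committed in this change would itself pass `ssl_verify_client` as a client identity. Unless the ogcore service must present this certificate to other mTLS peers, restrict it to `extendedKeyUsage = serverAuth` so server and client identities come from distinct certificates. The SAN list (`ogcore.local`, `opengnsys.nati.com`, `192.168.1.44`) looks like one developer's environment; it would be safer to render this file from installer variables than to fix these names and a private IP in the repository.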
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDEtWnQU4vWsNwy +9jDP9ZGRMFB46xg7aXAU4KJwAlIMdth0y7TPhrPNgQOyO/fVF/qXYOAmRxuJ8sDj +WhxSXXG1ox36yB+UjJOPf9uFBKx+jIygn77A+7nhbh423YtfetwzLKloE1MDBnRU +SDqhohhVp98TY7kTPdckR6vZCcrzg5nijf/Nbde9NdMDl+iFpXggWS+GpP0LpnQh +dUEWaBLupIOFFdf1C7O4/DRNs8v3+S+OWNfqZ12xmiwVGmZGywELZ/jSAZBc4Vge +WMUekw1gbDZ3HV0FzC9L5RiR5ofyUH1O4LMfAgEQfr9wMwMBqmx49PuQLOLdS/ia +A83b7GBFAgMBAAECggEAHRnXkyXhALx+fx2T4Bgs1mVm6lSha5ywI66N6XM2bzif +0juWvsLnU8Y75UDg68oV3RJMZu1LIi/jIF9i5D6FxYDhvQmhPmlDpU2djMLBwCEL +5vFrF4LGH5caajSBW3lCHWIEl+yP8dkhGZzr66Ce6AEjS+uLZFDYRLpDrqK3vymc +v82ixmQO2QlxfrOmumYAKV7s3JSQbn7nQmHWJE5ttybEtIwSmPECeO7orjhNRiDT +LDJdqcgaRcdiFgALhZVA0sueGPnflkI00Kv5kW2+dgAp/rAzgsjLMXuyqT0jeJwT +dy6EUsetc3aEthLBwsltqH5CMaYMCJQ7ycKgIJSVCwKBgQD3w4CLC3Dgp1YrnbTL +YAAkvs10cn41vM8zG12kAJXlGAGzQ9X0pLHk5arkIUAMddUlJ9VD1Jm8qSUyfkrs +tJcwVeNLw3R6G9lFhzk32pb9gKKCMuDzFY4IsDafyqI9e624p1A7s/QUKpnw+cFu +Bz24XNx1I/QrRzQ2lm3K2axHEwKBgQDLP21Jj2OoQPhySFLzKdMl9NM2pjhqhdF9 +vtaovSQtFXOX/imxCk+17ZD7wbODj1cVtsf38PMOJpRs+ki4sx71ZWj7JOqEDTS4 +R1X9k9k2Lg8sV7eLKxN4JkrOWv0+0A09hnelhmHscgiolW37cBNrfNQ9ST47Eyy5 +5RrXDcvuRwKBgFRPLYWjHgUETDlJUAVIpKPcXZN7hmEI38T3UfUF0fwEIEf9FGhM +RtCqKm24ts/GpQIgvNx5Ett0/1hgS2SiyzPCdjcIyrDmmxeivSC5fFnFFQeTAqMV +OaDRPbVAQdcEKAhGvvGh+bOHD51Fj8G+Kw16Y/ZkhqjXcPgGVlQJoCsLAoGBAI5A +hVAf4MNJPdpWzl/MnTEKqq2sJv4/TMFyyTDuuJwpUG9H/4weyG1vqbLa/raMo4na +FRlu9d6ol+eyQSWskHV2lcR5MP5dc9Gqc//38+Yc1JfXiOoJqyXDv0Wwn2DQIwQ1 +0hXy+SSRJ4g+leyOo7judGm0kq6sG/i75k4wJNRPAoGAXtCh5qLEBgPp3iqBXk57 +q5Fq+kbsMZg7/YR4waKFL2pkAcWUwIpaKrxbw7/Ow2+9ZUXOygVn6Kar3I9ZfOzb +ayxtgUZOOHzvhl9OPiq8ny00nQgojYeFfaIdohDiqEnEWCEeX6NWJ/5O+gZjFkMX +4FV55ziMfHV4RE0S6JuvexA= +-----END PRIVATE KEY----- diff --git a/etc/nginx/sites-available/ogcore.conf b/etc/nginx/sites-available/ogcore.conf index 031ae72..7c1a07c 100644 --- a/etc/nginx/sites-available/ogcore.conf +++ b/etc/nginx/sites-available/ogcore.conf 
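Review bot: `etc/certificates/ogcore.key` is an unencrypted private key (`-----BEGIN PRIVATE KEY-----`) added to version control with mode 100644, and the nginx hunks in this same change point both the existing 443 vhost and the new 8444 vhost at it, so anyone with read access to the repository can impersonate the ogcore endpoint. Key material should not be committed: generate the pair at install/deploy time or deliver it through the deployment's secret store, and add `etc/certificates/*.key` to `.gitignore`. This key must be treated as compromised from now on — rotate it before the matching certificate is deployed anywhere, and note that removing the file in a later commit still leaves it recoverable from history.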
@@ -4,8 +4,8 @@ server {
 root /opt/opengnsys/ogcore/api/public/;
 index index.html index.php;
- ssl_certificate /opt/opengnsys/ogcore/etc/nginx/certs/ogcore.uds-test.net.crt.pem;
- ssl_certificate_key /opt/opengnsys/ogcore/etc/nginx/certs/ogcore.uds-test.net.key.pem;
+ ssl_certificate /opt/opengnsys/ogcore/etc/certificates/ogcore.crt;
+ ssl_certificate_key /opt/opengnsys/ogcore/etc/certificates/ogcore.key;
 location /opengnsys/rest/ous// {
 rewrite ^/opengnsys/rest/ous//([0-9]+)/images /opengnsys/rest/ous/$1/images;
@@ -34,3 +34,93 @@ server {
 error_log /var/log/nginx/ogcore-error.log;
 access_log /var/log/nginx/ogcore-access.log;
 }
+
+
+server {
+ listen 8444 ssl;
+ server_name _;
+
+ root /opt/opengnsys/ogcore/api/public/;
+ index index.html index.php;
+
+ # Certificados del servidor
+ ssl_certificate /opt/opengnsys/ogcore/etc/certificates/ogcore.crt;
+ ssl_certificate_key /opt/opengnsys/ogcore/etc/certificates/ogcore.key;
+
+ # CA para validar cliente (opcional)
+ ssl_client_certificate /opt/opengnsys/ogcore/etc/certificates/ca.crt;
+ ssl_verify_client optional;
+
+ # ================================
+ # 1. RUTA ABIERTA: /auth/login
+ # ================================
+ location = /auth/login {
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ # ============================================
+ # 2. RUTA ABIERTA: / (documentación Swagger)
+ # ============================================
+ location = / {
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ # ==================================================
+ # 3. VALIDACIÓN DE ACCESO: Certificado o Bearer token
+ # ==================================================
+ location = /check-auth {
+ internal;
+ proxy_pass http://127.0.0.1:5001/validate;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ proxy_set_header SSL_CLIENT_VERIFY $ssl_client_verify;
+ proxy_set_header Authorization $http_authorization;
+ }
+
+ # ============================================
+ # 4. TODAS LAS DEMÁS RUTAS → AUTENTICACIÓN
+ # ============================================
+ location / {
+ # Permitir preflight sin autenticación
+ if ($request_method = OPTIONS ) {
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
+ add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
+ add_header 'Access-Control-Max-Age' 3600;
+ return 204;
+ }
+
+ # Para el resto de métodos, aplicar autenticación
+ auth_request /check-auth;
+
+ # Añadir headers CORS en respuestas reales también
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE, PATCH' always;
+ add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
+
+ try_files $uri $uri/ /index.php?$args;
+ }
+
+ location ^~ /bundles/apiplatform/ {
+ try_files $uri $uri/ =404;
+ }
+
+ # ============================================
+ # 5. PHP HANDLER
+ # ============================================
+ location ~ \.php$ {
+ include fastcgi_params;
+ fastcgi_pass unix:/var/run/php/php8.3-fpm-ogcore.sock;
+ fastcgi_split_path_info ^(.+\.php)(/.*)$;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $request_uri;
+ fastcgi_param PATH_TRANSLATED $document_root$fastcgi_script_name;
+
+ # Pasa info TLS y token a PHP
+ fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
+ fastcgi_param Authorization $http_authorization;
+ }
+
+ error_log /var/log/nginx/ogcore-error.log;
+ access_log /var/log/nginx/ogcore-access.log;
+}
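Review bot: `location ~ \.php$` carries no `auth_request`, and a regex location takes precedence over the prefix `location /`, so any request whose URI itself ends in `.php` (a direct `/index.php?...`, or something like `/index.php/ous/1.php`, which `fastcgi_split_path_info` maps back to the front controller) reaches PHP-FPM without ever passing through `/check-auth` — only URIs that first land in `location /` and are then internally redirected by `try_files` are checked; whether the framework then serves a protected route for such a URI is not visible here, but nginx should not depend on it. Adding `internal;` as the first directive of the PHP location closes this gap, since `/`, `/auth/login` and everything under `location /` already reach `/index.php` only via internal redirect. Because `include fastcgi_params` also forwards a client-supplied `SSL-Client-Verify` header as `HTTP_SSL_CLIENT_VERIFY`, the PHP side must read only the explicit `SSL_CLIENT_VERIFY` param set here, never the `HTTP_`-prefixed one. The validator on 127.0.0.1:5001 is told only whether a certificate verified, not which one (`$ssl_client_s_dn` / `$ssl_client_escaped_cert` are not forwarded), so it cannot make identity-based decisions, and with no `ssl_crl` a certificate issued by ca.crt cannot be revoked once it exists.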