From 801110811681499cf04b464c44a8695b500bd798 Mon Sep 17 00:00:00 2001
From: Brian McCullough
Date: Wed, 18 Sep 2024 03:14:29 +0200
Subject: [PATCH] Modified NGINX configuration after further testing.
---
 INSTALL.txt | 16 +++++-----
 misc/reverse-proxy.conf | 68 ++---------------------------------------
 2 files changed, 12 insertions(+), 72 deletions(-)
diff --git a/INSTALL.txt b/INSTALL.txt
index fecced1..2cbb93f 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -32,6 +32,8 @@ As Root:
 cmd: su - postgres
 cmd: createuser -s -d -e -r -P ( Pwd: )
 cmd: createdb oidc_db -O
 cmd: psql oidc_db < oidc_db_v2.sql
+Note: There will be a series of 8 error messages followed by CREATE and ALTER statements. This is normal due to the format of the dump.
+Ctrl-D Ctrl-D
 cmd: cd ..
@@ -69,9 +71,7 @@ Continue by:
 cmd: ansible-playbook -K 01_install_cacert_oidc.yml
 Answer the password question for your "normal" user.
-cmd: cd ../..
-
-As Root: cmd: certbot --nginx -d -d -d
+cmd: cd ../../oidc-registration-php
 Edit misc/reverse-proxy.conf and change "" to the correct value.
 Also change "" to the correct value for your machine.
@@ -86,12 +86,14 @@ From your working directory, do the following
 As Root:
 cmd: cp misc/cas.pem /etc/nginx/certs
 cmd: chmod 751 /srv/hydra/bin
 cmd: chmod 751 /srv/hydra/bin/hydra
- cmd: cp -i /etc/letsencrypt/live/registercacert.buadh-brath.com/cert.pem idp.buadh-brath.com.pem
- cmd: cp -i /etc/letsencrypt/live/registercacert.buadh-brath.com/privkey.pem idp.buadh-brath.com-key.pem
 cmd: cd /srv/cacert/etc
+ cmd: certbot --nginx -d -d -d
+ cmd: cp -i /etc/letsencrypt/live//cert.pem .pem
+ cmd: cp -i /etc/letsencrypt/live//privkey.pem -key.pem
 cmd: chown root:cacert *
- cmd: chmod 640 idp.buadh-brath.com-key.pem
- cmd: systemd restart cacert-idp.service
+ cmd: chmod 640 -key.pem
+ cmd: systemctl restart cacert-idp.service
+ cmd: systemctl status cacert-idp.service
 Exit Root, if necessary
diff --git a/misc/reverse-proxy.conf b/misc/reverse-proxy.conf
index 7b52e10..94192ef 100644
--- a/misc/reverse-proxy.conf
+++ b/misc/reverse-proxy.conf
@@ -1,39 +1,3 @@
-server {
- if ($host = authserver.) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name authserver.;
- return 404; # managed by Certbot
-
-
-}
-server {
- if ($host = idp.) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name idp.;
- return 404; # managed by Certbot
-
-
-}
-server {
- if ($host = ) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80;
- server_name ;
- return 404; # managed by Certbot
-
-
-}
 server {
 server_name authserver.;
@@ -44,14 +8,7 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
- listen 443 ssl; # managed by Certbot
 listen :4444 ssl;
-
- ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
 server {
 server_name idp.;
@@ -62,16 +19,7 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 }
-
- listen 443 ssl; # managed by Certbot
- listen :3000 ssl;
- ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
-
 server {
 server_name ;
@@ -81,7 +29,6 @@ server {
 ssl_verify_client on;
 ssl_client_certificate /etc/nginx/certs/cas.pem;
- # ssl_verify_depth 1;
 location ~ ^/(.+\.php)$ {
 fastcgi_split_path_info ^(.+?\.php)(|/.*)$;
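Review bot: The three port-80 server blocks removed at the top of this hunk were the only HTTP-to-HTTPS redirects for `authserver.`, `idp.` and the bare host, and nothing on the new side replaces them, so plain-HTTP requests for those names now land on whatever default server nginx has on port 80. The INSTALL.txt hunk in this commit moves `certbot --nginx` to after the config is installed, so presumably Certbot is expected to recreate the redirects together with the `listen 443 ssl` / `ssl_certificate` / `options-ssl-nginx.conf` / `ssl_dhparam` lines that hunks @@ -44,14 +8,7 @@, @@ -62,16 +19,7 @@ and @@ -112,17 +57,10 @@ strip out, but the template itself never says so. Until Certbot has run, the authserver block keeps `listen :4444 ssl;` with no certificate, which nginx normally rejects at config test unless `ssl_certificate` is set at the http level, and the idp and bare-host blocks have no visible `listen` at all and would fall back to nginx's default port-80 listener. A comment at the top of the file such as `# Template: TLS listeners, certificates and HTTP->HTTPS redirects are added by 'certbot --nginx' after install (see INSTALL.txt); do not serve this file as-is.` would record that dependency.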
@@ -90,10 +37,8 @@ server {
 }
 include snippets/fastcgi-php.conf;
 include fastcgi_params;
- # fastcgi_index index.php;
 fastcgi_pass unix:/run/php/php8.2-fpm.sock;
 fastcgi_read_timeout 600s;
- #fastcgi_param SCRIPT_FILENAME /srv/www.example.org/html$fastcgi_script_name;
 fastcgi_param PATH_INFO $fastcgi_path_info;
 fastcgi_intercept_errors on;
 fastcgi_param PHP_VALUE "memory_limit = 512M
@@ -102,9 +47,9 @@ server {
 max_execution_time = 240
 max_input_time = 240
 upload_max_filesize = 16M";
- client_body_buffer_size 128k;
- http2_push_preload on;
- fastcgi_param TLS_SUCCESS $ssl_client_verify;
+ client_body_buffer_size 128k;
+ http2_push_preload on;
+ fastcgi_param TLS_SUCCESS $ssl_client_verify;
 fastcgi_param TLS_DN $ssl_client_s_dn;
 fastcgi_param TLS_CERT $ssl_client_cert;
 fastcgi_param TLS_FP $ssl_client_fingerprint;
@@ -112,17 +57,10 @@ server {
 fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
 }
- # deny access to Apache .htaccess on Nginx with PHP,
 # if Apache and Nginx document roots concur
 location ~ /\.ht {
 deny all;
 }
- listen 443 ssl http2; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live//fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
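Review bot: Removing `listen 443 ssl http2;` in the last hunk leaves the client-certificate server block (it opens at the end of @@ -62,16 +19,7 @@ and closes on this hunk's final `}`) with no ssl listener, while `ssl_verify_client on` in @@ -81,7 +29,6 @@ and the `fastcgi_param TLS_SUCCESS $ssl_client_verify` / `TLS_DN` / `TLS_CERT` / `TLS_FP` lines in @@ -102,9 +47,9 @@ stay. Unless an ssl `listen` survives in the unchanged lines between hunks or is added by `certbot --nginx` afterwards, the block is served over plain HTTP on nginx's default port and every `$ssl_client_*` variable is empty, so the PHP side must accept a request only when TLS_SUCCESS is exactly `SUCCESS`, never merely because the parameter is set. The values do come from nginx's own TLS state rather than from request headers, which is the property worth stating. A comment next to `ssl_verify_client on;` such as `# Client-cert identity reaches PHP only via fastcgi_param (not request headers); $ssl_client_verify is "SUCCESS" only on a TLS listener with a verified chain and empty on plain HTTP.` would make that contract explicit.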