From 74114a62349a44d57f3a32ba3c02920840d9cc18 Mon Sep 17 00:00:00 2001 From: Mariano Cano Date: Wed, 6 Feb 2019 11:53:10 -0800 Subject: [PATCH] Add hello-mTLS for nginx --- autocert/examples/hello-mtls/README.md | 7 ++++ .../hello-mtls/nginx/Dockerfile.server | 11 +++++++ .../examples/hello-mtls/nginx/certwatch.sh | 6 ++++ .../examples/hello-mtls/nginx/entrypoint.sh | 10 ++++++ .../hello-mtls/nginx/hello-mtls.server.yaml | 33 +++++++++++++++++++ autocert/examples/hello-mtls/nginx/site.conf | 16 +++++++++ 6 files changed, 83 insertions(+) create mode 100644 autocert/examples/hello-mtls/nginx/Dockerfile.server create mode 100755 autocert/examples/hello-mtls/nginx/certwatch.sh create mode 100755 autocert/examples/hello-mtls/nginx/entrypoint.sh create mode 100644 autocert/examples/hello-mtls/nginx/hello-mtls.server.yaml create mode 100644 autocert/examples/hello-mtls/nginx/site.conf diff --git a/autocert/examples/hello-mtls/README.md b/autocert/examples/hello-mtls/README.md index 5a8f97ed..d030f797 100644 --- a/autocert/examples/hello-mtls/README.md +++ b/autocert/examples/hello-mtls/README.md @@ -53,3 +53,10 @@ languages are appreciated! - [ ] TLS stack configuration loaded from `step-ca` - [ ] Root certificate rotation +[nginx/](nginx/) +- [X] Server + - [X] mTLS (client authentication using internal root certificate) + - [X] Automatic certificate renewal + - [X] Restrict to safe ciphersuites and TLS versions + - [ ] TLS stack configuration loaded from `step-ca` + - [ ] Root certificate rotation \ No newline at end of file diff --git a/autocert/examples/hello-mtls/nginx/Dockerfile.server b/autocert/examples/hello-mtls/nginx/Dockerfile.server new file mode 100644 index 00000000..52149987 --- /dev/null +++ b/autocert/examples/hello-mtls/nginx/Dockerfile.server 
@@ -0,0 +1,11 @@
+FROM nginx:alpine
+
+RUN apk add inotify-tools
+RUN mkdir /src
+ADD site.conf /etc/nginx/conf.d
+ADD certwatch.sh /src
+ADD entrypoint.sh /src
+
+# Certificate watcher and nginx
+ENTRYPOINT ["/src/entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]
diff --git a/autocert/examples/hello-mtls/nginx/certwatch.sh b/autocert/examples/hello-mtls/nginx/certwatch.sh
new file mode 100755
index 00000000..fa6304c0
--- /dev/null
+++ b/autocert/examples/hello-mtls/nginx/certwatch.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+while true; do
+ inotifywait -e modify /var/run/autocert.step.sm/site.crt
+ nginx -s reload
+done
diff --git a/autocert/examples/hello-mtls/nginx/entrypoint.sh b/autocert/examples/hello-mtls/nginx/entrypoint.sh
new file mode 100755
index 00000000..2a7c9686
--- /dev/null
+++ b/autocert/examples/hello-mtls/nginx/entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Wait for renewer
+sleep 10
+
+# watch for the update of the cert and reload nginx
+/src/certwatch.sh &
+
+# Run docker CMD
+exec "$@"
\ No newline at end of file
diff --git a/autocert/examples/hello-mtls/nginx/hello-mtls.server.yaml b/autocert/examples/hello-mtls/nginx/hello-mtls.server.yaml
new file mode 100644
index 00000000..7e32bbb8
--- /dev/null
+++ b/autocert/examples/hello-mtls/nginx/hello-mtls.server.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels: {app: hello-mtls}
+ name: hello-mtls
+spec:
+ type: ClusterIP
+ ports:
+ - port: 443
+ targetPort: 443
+ selector: {app: hello-mtls}
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: hello-mtls
+ labels: {app: hello-mtls}
+spec:
+ replicas: 1
+ selector: {matchLabels: {app: hello-mtls}}
+ template:
+ metadata:
+ annotations:
+ autocert.step.sm/name: hello-mtls.default.svc.cluster.local
+ labels: {app: hello-mtls}
+ spec:
+ containers:
+ - name: hello-mtls
+ image: hello-mtls-server-nginx:latest
+ imagePullPolicy: Never
+ resources: {requests: {cpu: 10m, memory: 20Mi}}
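Review bot: `FROM nginx:alpine` is a floating tag, so every rebuild of this example can pick up a different nginx and a different Alpine, and the TLS behaviour documented in the README (TLS 1.2 only, the fixed ECDSA cipher list) is then tied to whatever OpenSSL/LibreSSL build happens to ship that day; pin a specific nginx version tag, and a digest if the example is meant to be reproducible. `RUN apk add inotify-tools` also leaves the apk index in the image layer and does not pin the package — `RUN apk add --no-cache inotify-tools` is the idiom. The three `ADD` lines copy plain local files, for which `COPY` is the right instruction (`ADD` additionally auto-extracts archives and fetches URLs, neither of which is wanted here), and the `RUN mkdir /src` layer is unnecessary because `COPY site.conf /etc/nginx/conf.d/` and `COPY certwatch.sh entrypoint.sh /src/` create the target directory.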
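Review bot: `inotifywait -e modify /var/run/autocert.step.sm/site.crt` watches one inode, so if the renewer replaces `site.crt` by writing a temporary file and renaming it over the old one (a common atomic-write pattern — confirm how autocert's renewer actually writes) the watch is lost after the first rotation and nginx is never reloaded again, which would let the certificate silently expire. `modify` also fires on every partial write, so `nginx -s reload` can run while `site.crt` is half-written or before the matching `site.key` has been updated, and a reload with a mismatched pair is rejected by nginx and the stale cert stays in service. When `inotifywait` exits non-zero (file not present yet, inotify unavailable) the loop spins, issuing `nginx -s reload` continuously. Watching the directory for completed writes and backing off on error addresses all three: `inotifywait -qq -e close_write,moved_to /var/run/autocert.step.sm || { sleep 5; continue; }` — this also reloads when `root.crt` is rotated, which is what the README lists as still missing.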
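Review bot: `sleep 10` is a fixed guess at how long the autocert renewer needs to write the certificate; if the sidecar is slower, `exec nginx` starts with no `site.crt`/`site.key` and the container exits, and if it is faster the pod is needlessly delayed. Waiting for the files themselves is both faster and deterministic: `while [ ! -s /var/run/autocert.step.sm/site.crt ] || [ ! -s /var/run/autocert.step.sm/site.key ]; do sleep 1; done`. Note also that once `exec "$@"` replaces the shell, the backgrounded `/src/certwatch.sh &` is orphaned under nginx as PID 1 with nothing to restart it, so a crash of the watcher means renewals stop being applied; a comment such as `# certwatch.sh is not supervised: if it dies, renewed certs are never reloaded` would at least make that limitation visible to anyone copying this example.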
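Review bot: the container declares no `ports:` and no readiness probe, so the `hello-mtls` Service routes to the pod as soon as the container is running, while `entrypoint.sh` in this same commit sleeps before nginx starts and nginx cannot listen until the autocert sidecar has written the certificate. Adding `ports: [{containerPort: 443}]` and `readinessProbe: {tcpSocket: {port: 443}}` to the container keeps traffic away until nginx is actually accepting connections; an `httpGet` probe would not work here because `ssl_verify_client on` rejects the kubelet's unauthenticated request. `image: hello-mtls-server-nginx:latest` with `imagePullPolicy: Never` only works on a cluster that shares the local image store (e.g. minikube/kind), which is presumably intended for an example but is worth a comment like `# local-only: image must be built into the node's image store`.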
diff --git a/autocert/examples/hello-mtls/nginx/site.conf b/autocert/examples/hello-mtls/nginx/site.conf
new file mode 100644
index 00000000..6914dbc9
--- /dev/null
+++ b/autocert/examples/hello-mtls/nginx/site.conf
@@ -0,0 +1,16 @@
+server {
+ listen 443 ssl;
+ server_name localhost;
+ ssl_protocols TLSv1.2;
+ ssl_certificate /var/run/autocert.step.sm/site.crt;
+ ssl_certificate_key /var/run/autocert.step.sm/site.key;
+ ssl_client_certificate /var/run/autocert.step.sm/root.crt;
+ ssl_verify_client on;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
+
+ location / {
+ root /usr/share/nginx/html;
+ index index.html index.htm;
+ }
+}
\ No newline at end of file
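Review bot: `ssl_client_certificate` trusts only `root.crt`, and step-ca by default issues end-entity certificates from an intermediate CA, so a client chain is leaf → intermediate → root; nginx's default `ssl_verify_depth 1` may then reject valid clients with a chain-too-long error (confirm against the CA layout autocert provisions) — adding `ssl_verify_depth 2;` next to `ssl_verify_client on;` avoids that. The `ssl_ciphers` list is ECDSA-only, which appears to rely on autocert issuing an ECDSA server key; if that assumption is correct, a comment such as `# autocert issues an ECDSA leaf; RSA suites intentionally omitted` makes the dependency explicit, since an RSA cert here would make every handshake fail with no shared cipher. `server_name localhost` does not match the `hello-mtls.default.svc.cluster.local` name the Deployment requests; harmless as the only server block, but `server_name hello-mtls.default.svc.cluster.local;` avoids confusing readers into thinking the cert is for localhost.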