x

.gitignore

@@ -0,0 +1,2 @@
+nginx/certs/*
+!nginx/certs/.keep

app/Dockerfile

@@ -0,0 +1,7 @@
+from ruby
+
+add . /app
+workdir /app
+run bundle install
+
+cmd ["ruby", "app.rb"]

app/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# gem "rails"
+
+gem "sinatra", "~> 2.2"
+gem "thin", "~> 1.8"

app/Gemfile.lock

@@ -0,0 +1,31 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    daemons (1.4.1)
+    eventmachine (1.2.7)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    rack (2.2.3)
+    rack-protection (2.2.0)
+      rack
+    ruby2_keywords (0.0.5)
+    sinatra (2.2.0)
+      mustermann (~> 1.0)
+      rack (~> 2.2)
+      rack-protection (= 2.2.0)
+      tilt (~> 2.0)
+    thin (1.8.1)
+      daemons (~> 1.0, >= 1.0.9)
+      eventmachine (~> 1.0, >= 1.0.4)
+      rack (>= 1, < 3)
+    tilt (2.0.10)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  sinatra (~> 2.2)
+  thin (~> 1.8)
+
+BUNDLED WITH
+   2.2.19

app/app.rb

@@ -0,0 +1,16 @@
+require 'sinatra'
+
+set :server, %w[thin webrick]
+set :bind, '0.0.0.0'
+
+get '/' do
+  'Hello world'
+end
+
+get '/foo' do
+  'Bar'
+end
+
+get '/cert' do
+  request.env['HTTP_X_CLIENTCERT_DN']
+end

docker-compose.yaml

@@ -0,0 +1,19 @@
+version: '3.3'
+services:
+  ruby:
+    container_name: app
+    image: integralist-ruby
+    ports:
+      - 4567:4567
+  nginx:
+    container_name: nginx
+    image: integralist-nginx
+    volumes:
+      - ./html:/usr/share/nginx/html
+      - ./nginx/certs/server.crt:/etc/nginx/certs/server.crt
+      - ./nginx/certs/server.key:/etc/nginx/certs/server.key
+      - ./nginx/certs/ca.crt:/etc/nginx/certs/ca.crt
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+    ports:
+      - 80:80
+      - 443:443

nginx/Dockerfile

@@ -0,0 +1,3 @@
+from nginx
+expose 80 443
+cmd ["nginx", "-g", "daemon off;"]

nginx/nginx.conf

@@ -0,0 +1,33 @@
+user nobody nogroup;
+worker_processes auto;
+
+events {
+  worker_connections 512;
+}
+
+http {
+  upstream app {
+    server app:4567;
+  }
+
+  server {
+    listen *:443;
+    ssl on;
+    server_name "";
+
+    ssl_certificate        /etc/nginx/certs/server.crt;
+    ssl_certificate_key    /etc/nginx/certs/server.key;
+    ssl_client_certificate /etc/nginx/certs/ca.crt;
+    # @todo    this could be made 'optional' so taht
+    #          some connections are allowed to public
+    #          endpooints
+    ssl_verify_client      on;
+
+    root /usr/share/nginx/html;
+
+    location /app/ {
+      proxy_pass http://app/;
+      proxy_set_header X-ClientCert-DN $ssl_client_s_dn;
+    }
+  }
+}

script/create-certificate.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl genrsa -des3 -out ca.key 4096
+
+openssl req -new \
+  -x509 \
+  -days 365 \
+  -key ca.key \
+  -out ca.crt

script/create-client-key-and-csr.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+openssl genrsa -out client.key 2048
+
+openssl req -new \
+  -key client.key \
+  -out client.csr

script/create-server-certificate.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl x509 -req \
+  -days 365 \
+  -in server.csr \
+  -CA ca.crt \
+  -CAkey ca.key \
+  -set_serial 01 \
+  -out server.crt

script/create-server-key-and-csr.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+openssl genrsa -out server.key 4096 \
+openssl req -new \
+  -key server.key \
+  -out server.csr

script/sign-client-csr.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+openssl x509 -req \
+  -days 365 \
+  -in client.csr \
+  -CA ca.crt \
+  -CAkey ca.key \
+  -set_serial 01 \
+  -out client.crt