Update site-to-site-wireguard-part-3-2019-04-11.markdown

Cadey Ratio 2019-04-11 14:15:28 -07:00 committed by GitHub
parent 000ac938fc
commit 721f16de44
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 73 deletions


@ -1,19 +1,20 @@
--- ---
title: "Site to Site WireGuard: Part 3 - TLS and HTTPS" title: "Site to Site WireGuard: Part 3 - Custom TLS Certificate Authority"
date: 2019-04-11 date: 2019-04-11
--- ---
# Site to Site WireGuard: Part 3 - TLS and HTTPS # Site to Site WireGuard: Part 3 - Custom TLS Certificate Authority
This is the third in my Site to Site WireGuard VPN series. You can read the other articles here: This is the third in my Site to Site WireGuard VPN series. You can read the other articles here:
- [Part 1 - Names and Numbers](https://christine.website/blog/site-to-site-wireguard-part-1-2019-04-02) - [Part 1 - Names and Numbers](https://christine.website/blog/site-to-site-wireguard-part-1-2019-04-02)
- [Part 2 - DNS](https://christine.website/blog/site-to-site-wireguard-part-2-2019-04-07) - [Part 2 - DNS](https://christine.website/blog/site-to-site-wireguard-part-2-2019-04-07)
- Part 3 - TLS and HTTPS (this post) - Part 3 - Custom TLS Certificate Authority (this post)
- Setting up additional iOS, macOS, Android and Linux clients - Setting up additional iOS, macOS, Android and Linux clients
- Other future fun things (seamless tor2web routing, etc) - Other future fun things (seamless tor2web routing, etc)
In this article, we are going to create a custom [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority), trust it on iOS and macOS, and then use it for serving a [URL Shortener](https://github.com/Xe/surl) at `https://g.o/`. We are going to be using [Caddy](https://caddyserver.com) as our webserver, as it has many useful directives. In this article, we are going to create a custom [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) [Certificate Authority](https://en.wikipedia.org/wiki/Certificate_authority), trust it on iOS and macOS.
In the next part we will use it for serving a [URL Shortener](https://github.com/Xe/surl) at `https://g.o/`.
## What's TLS? ## What's TLS?
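Review bot: the rewritten intro sentence now ends "create a custom [...] Certificate Authority, trust it on iOS and macOS." with its third clause removed, so it needs an "and" before "trust it" (or a full stop after "Certificate Authority" and a new sentence "We will then trust it on iOS and macOS."). Since the intro now defers the Caddy/HTTPS work to the next post, the series list in this hunk still jumps from "Part 3 - Custom TLS Certificate Authority (this post)" straight to the clients post; add an entry for the HTTPS/Caddy part so the roadmap matches the new split.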
@ -55,35 +56,6 @@ chmod 750 /srv/within/certs
chown root:www-data /srv/within/certs chown root:www-data /srv/within/certs
``` ```
<!-- TODO(Xe): Move this to caddy section when that's a thing -->
And in that folder create a script called `fixperms.sh`:
```shell
#!/bin/sh
chmod -R 750 .
chown -R root:www-data .
chmod 600 minica-key.pem
```
Then mark it executable:
```
chmod +x fixperms.sh
```
These permissions are set as such:
| Facet | Read | Write | Execute/Directory Listing |
| :--------------- | :--- | :---- | :------------------------ |
| User (root) | Yes | Yes | Yes |
| Group (www-data) | Yes | No | Yes |
| Others | No | No | No |
This will allow Caddy to be able to read the certificates later in the post.
### Creating And Using Your First Certificate ### Creating And Using Your First Certificate
First, navigate back to your certificate home and run the following command: First, navigate back to your certificate home and run the following command:
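Review bot: deleting the fixperms.sh block also drops `chmod 600 minica-key.pem`, which was the only step in this file that explicitly restricts the CA private key; the surviving context lines (`chmod 750 /srv/within/certs` and `chown root:www-data /srv/within/certs`) still give the www-data group read access to the directory, so the key's own mode now depends on whatever minica writes by default. Keep that one line here, since it belongs with CA creation rather than with Caddy, or state that file permissions are handled in the Caddy post. The remaining `chown root:www-data` has also lost its rationale ("This will allow Caddy to be able to read the certificates later in the post"), so a sentence explaining why the directory is group-owned by www-data in a post that no longer sets up Caddy would help readers who are not following the whole series.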
@ -136,48 +108,10 @@ Then you should be ready to open [https://aloha.pele:2848](https://aloha.pele:28
If you get the secure connection working like normal (without prompting or nag screens), everything is working perfectly. If you get the secure connection working like normal (without prompting or nag screens), everything is working perfectly.
## HTTPS
[Caddy](https://caddyserver.com) is a general-purpose HTTP server. One of its main features is automatic [Let's Encrypt](https://letsencrypt.org) support. We are using it here to serve HTTPS because it has a very, very simple configuration file format.
* Caddy
* Setup Caddy
* Systemd
* Certificate permissions
* Configure Caddy for static file serving for aloha.pele
* root directive
* browse directive
* Link to Caddy documentation
* URL shortener
* Decide domain
* suggest
* Install surl in Docker
* Configuration
* Create Docker volume
* docker volume create surl
* docker run --name surl -v surl:/data --restart always -dit xena/surl:v0.4.0
* Create DNS entry
* g.o. IN CNAME oho.pele.
* Create TLS certificate
* cd ~/backups/CA && minica -domains 'g.o'
* Configure Caddy
* g.o:80 {
* tls off
*
* redir / https://g.o
* }
*
* g.o:443 {
* tls /srv/within/certs/g.o/cert.pem /srv/within/certs/g.o/key.pem
*
* proxy / http://10.77.0.1:5000
* }
* Test
* cURL
* Safari
--- ---
That's about it for this time around. In the next part, we will set up HTTPS serving with [Caddy](https://caddyserver.com).
Please give me [feedback](/contact) on my approach to this. I also have a [Patreon](https://www.patreon.com/cadey) and a [Ko-Fi](https://ko-fi.com/A265JE0) in case you want to support this series. I hope this is useful to you all in some way. Stay tuned for the future parts of this series as I build up the network infrastructure from scratch. If you would like to give feedback on the posts as they are written, please watch [this page](https://github.com/Xe/site/pulls) for new pull requests. Please give me [feedback](/contact) on my approach to this. I also have a [Patreon](https://www.patreon.com/cadey) and a [Ko-Fi](https://ko-fi.com/A265JE0) in case you want to support this series. I hope this is useful to you all in some way. Stay tuned for the future parts of this series as I build up the network infrastructure from scratch. If you would like to give feedback on the posts as they are written, please watch [this page](https://github.com/Xe/site/pulls) for new pull requests.
Be well. Be well.
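Review bot: the outline being deleted was draft notes rather than published text, but it held the only recorded values for the next post: the `g.o:80 { tls off ... redir / https://g.o }` redirect, the `tls /srv/within/certs/g.o/cert.pem /srv/within/certs/g.o/key.pem` directive, and the `minica -domains 'g.o'` step that ties the new certificate to this post's CA. Consider moving that block into a draft for the HTTPS post instead of dropping it, so the HTTP-to-HTTPS redirect and the certificate paths (which must match the `/srv/within/certs` layout set up above) do not have to be reconstructed. The added closing sentence ("In the next part, we will set up HTTPS serving with Caddy") reads fine and links Caddy, which the removed `## HTTPS` paragraph did as well.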