Add HTTPS reverse proxy with self-signed 100-year cert

- Nginx reverse proxy with WebUI and REST API for configuration - Self-signed SSL certificate with own CA (100 years validity) - Domain-based and IP/port-based routing - Docker setup with host network mode - All settings configurable via .env Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 15:32:00 +02:00
parent 3d35e1ab92
commit 411a8b8ddb
9 changed files with 936 additions and 0 deletions
@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+
+CERT_DIR="/certs"
+CA_KEY="$CERT_DIR/ca.key"
+CA_CERT="$CERT_DIR/ca.crt"
+SERVER_KEY="$CERT_DIR/server.key"
+SERVER_CSR="$CERT_DIR/server.csr"
+SERVER_CERT="$CERT_DIR/server.crt"
+
+# Defaults
+CERT_COUNTRY="${CERT_COUNTRY:-DE}"
+CERT_STATE="${CERT_STATE:-Bavaria}"
+CERT_CITY="${CERT_CITY:-Munich}"
+CERT_ORG="${CERT_ORG:-MyOrganization}"
+CERT_OU="${CERT_OU:-IT}"
+CERT_CN="${CERT_CN:-proxy.local}"
+CERT_DAYS="${CERT_DAYS:-36500}"
+
+# Skip if certs already exist
+if [ -f "$CA_CERT" ] && [ -f "$SERVER_CERT" ] && [ -f "$SERVER_KEY" ]; then
+    echo "Certificates already exist. Skipping generation."
+    echo "Delete files in $CERT_DIR to regenerate."
+    exit 0
+fi
+
+echo "=== Generating CA (Certificate Authority) ==="
+openssl genrsa -out "$CA_KEY" 4096
+
+openssl req -new -x509 -days "$CERT_DAYS" -key "$CA_KEY" -out "$CA_CERT" \
+    -subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_ORG/OU=$CERT_OU/CN=$CERT_CN CA"
+
+echo "=== Generating Server Certificate ==="
+openssl genrsa -out "$SERVER_KEY" 4096
+
+openssl req -new -key "$SERVER_KEY" -out "$SERVER_CSR" \
+    -subj "/C=$CERT_COUNTRY/ST=$CERT_STATE/L=$CERT_CITY/O=$CERT_ORG/OU=$CERT_OU/CN=$CERT_CN"
+
+# Create extension file for SAN (Subject Alternative Names)
+cat > "$CERT_DIR/server.ext" <<EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName=@alt_names
+
+[alt_names]
+DNS.1=$CERT_CN
+DNS.2=localhost
+IP.1=127.0.0.1
+EOF
+
+openssl x509 -req -in "$SERVER_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" \
+    -CAcreateserial -out "$SERVER_CERT" -days "$CERT_DAYS" \
+    -extfile "$CERT_DIR/server.ext"
+
+# Cleanup
+rm -f "$SERVER_CSR" "$CERT_DIR/server.ext" "$CERT_DIR/ca.srl"
+
+echo "=== Certificates generated successfully ==="
+echo "CA Certificate:     $CA_CERT"
+echo "Server Certificate: $SERVER_CERT"
+echo "Server Key:         $SERVER_KEY"
+echo "Validity:           $CERT_DAYS days (~$(($CERT_DAYS / 365)) years)"