added mtls for device endpoints

2025-10-03 13:22:47 +03:00
parent af252c4498
commit 269b098f0d
3 changed files with 133 additions and 30 deletions
--- a/nginx/dev.conf
+++ b/nginx/dev.conf
@@ -41,19 +41,6 @@ server {
    proxy_send_timeout 3600s;
  }

-  # --- LIVE ---
-  # HLS playlist/segments
-  location /hls/ {
-    proxy_pass  http://mediamtx:8888/;
-    proxy_http_version 1.1;
-  }  
-
-  # WebRTC WHIP/WHEP/test pages
-  location /webrtc/ {
-    proxy_pass  http://mediamtx:8889/;
-    proxy_http_version 1.1;
-  }
-  
  # --- MQTT over WebSocket (EMQX) ---
  # Clients connect to ws://<host>/mqtt/ws
  location /mqtt/ws {
@@ -64,4 +51,111 @@ server {
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
  }
+}
+
+# ==============================================
+# HTTPS :443 — mTLS enforced only on listed paths
+# ==============================================
+server {
+  listen 443 ssl http2;
+  server_name _;
+
+  ssl_certificate      /etc/nginx/ssl/certs/fullchain.pem;
+  ssl_certificate_key  /etc/nginx/ssl/certs/privkey.pem;
+  ssl_protocols        TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+
+  # mTLS trust chain (from Vault)
+  ssl_client_certificate /etc/nginx/ssl/iot_int_cert.pem;
+  ssl_verify_client      optional;  # locations below require SUCCESS
+  ssl_verify_depth       3;
+
+  # Client cert revocation (optional)
+  ssl_crl /etc/nginx/ssl/iot.crl;
+
+  # Forward client cert details upstream
+  proxy_set_header X-SSL-Client-Verify  $ssl_client_verify;
+  proxy_set_header X-SSL-Client-Serial  $ssl_client_serial;
+  proxy_set_header X-SSL-Client-Issuer  $ssl_client_i_dn;
+  proxy_set_header X-SSL-Client-DN      $ssl_client_s_dn;
+  proxy_set_header X-SSL-Client-Cert    $ssl_client_escaped_cert;
+
+  proxy_read_timeout  3600s;
+  proxy_send_timeout  3600s;
+
+  error_page 495 = @mtls_error;
+
+  # location @mtls_error { 
+  #   return 403 "ERR_SSL_VERSION_OR_CIPHER_MISMATCH \n"; 
+  # }
+
+  location @mtls_error { 
+    return 403 "mTLS required or client certificate invalid.\n"; 
+  }
+
+  location = /_mtls_check {
+    return 200 "$ssl_client_verify\n$ssl_client_s_dn\n$ssl_client_i_dn\n";
+  }
+
+  # ---- mTLS-protected paths ----
+  location ^~ /records {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://snoop-api:8080;
+  }
+
+  location ^~ /tasks {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://snoop-api:8080;
+  }
+
+  location ^~ /renew {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://snoop-api:8080;
+  }
+
+  # MediaMTX HLS
+  location ^~ /hls/ {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://mediamtx:8888/;
+  }
+
+  # MediaMTX WebRTC (WHIP/WHEP/test)
+  location ^~ /webrtc/ {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://mediamtx:8889/;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+  }
+
+  # MQTT WS entry points (guarded by mTLS)
+  location = /loc {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://emqx:8083/mqtt;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+  }
+
+  location = /gtasks {
+    if ($ssl_client_verify != SUCCESS) { 
+      return 495; 
+    }
+    proxy_pass http://emqx:8083/mqtt;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+  }
+
 }