Configure TLS at server-side
Here are some configuration file examples that enables TLS
Enable server authentication
- Nginx
- Apache
- Caddy (Caddyfile)
- Caddy (JSON)
server {
server_name [YOUR_DOMAIN]
listen 443 ssl;
root /www/data;
location / {
}
proxy_http_version 1.1;
proxy_set_header Host $host;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/conf.d/[CERTIFICATE_FILE_NAME];
ssl_certificate_key /etc/nginx/conf.d/[KEY_FILE_NAME];
}
<VirtualHost *:443>
SSLEngine on
ServerName [YOUR_DOMAIN]
LogLevel warn
SSLCertificateFile /etc/apache2/sites-enabled/[CERTIFICATE_FILE_NAME]
SSLCertificateKeyFile /etc/apache2/sites-enabled/[KEY_FILE_NAME]
SSLProtocol TLSv1.2
<IfDefine thisIsAComment>
Comment https://httpd.apache.org/docs/2.4/en/ssl/ssl_howto.html
</IfDefine>
DocumentRoot "/www/data"
<Directory "/www/data">
AuthType None
Require all granted
</Directory>
</VirtualHost>
[YOUR_DOMAIN] {
file_server
tls [CERTIFICATE_FILE_NAME] [KEY_FILE_NAME]
}
{
"apps": {
"http": {
"servers": {
"[YOUR_DOMAIN]": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"[YOUR_DOMAIN]"
]
}
],
"handle": [
{
"handler": "file_server",
"hide": [
"./caddyfile"
]
}
]
}
],
"tls_connection_policies": [
{
"certificate_selection": {
"any_tag": [
"cert0"
]
}
}
]
}
}
},
"tls": {
"certificates": {
"load_files": [
{
"certificate": "[CERTIFICATE_FILE_NAME]",
"key": "[KEY_FILE_NAME]",
"tags": [
"cert0"
]
}
]
}
}
}
}
Enable mutual authentication (mtls)
- Nginx
- Apache
- Caddy (Caddyfile)
- Caddy (JSON)
server {
server_name [YOUR_DOMAIN]
listen 443 ssl;
root /www/data;
location / {
}
proxy_http_version 1.1;
proxy_set_header Host $host;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_certificate /etc/nginx/conf.d/[CERTIFICATE_FILE_NAME];
ssl_certificate_key /etc/nginx/conf.d/[KEY_FILE_NAME];
ssl_client_certificate /etc/nginx/[CLIENT_CA_CERTIFICATE_FILE_NAME];
ssl_verify_client on;
}
<VirtualHost *:443>
SSLEngine on
ServerName [YOUR_DOMAIN]
LogLevel warn
SSLCertificateFile /etc/apache2/sites-enabled/[CERTIFICATE_FILE_NAME]
SSLCertificateKeyFile /etc/apache2/sites-enabled/[KEY_FILE_NAME]
SSLProtocol TLSv1.2
<IfDefine thisIsAComment>
Comment https://httpd.apache.org/docs/2.4/en/ssl/ssl_howto.html
</IfDefine>
DocumentRoot "/www/data"
<Directory "/www/data">
AuthType None
Require all granted
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile "[CLIENT_CA_CERTIFICATE_FILE_NAME]"
</Directory>
</VirtualHost>
[YOUR_DOMAIN] {
file_server
tls [CERTIFICATE_FILE_NAME] [KEY_FILE_NAME] {
client_auth {
mode require_and_verify
trusted_ca_cert_file [CLIENT_CA_CERTIFICATE_FILE_NAME]
}
}
}
{
"apps": {
"http": {
"servers": {
"srv0": {
"listen": [
":443"
],
"routes": [
{
"match": [
{
"host": [
"[YOUR_DOMAIN]"
]
}
],
"handle": [
{
"handler": "subroute",
"routes": [
{
"handle": [
{
"handler": "file_server",
"hide": [
"./caddyfile"
]
}
]
}
]
}
],
"terminal": true
}
],
"tls_connection_policies": [
{
"match": {
"sni": [
"[YOUR_DOMAIN]"
]
},
"certificate_selection": {
"any_tag": [
"cert0"
]
},
"client_authentication": {
"trusted_ca_certs_pem_files": "[CLIENT_CA_CERTIFICATE_FILE_NAME]",
"mode": "require_and_verify"
}
},
{}
]
}
}
},
"tls": {
"certificates": {
"load_files": [
{
"certificate": "[CERTIFICATE_FILE_NAME]",
"key": "[KET_FILE_NAME]",
"tags": [
"cert0"
]
}
]
}
}
}
}