This describes how to set up a remote machine that serves a key file (over HTTPS with basic auth) used to unlock a LUKS volume. Anyone who can reach this host with the credentials can fetch the key, so the client must verify the server's TLS certificate, and the key file must not be readable by other local users on the server.
- Install nginx
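# Use apt-get rather than apt: apt warns that its CLI is not stable for
# scripting. Chain with && so the install never runs after a failed index
# refresh (which would otherwise install stale package versions).
sudo apt-get update && sudo apt-get install -y nginx apache2-utils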
- Create User for basic auth
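# -B selects bcrypt; without it htpasswd uses the weak apr1 (MD5) scheme.
# -c creates the file and OVERWRITES an existing one: drop -c when adding
# further users to an existing .htpasswd.
sudo htpasswd -cB /etc/nginx/.htpasswd truenas
# htpasswd creates the file under the default umask (0644). Restrict it to
# root and the nginx worker group (www-data on Debian/Ubuntu; adjust if
# nginx runs as a different user).
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 0640 /etc/nginx/.htpasswd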
- Create secure directory and key file
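# Create the directory and the key file with their final ownership and mode
# up front, so the key is never world-readable: `sudo tee` into a new file
# would leave it 0644 under the default umask. Group www-data is the nginx
# worker user on Debian/Ubuntu; adjust if nginx runs as another user.
sudo install -d -m 0750 -o root -g www-data /srv/keys
sudo install -m 0640 -o root -g www-data /dev/null /srv/keys/truenas.key
# 128 bytes of kernel randomness; tee truncates the existing file and keeps
# the 0640 mode set above. Keep an offline copy of this key: if it is the
# only key slot on the volume, losing it makes the volume unrecoverable.
head -c 128 /dev/urandom | sudo tee /srv/keys/truenas.key >/dev/null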
- Create rate limit zone
# /etc/nginx/conf.d/ratelimit.conf
# (conf.d is included in the http{} context, which is where limit_req_zone
# must be declared; the server block below references the zone by name.)
# Allow only 3 key requests per minute per IP. The zone is keyed on
# $binary_remote_addr, i.e. the TCP peer address -- NOTE(review): if a
# reverse proxy ever sits in front of this host, all clients would share one
# bucket; confirm nothing terminates connections upstream of nginx.
# 10m of shared memory holds on the order of 160k address states (per nginx
# docs, ~16k 64-byte states per MB), far more than this single-client use needs.
limit_req_zone $binary_remote_addr zone=keylimit:10m rate=3r/m;
- Configure nginx virtual host
# /etc/nginx/sites-available/keyserver.conf
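server {
    listen 443 ssl;
    # Matches the Host header the client sends (an IP address here).
    server_name <ip address here>;

    # TLS certificate and key (we will set these in the next step).
    # The client MUST verify this certificate (pin it or trust its issuing CA);
    # with a self-signed cert and no verification, the basic-auth credentials
    # and the key would be handed to anyone who answers on this address.
    ssl_certificate /etc/ssl/certs/keyserver.crt;
    ssl_certificate_key /etc/ssl/private/keyserver.key;

    # Enforce strong TLS: no TLS 1.0/1.1, and for TLS 1.2 only forward-secret
    # AEAD suites (TLS 1.3 suites are not affected by ssl_ciphers).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Rate limiting zone created earlier. Rejected requests return 429 rather
    # than the default 503, so throttling is distinguishable from a real
    # server failure in the client's logs.
    limit_req zone=keylimit burst=2 nodelay;
    limit_req_status 429;

    # Nothing outside /keys/ is served by this host; without this, nginx would
    # serve its default document root for any other path.
    location / {
        return 404;
    }

    location /keys/ {
        alias /srv/keys/;

        # Defense in depth: restrict to the client host's address so only it can
        # even attempt authentication. Uncomment and fill in once known.
        # allow <truenas ip>;
        # deny all;

        # Basic auth -- credentials are only ever sent over the TLS listener above.
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Disable directory listing
        autoindex off;

        # Prevent the key from being cached by the client or any intermediary
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
    }
}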
- Enable the host:
# Activate the vhost: nginx includes every file under sites-enabled/, so a
# symlink named after the config file is enough.
sudo ln -s /etc/nginx/sites-available/keyserver.conf /etc/nginx/sites-enabled/keyserver.conf
- Disable default host:
# Drop the stock default site (a symlink) so it cannot answer on this host.
# Remember to run `sudo nginx -t` and reload nginx once the TLS certificate
# from the next step is in place; until then the config will not validate.
sudo unlink /etc/nginx/sites-enabled/default