Nginx: Difference between revisions

From Omnia
Jump to navigation Jump to search
 
(3 intermediate revisions by the same user not shown)
Line 38: Line 38:


  systemctl restart nginx
  systemctl restart nginx
== Let's Encrypt ==
apt install certbot python3-certbot-nginx
config:
<pre>
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
...
        server_name [DOMAIN];
...
        include snippets/snakeoil.conf;
}
</pre>
Restart and make sure it is hosting the fake ssl cert
service nginx restart
Have certbot verify and convert the fake to a real:
certbox
Will add the following:
    ssl_certificate /etc/letsencrypt/live/[DOMAIN]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/[DOMAIN]/privkey.pem; # managed by Certbot
Once these are added, you can then comment out the fake snakeoil certs.


== SSL Proxy ==
== SSL Proxy ==

Latest revision as of 03:51, 20 January 2024

Nginx

Pronounced "Engine X"

"Developed by Igor Sysoev in 2002, Nginx was finally released to the public in 2004 and continues to grow in popularity every year. Nginx is an open-sourced, free HTTP server and reverse proxy. It can also act as an IMAP/POP3 server. Benefiting from being fully scalable, Nginx combines the use of a predictable small amount of memory with asynchronous architecture, resulting in a small memory footprint and low resource consumption. Nginx offers a high-performance, stable environment and is currently the chosen web server for WordPress, SourceForge, and TorrentReactor. Nginx is currently the 3rd most popular web server (behind Apache and IIS) with a market share of 7.65% (according to Netcraft’s March 2011 survey)." [1]

Installation

apt install nginx

SSL

Using the default self signed snakoil ssl certs:

Install the default certs (should already be installed)

apt install ssl-cert

Should have the snakeoil certs:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

If the certs doing exist, regenerate: [1]

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

Config: (in /etc/nginx/sites-enabled/default)

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        include snippets/snakeoil.conf;

...
systemctl restart nginx

Let's Encrypt

apt install certbot python3-certbot-nginx

config:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
...
        server_name [DOMAIN];
...
        include snippets/snakeoil.conf;
}

Restart and make sure it is hosting the fake ssl cert

service nginx restart

Have certbot verify and convert the fake to a real:

certbox

Will add the following:

   ssl_certificate /etc/letsencrypt/live/[DOMAIN]/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/[DOMAIN]/privkey.pem; # managed by Certbot

Once these are added, you can then comment out the fake snakeoil certs.

SSL Proxy

Simple Example:

server {
        listen 443 ssl default_server;
        ssl_certificate /etc/ssl/DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/ssl/DOMAIN/privkey.pem;
        location / {
                proxy_pass http://localhost:8080;
        }
}


Example:

http {
    #...
    upstream backend.example.com {
        server backend1.example.com:443;
        server backend2.example.com:443;
   }

    server {
        listen      80;
        server_name www.example.com;
        #...

        location /upstream {
            proxy_pass                    https://backend.example.com;
            proxy_ssl_certificate         /etc/nginx/client.pem;
            proxy_ssl_certificate_key     /etc/nginx/client.key;
            proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
            proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

            proxy_ssl_verify        on;
            proxy_ssl_verify_depth  2;
            proxy_ssl_session_reuse on;
        }
    }

    server {
        listen      443 ssl;
        server_name backend1.example.com;

        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client      optional;

        location /yourapp {
            proxy_pass https://url_to_app.com;
        #...
        }

    server {
        listen      443 ssl;
        server_name backend2.example.com;

        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client      optional;

        location /yourapp {
            proxy_pass https://url_to_app.com;
        #...
        }
    }
}

ref: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/

keywords