4.5. External SSL
This document covers NGINX installation on a vanilla CentOS 7 host and its configuration for SSL termination and reverse proxying to NgeneaHub.
4.5.1. Installing NGINX
Adding the EPEL Software Repository
sudo yum install epel-release
Installing NGINX
sudo yum install nginx
Starting Nginx service
sudo systemctl start nginx
Check Nginx service Status
sudo systemctl status nginx
The status output should look like this:
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2022-01-24 20:14:24 UTC; 5s ago
Process: 1898 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
Process: 1896 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
Process: 1895 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
Main PID: 1900 (nginx)
CGroup: /system.slice/nginx.service
├─1900 nginx: master process /usr/sbin/nginx
└─1901 nginx: worker process
Jan 24 20:14:24 centos-updates systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jan 24 20:14:24 centos-updates nginx[1896]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jan 24 20:14:24 centos-updates nginx[1896]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jan 24 20:14:24 centos-updates systemd[1]: Started The nginx HTTP and reverse proxy server.
The service should be active
To stop the Nginx service
sudo systemctl stop nginx
To disable the Nginx service
sudo systemctl disable nginx
To Enable the Nginx service
sudo systemctl enable nginx
4.5.2. Configuration for SSL Termination and Reverse Proxy using OpenSSL
4.5.2.1. Create Self-Signed Certificates for Nginx
Create the certificate configuration file named localhost.conf:
[req]
default_bits = 2048
default_keyfile = localhost.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = Rochester
organizationName = Organization Name (eg, company)
organizationName_default = localhost
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = localhost
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
# Host names go in DNS.n entries; an IP address must be an IP.n entry,
# otherwise clients connecting by address will not match the certificate
DNS.1 = example.com
DNS.2 = localhost
IP.1 = 127.0.0.1
Create the certificate and its private key with OpenSSL using the command below:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf
Copy the certificate to /etc/ssl/certs and the private key to /etc/ssl/private:
sudo cp localhost.crt /etc/ssl/certs/localhost.crt
sudo cp localhost.key /etc/ssl/private/localhost.key
4.5.2.2. Creating configuration file for Nginx
Create a configuration file at /etc/nginx/conf.d/proxy.conf that loads the certificate key pair and proxies requests to the backend:
server {
    # Plain HTTP is also served by this block; the Certbot method in 4.5.3
    # redirects it to HTTPS instead
    listen 80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2; # for IPv6
    server_name example.com;

    # Specify the certificate files to use
    ssl_certificate /etc/ssl/certs/localhost.crt;
    ssl_certificate_key /etc/ssl/private/localhost.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is enabled here
    ssl_protocols TLSv1.2;

    root /usr/share/nginx/html;
    # Serve index.html when requesting /
    index index.html;

    # Reverse proxy for requests
    location / {
        proxy_set_header Host $host:8000;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # If the backend runs outside Docker, 127.0.0.1 or localhost works here;
        # with Docker use host.docker.internal, or run the container with
        # network_mode: "host"
        proxy_pass http://localhost:8000/;
        proxy_redirect off;
    }
}
Reload the Nginx service after you have made some configuration changes
sudo systemctl reload nginx
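Before reloading, it is worth confirming that the pair copied in 4.5.2.1 actually belongs together, that its subjectAltName covers the server_name, and that proxy.conf from 4.5.2.2 does not enable deprecated TLS versions. The script below is an added example, not part of the original page or the NgeneaHub project; it assumes the openssl CLI is on PATH, and the function names are the editor's own.

```shell
#!/bin/sh
# Added example, not part of the original page: pre-reload checks for the
# certificate/key pair from 4.5.2.1 and the proxy.conf from 4.5.2.2.
# Assumes the openssl CLI is installed; function names are the editor's own.

# Print "ok" when the RSA modulus in CERT equals the one in KEY, else "mismatch"
cert_key_match() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    if [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]; then echo ok; else echo mismatch; fi
}

# Print "ok" when CERT's subjectAltName lists NAME as a DNS or IP entry, else "missing"
cert_has_san() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' \
        | grep -qE "(DNS|IP Address):$2(,|$)"; then echo ok; else echo missing; fi
}

# Print the deprecated protocol versions enabled by ssl_protocols in CONF (nothing if clean)
weak_tls_protocols() {
    grep -hE '^[[:space:]]*ssl_protocols' "$1" | tr -s ' \t;' '\n\n\n' \
        | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$' | sort -u
}

# Run all checks; exit 0 only if the pair matches, NAME is in the SAN and no
# deprecated protocol is enabled. Usage: preflight CERT KEY CONF NAME
preflight() {
    status=0
    [ "$(cert_key_match "$1" "$2")" = ok ] || { echo "cert/key mismatch: $1 $2"; status=1; }
    [ "$(cert_has_san "$1" "$4")" = ok ] || { echo "SAN of $1 lacks $4"; status=1; }
    weak=$(weak_tls_protocols "$3")
    [ -z "$weak" ] || { echo "deprecated ssl_protocols in $3:"; echo "$weak"; status=1; }
    return $status
}

# Example invocation with the paths used on this page (run as root):
# preflight /etc/ssl/certs/localhost.crt /etc/ssl/private/localhost.key \
#     /etc/nginx/conf.d/proxy.conf example.com && nginx -t && systemctl reload nginx
```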
4.5.3. Configuration for SSL Termination and Reverse Proxy using Certbot and Let's Encrypt (alternative method)
4.5.3.1. Add trusted SSL Certificates from Let's Encrypt
All unencrypted HTTP connections need to be redirected to HTTPS. This is done with Certbot and Let's Encrypt certificates: Certbot obtains free certificates and also handles renewal automatically. To do that, install certbot together with its NGINX plugin:
sudo yum install certbot python3-certbot-nginx
Once we have installed those packages, we can obtain our certificates.
sudo certbot --nginx -d example.com
Certbot will ask whether to redirect all HTTP traffic to HTTPS. Select yes (2). It then makes the following changes to the NGINX default configuration:
server {
    server_name example.com;
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 404; # managed by Certbot
}
4.5.4. HTTPS Configuration for NgeneaHub
To configure NgeneaHub for HTTPS, create a configuration file named nghub.conf under the /etc/nginx/conf.d/pixstor/ folder. It should contain the configuration below:
location /ngeneahub/ {
    proxy_pass http://localhost:8000;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /ngeneahub/ws {
    proxy_pass http://localhost:8000;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
4.5.4.1. Reload the Nginx service after you have made some configuration changes
sudo systemctl reload nginx
4.5.4.2. To auto-renew the certificates, run
certbot renew