Nginx

From Omnia

Pronounced "Engine X"

"Developed by Igor Sysoev in 2002, Nginx was finally released to the public in 2004 and continues to grow in popularity every year. Nginx is an open-sourced, free HTTP server and reverse proxy. It can also act as an IMAP/POP3 server. Benefiting from being fully scalable, Nginx combines the use of a predictable small amount of memory with asynchronous architecture, resulting in a small memory footprint and low resource consumption. Nginx offers a high-performance, stable environment and is currently the chosen web server for WordPress, SourceForge, and TorrentReactor. Nginx is currently the 3rd most popular web server (behind Apache and IIS) with a market share of 7.65% (according to Netcraft’s March 2011 survey)." [1]

Installation

apt install nginx

SSL

Using the default self-signed "snakeoil" SSL certs:

Install the default certs (should already be installed)

apt install ssl-cert

You should then have the snakeoil certs:

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

If the certs don't exist, regenerate them: [1]

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

Config (in /etc/nginx/sites-enabled/default):

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        include snippets/snakeoil.conf;
        ...
}

Then restart nginx:

systemctl restart nginx

Let's Encrypt

apt install certbot python3-certbot-nginx

Config (in /etc/nginx/sites-enabled/default):

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
...
        server_name [DOMAIN];
...
        include snippets/snakeoil.conf;
}

Restart and make sure it is serving the fake (snakeoil) SSL cert:

service nginx restart

Have certbot verify the domain and swap the fake cert for a real one (with python3-certbot-nginx installed, certbot edits the site config itself):

certbot

Will add the following:

   ssl_certificate /etc/letsencrypt/live/[DOMAIN]/fullchain.pem; # managed by Certbot
   ssl_certificate_key /etc/letsencrypt/live/[DOMAIN]/privkey.pem; # managed by Certbot

Once these are added, comment out the snakeoil include so the real certificate is the one served.

SSL Proxy

Simple Example:

server {
        listen 443 ssl default_server;
        ssl_certificate /etc/ssl/DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/ssl/DOMAIN/privkey.pem;
        location / {
                proxy_pass http://localhost:8080;
        }
}
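The two blocks above (the certbot-managed certificate paths and the simple proxy_pass) combine into one TLS-terminating reverse proxy. The following is an added example, not config from the original page: example.com, the webroot /var/www/html and the backend on 127.0.0.1:8080 are placeholders, and the TLS settings are the editor's hardening choices rather than anything certbot writes.

```nginx
# Added example (not from the original page): TLS-terminating reverse proxy
# using the certbot-managed cert paths. example.com and 127.0.0.1:8080 are
# placeholders.

# Plain HTTP only redirects to HTTPS; keep the ACME path reachable so
# certbot's HTTP-01 renewals keep working after the redirect is in place.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;   # managed by Certbot

    # TLS 1.0/1.1 are deprecated; only accept modern protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Tell browsers to stay on HTTPS for a year. Add this only once HTTPS
    # is known to work, since it cannot be quickly undone client-side.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Do not advertise the nginx version in headers and error pages.
    server_tokens off;

    location / {
        proxy_pass http://127.0.0.1:8080;

        # Pass the original host and client address so the backend logs
        # and builds links correctly; X-Forwarded-Proto tells it the
        # client connection was TLS even though the hop to it is plain HTTP.
        # These headers are set here, so a client cannot inject its own
        # values for them through the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` before reloading. The backend should still treat X-Forwarded-For as untrusted beyond the last address nginx appended, since earlier entries in that header can come from the client.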


Example (securing HTTP traffic to upstream servers with client certificates, from the nginx admin guide referenced below):

http {
    #...
    upstream backend.example.com {
        server backend1.example.com:443;
        server backend2.example.com:443;
    }

    server {
        listen      80;
        server_name www.example.com;
        #...

        location /upstream {
            proxy_pass                    https://backend.example.com;
            # client certificate nginx presents to the backends
            proxy_ssl_certificate         /etc/nginx/client.pem;
            proxy_ssl_certificate_key     /etc/nginx/client.key;
            # TLSv1 and TLSv1.1 are deprecated; drop them unless a backend still needs them
            proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
            # CA used to verify the backend's server certificate
            proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

            proxy_ssl_verify        on;
            proxy_ssl_verify_depth  2;
            proxy_ssl_session_reuse on;
        }
    }

    server {
        listen      443 ssl;
        server_name backend1.example.com;

        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        # CA used to verify client certificates; "optional" only records the
        # result in $ssl_client_verify, it does not reject unverified clients
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client      optional;

        location /yourapp {
            proxy_pass https://url_to_app.com;
            #...
        }
    }

    server {
        listen      443 ssl;
        server_name backend2.example.com;

        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client      optional;

        location /yourapp {
            proxy_pass https://url_to_app.com;
            #...
        }
    }
}

ref: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
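Two points in the example above are easy to get wrong: `ssl_verify_client optional` completes the handshake for clients that present no certificate (or a bad one) and merely records the outcome in `$ssl_client_verify`, so something must still deny those requests; and `proxy_ssl_verify on` checks the backend certificate against the name taken from `proxy_pass`, which here is the upstream group name rather than an individual backend's hostname. The following added example (not from the page or the nginx docs) shows both corrections; hostnames, paths and the X-Client-* header names are placeholders chosen for this example.

```nginx
# Added example (not from the original page): enforcing the client-certificate
# check on a backend and verifying the backend name from the front end.
# All hostnames, paths and X-Client-* header names are placeholders.

# Front end: nginx connects to the upstream group over TLS.
server {
    listen      80;
    server_name www.example.com;

    location /upstream {
        proxy_pass                    https://backend.example.com;
        proxy_ssl_certificate         /etc/nginx/client.pem;
        proxy_ssl_certificate_key     /etc/nginx/client.key;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;

        # The name checked against the backend cert defaults to the host in
        # proxy_pass ("backend.example.com"). If backend1/backend2 have their
        # own certs, issue them with that name as a SAN, or set the name to
        # verify explicitly and send it via SNI so each backend picks the
        # right certificate.
        proxy_ssl_name        backend.example.com;
        proxy_ssl_server_name on;
    }
}

# Backend: only requests with a client certificate chaining to ca.crt reach the app.
server {
    listen      443 ssl;
    server_name backend1.example.com;

    ssl_certificate        /etc/ssl/certs/server.crt;
    # Private keys belong in a directory that is not world-readable.
    ssl_certificate_key    /etc/ssl/private/server.key;

    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_depth       2;

    # "on" rejects the TLS handshake itself when no valid client cert is
    # presented. "optional" (as in the page's example) lets the handshake
    # complete and sets $ssl_client_verify to SUCCESS, FAILED:<reason> or
    # NONE; the check inside the location below is then what denies access.
    ssl_verify_client      optional;

    location /yourapp {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass https://url_to_app.com;

        # Hand the verified identity to the app. Setting the headers here
        # overwrites any copy a client might have supplied, so the app can
        # rely on them only because this proxy is the sole way to reach it.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }

    # Example of a path that is deliberately reachable without a client cert.
    location /healthz {
        return 200;
    }
}
```

Using `optional` plus the per-location check is useful when one listener must serve both authenticated and unauthenticated paths; if every path needs a certificate, `ssl_verify_client on` is the simpler and safer choice, since there is no location where the check can be forgotten.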