The Mightywomble
Dec 30, 2018 · 8 min read
Surely this is common knowledge? You'd think so; however, it's been pretty apparent on
some of the forums where I spend my time that while we know security and SSL are
important, getting it set up can be a bit of a problem.
Rightly or wrongly, I find the logs provided, the ability to add geolocation lockdown
and other such nice-to-haves a good thing on a network.
This is done using a reverse proxy hosted by NGINX. Why NGINX? Simple: it's the easiest
thing I've found for setting up a reverse proxy, it's well tested, and it's light on CPU and RAM.
It's also worth remembering that while a reverse proxy can act as your public SSL endpoint, it's
not a security catch-all. Security is about defence in depth: putting hurdles in the way,
and being made aware of it when they are knocked down.
What OS?
Where possible I will include instructions for installing things on Ubuntu 18.04 and
CentOS 7.
Install Nginx
Nginx is a web server, similar to Apache; I find it a bit easier to get my head around
than Apache.
Ubuntu
Log into your server via SSH as your user (this assumes you can SSH into the box;
otherwise, skip to the next bit if you have console access).
ssh username@hostname
Install nginx
By default, nginx may not start automatically, so you need to start it with the following
command. Other valid options are "stop" and "restart".
or
CentOS
The process for CentOS needs a little more setup; however, it's fairly similar.
Log into your server via SSH as your user (this assumes you can SSH into the box;
otherwise, skip to the next bit if you have console access).
ssh username@hostname
su to root
su -
Run command:
vi /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1
To save and quit the file in vi, press Esc followed by :x and Enter. Note that gpgcheck=0
in this repo file disables package signature verification; nginx.org publishes a signing key
(https://nginx.org/keys/nginx_signing.key), so gpgcheck=1 with gpgkey= pointing at that key
is the safer setting.
To install the latest stable nginx server, run the following yum command:
yum install nginx
First, enable the nginx service with systemctl so that it starts at server boot
time:
systemctl enable nginx
Sample outputs:
Oh no, stop the train, time to get off: chances are, if you are running Apache on the same
server, it's bound to the same IP ports (80, 443) that Nginx wants to use.
or
Basically, if something is already listening on port 80 or 443 you might need to change the
port Nginx starts on, which is out of scope here but covered by a quick Google search, for
example at Tecmint:
https://www.tecmint.com/change-nginx-port-in-linux/
Install letsencrypt
LetsEncrypt is your gateway to free public-facing SSL certificates, something that used
to cost a few quid. We manage the requesting of certs from LetsEncrypt using a tool
called certbot.
Ubuntu
Certbot is in very active development, so the Certbot packages provided by Ubuntu tend to
be outdated. However, the Certbot developers maintain an Ubuntu software repository with
up-to-date versions, so we'll use that repository instead.
Certbot is now ready to use, but in order for it to configure SSL for Nginx, we need to verify
some of Nginx's configuration.
CentOS
The first step to using Let's Encrypt to obtain an SSL certificate is to install the certbot
software on your server. Currently, the best way to install this is through the EPEL
repository.
Once the repository has been enabled, you can obtain the certbot-nginx package by
typing:
The certbot Let's Encrypt client is now installed and ready to use.
The Domain
For the purposes of the remainder of this tutorial we will use git.example.com as the
URL we want to protect and 10.10.10.10 as the internal IP of the GitLab server we wish
to provide external access to. The server on 10.10.10.10 has no SSL set up and is
accessible on port 8880. We assume that the firewall on 10.10.10.10 is set up to
allow access to port 8880.
You will also need the domain (example: git.example.com) registered and the DNS
pointing to the external IP of your router.
cd /etc/nginx/sites-enabled
vi git.example.com.conf
and add
server {
    server_name git.example.com;
    # The internal IP and port of the service being proxied (the GitLab server here)
    set $upstream 10.10.10.10:8880;
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
    listen 80;
}
This has added a basic configuration which listens on port 80 for git.example.com
and proxies the traffic to 10.10.10.10:8880. Check the configuration syntax with:
nginx -t
then run
or
At this point, if the firewall, router and DNS are set up right, opening
http://git.example.com should bring up your GitLab login.
This runs certbot with the --nginx plugin, using -d to specify the names we'd like
the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email
address and agree to the terms of service. After doing so, certbot will communicate
with the Let's Encrypt server, then run a challenge to verify that you control the domain
you're requesting a certificate for.
If that's successful, certbot will ask how you'd like to configure your HTTPS settings:
Output
Select your choice (option 2) then hit ENTER. The configuration will be updated, and
Nginx will reload to pick up the new settings. certbot will wrap up with a message
telling you the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert will
expire on 2017-10-23. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Your certificates are downloaded, installed, and loaded. Try reloading your website
using https:// and notice your browser's security indicator. It should show that
the site is properly secured, usually with a green lock icon. Certbot has rewritten
git.example.com.conf, which now looks like this:
server {
    server_name git.example.com;
    # The internal IP and port of the service being proxied (the GitLab server here)
    set $upstream 10.10.10.10:8880;
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = git.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name git.example.com;
    listen 80;
    return 404; # managed by Certbot
}
This can be expanded in the Nginx config file to add geolocation blocking or
client authentication. For client authentication, generate a cert pair using OpenSSL, make
the client cert available to the browser and put the root cert (root.crt) that signed it on the
Nginx server, then add the following to the git.example.com.conf file under the ssl_dhparam line:
    # CA certificate used to verify client certificates
    ssl_client_certificate /etc/nginx/client_certs/root.crt;
    # require a valid client certificate; connections without one are rejected
    # during the TLS handshake (use "optional" together with an $ssl_client_verify
    # check if you would rather serve a 403 page to those who fail authentication)
    ssl_verify_client on;
Using this, you can only access the service if you have the correct client certificate.
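As an added example (not code from the original post), here is a small Python checker that parses an nginx config like the ones above and flags two pitfalls of this setup: an upstream still proxied on a plain-HTTP listener (the pre-certbot state) and ssl_verify_client set to optional with no $ssl_client_verify check, so the client certificate is never actually enforced. The sample config is constructed from this post's git.example.com example; parse and walk are generic and work on any nginx server block.

```python
import re
# Constructed sample modelled on this post's git.example.com config (not a live file).
SAMPLE_CONF = """
server {
    server_name git.example.com;  listen 443 ssl;  # managed by Certbot
    location / { proxy_pass http://10.10.10.10:8880; }
    ssl_client_certificate /etc/nginx/client_certs/root.crt;  ssl_verify_client on;
}
server {
    if ($host = git.example.com) { return 301 https://$host$request_uri; }
    server_name git.example.com;  listen 80;  return 404;  # managed by Certbot
}
"""

def parse(text):
    """Minimal nginx config parser: a nested list of (directive, args, children)."""
    tokens = re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', re.sub(r"#[^\n]*", "", text))
    stack, cur = [[]], []                  # stack[-1] holds the open block's children
    for tok in tokens:
        if tok in ";{":                    # ';' ends a directive, '{' opens a block
            node = (cur[0], cur[1:], [])
            stack[-1].append(node)
            cur = []
            if tok == "{":
                stack.append(node[2])
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok)
    return stack[0]

def walk(items):                           # every (directive, args), nested ones included
    for name, args, children in items:
        yield name, args
        yield from walk(children)

def audit(conf):
    """Return one finding per reverse-proxy pitfall; an empty list means clean."""
    findings = []
    for _, _, body in [s for s in parse(conf) if s[0] == "server"]:
        dirs = list(walk(body))
        host = next((" ".join(a) for n, a in dirs if n == "server_name"), "?")
        tls = any(n == "listen" and "ssl" in a for n, a in dirs)
        if any(n == "proxy_pass" for n, _ in dirs) and not tls:
            findings.append(f"{host}: upstream is proxied on a plain-HTTP listener")
        verify = next((a[0] for n, a in dirs if n == "ssl_verify_client"), "off")
        if verify == "optional" and not any(
                n == "if" and "$ssl_client_verify" in " ".join(a) for n, a in dirs):
            findings.append(f"{host}: optional client certificate is never enforced")
    return findings
```

Run audit() on the file in /etc/nginx/sites-enabled before and after certbot to see the first finding disappear; the port-80 block is clean because it only redirects.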