nginx reverse proxy and https certificate configuration

author: yunqimg(ccxtcxx0)

1. Compile and install nginx

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
  • Pay attention to adding the SSL module (--with-http_ssl_module) during compilation, otherwise the HTTPS configuration will fail
  • After installation, the nginx binary is saved in the /usr/local/nginx/sbin/ directory by default. The command to start nginx is as follows
/usr/local/nginx/sbin/nginx -c /home/nginx/nginx.conf

It is recommended to start nginx with an explicitly specified configuration file path, which makes it convenient to modify the configuration file when deploying in Docker

2. Reverse proxy configuration

  • Basic configuration example:
## Basic reverse proxy server ##
upstream backend  {
    server 127.0.0.1:8080; # local server
}

server {
    location / {
        proxy_pass  http://backend;
    }
}

The upstream node records the backend server address, and backend is the node name.
The nginx reverse proxy does not require any additional module: the proxy_pass directive is provided by default, so only the configuration file needs to be modified to implement the reverse proxy.

  • Nginx reverse proxy template
## Basic reverse proxy server ##
upstream tornado  {
    server 127.0.0.1:8080; # local server
}

server {
    listen          80;
    server_name     example.com;

    access_log      /home/nginx/log/access.log  main;
    error_log       /home/nginx/log/error.log;

    root            html;
    index           index.html index.htm index.php;
  
    ## send request back to tornado ##
    location / {
        proxy_pass  http://tornado;
  
        # Proxy Settings
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_max_temp_file_size    0;
        proxy_connect_timeout       90;
        proxy_send_timeout          90;
        proxy_read_timeout          90;
        proxy_buffer_size           4k;
        proxy_buffers               4 32k;
        proxy_busy_buffers_size     64k;
        proxy_temp_file_write_size  64k;
   }
}

For the nginx reverse proxy configuration, it is recommended to keep it in a separate file. For example, save the above template to the file tornado.conf, then add include /home/nginx/tornado.conf to nginx.conf to link the two configuration files.

Add the include directive inside the http block as follows

http {
    include       mime.types;
    default_type  application/octet-stream;

    # xxx
    # xxx
    # ...
    include       /home/nginx/tornado.conf;
}
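The template above forwards the client address to the backend in X-Real-IP and X-Forwarded-For, but a client can send its own X-Forwarded-For header and $proxy_add_x_forwarded_for only appends to it. As an added example (not part of the original post), the Python below mimics that nginx variable and shows how a backend such as the Tornado app should pick the client address; it assumes nginx at 127.0.0.1 is the only trusted proxy and that the backend is not reachable directly.

```python
import ipaddress

# Constructed for this example: nginx, configured as in the template above, is
# the only host allowed to reach the backend, and it sets X-Forwarded-For with
# $proxy_add_x_forwarded_for. The backend therefore trusts only 127.0.0.1.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Mimic nginx's $proxy_add_x_forwarded_for: append the connecting peer's
    address to whatever X-Forwarded-For the client sent (possibly forged)."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def _trusted(addr):
    """True when addr is a proxy we control; malformed strings are untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(remote_addr, x_forwarded_for):
    """Return the client address the backend should log or rate-limit on.

    remote_addr is the backend's TCP peer (nginx when proxied). Walk the
    X-Forwarded-For chain from the right, stepping past trusted proxies only;
    the first untrusted address is the client. Values further left were
    supplied by the client itself and are ignored."""
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        if not _trusted(candidate):
            break
        candidate = hop
    return candidate

if __name__ == "__main__":
    # A client at 203.0.113.5 sends a forged header claiming to be 1.2.3.4.
    xff = proxy_add_x_forwarded_for("1.2.3.4", "203.0.113.5")
    print(xff, "->", client_ip("127.0.0.1", xff))  # client is 203.0.113.5
```

If a request reaches the backend without passing through nginx, the forged header is ignored entirely because the TCP peer itself is untrusted.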

How to obtain an HTTPS certificate

Please refer to NGINX configure HTTPS server

Mainly refer to the section on using OpenSSL to generate the SSL key and CSR files

HTTPS basic configuration

To enable the HTTPS service, in the server block you must use the ssl parameter of the listen directive and define the server certificate file and private key file, as shown below

server {
    # ssl parameter
    listen              443 ssl;
    server_name         example.com;
    # Certificate file
    ssl_certificate     example.com.crt;
    # Private key file
    ssl_certificate_key example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    #...
}

example.com.crt and example.com.key can be given any name, as long as the configuration matches the actual file names
If a bare file name for the certificate or private key does not work, try the full path instead, for example: ssl_certificate /home/nginx/example.com.crt

The certificate file is sent to every client that connects to the server, so it is a public entity. The private key file is a secret and should be stored in a directory with restricted permissions, while making sure the nginx master process can still read it.
The private key may also be placed in the same file as the certificate, as follows:

ssl_certificate     www.example.com.cert;
ssl_certificate_key www.example.com.cert;

In this case the read permission of the combined file should also be restricted. Although the certificate and the private key are stored in the same file, only the certificate is sent to the client
The ssl_protocols and ssl_ciphers directives restrict connections to strong SSL/TLS versions and cipher suites. The default values are as follows

ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers     HIGH:!aNULL:!MD5;

Enhance HTTPS security

The basic HTTPS configuration above relies on SHA-1 by default, which is weak, and its security is decreasing year by year. In 2014, Google's official blog announced that Chrome would gradually downgrade the security indicator shown for SHA-1 certificates, and that SHA-2 signed certificates would be used from 2015. Please refer to the article published by rabbit'run in 2014: Why Google is eager to kill SHA-1

For this reason, a mainstream HTTPS configuration should avoid SHA-1 and can use the Diffie-Hellman (D-H) key exchange scheme.

First, run the following command in the directory /etc/ssl/certs to generate the dhparam.pem file

openssl dhparam -out dhparam.pem 2048

Then add the following nginx configuration

# Prefer the server's cipher order over the client's
ssl_prefer_server_ciphers on;
# Use the generated DH parameters file
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Define the cipher suites
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

If the server has enough CPU capacity, a stronger 4096-bit parameter can be generated instead.

In general, the following security-enhancing directives should also be added

# Reduce clickjacking: forbid framing of pages
add_header X-Frame-Options DENY;
# Prevent browsers from MIME-sniffing the content type
add_header X-Content-Type-Options nosniff;
# Enable the browser's XSS filter
add_header X-Xss-Protection 1;

These security directives are explained in detail in Jerry Qu's article Some security related HTTP response headers.

Optimized comprehensive configuration

worker_processes auto;

http {

    # Configure the shared session cache size according to site traffic
    ssl_session_cache   shared:SSL:10m;
    # Configure the session timeout
    ssl_session_timeout 10m;

    server {
        listen              443 ssl;
        server_name         www.example.com;

        # Keep-alive timeout for long connections
        keepalive_timeout   70;

        # Certificate file
        ssl_certificate     www.example.com.crt;
        # Private key file
        ssl_certificate_key www.example.com.key;

        # Prefer the server's cipher order over the client's
        ssl_prefer_server_ciphers on;
        # Use the generated DH parameters file
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Define the cipher suites
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
        # Reduce clickjacking: forbid framing of pages
        add_header X-Frame-Options DENY;
        # Prevent browsers from MIME-sniffing the content type
        add_header X-Content-Type-Options nosniff;
        # Enable the browser's XSS filter
        add_header X-Xss-Protection 1;
        #...
    }
}
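As an added example (not from the original post), the Python below audits a server block for the hardening points discussed in this section: deprecated protocol versions (TLS 1.0/1.1 have since been deprecated by RFC 8996), RC4 in the cipher string, ssl_prefer_server_ciphers, ssl_dhparam and the three security headers. The sample block is constructed from the configuration above and assumes each directive sits on a single line.

```python
import re

# Constructed sample: the block above with its original ssl_protocols and one header missing.
SAMPLE_CONF = """
server {
    listen              443 ssl;
    ssl_certificate_key www.example.com.key;   # private key
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+RC4 !aNULL !MD5 !RC4";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
"""

DIRECTIVE = re.compile(r"^([a-z_]+)\s+(.*?)\s*;(?:\s*#.*)?$")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 6176, 7568, 8996
WANTED_HEADERS = {"X-Frame-Options", "X-Content-Type-Options", "X-Xss-Protection"}

def parse_directives(conf):
    """One-line directives -> (name, value) pairs; braces and comments are skipped."""
    pairs = []
    for line in (l.strip() for l in conf.splitlines()):
        m = DIRECTIVE.match(line) if line and not line.startswith("#") else None
        if m:
            pairs.append((m.group(1), m.group(2).strip('"')))
    return pairs

def audit(conf):
    """Return findings for the hardening points discussed above (empty = pass)."""
    pairs = parse_directives(conf)
    def val(name):
        return " ".join(v for n, v in pairs if n == name)
    findings = []
    weak = set(val("ssl_protocols").split()) & WEAK_PROTOCOLS
    if weak:
        findings.append("ssl_protocols enables deprecated " + ", ".join(sorted(weak)))
    ciphers = val("ssl_ciphers")
    # In an OpenSSL cipher string "!RC4" removes RC4 suites wherever it appears
    if "RC4" in ciphers and "!RC4" not in ciphers:
        findings.append("ssl_ciphers allows RC4")
    if val("ssl_prefer_server_ciphers") != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    if not val("ssl_dhparam"):
        findings.append("ssl_dhparam not set")
    present = {v.split()[0] for n, v in pairs if n == "add_header"}
    for h in sorted(WANTED_HEADERS - present):
        findings.append("missing add_header " + h)
    return findings
```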

Force HTTPS

To remain compatible with the original HTTP access on port 80, you can forward all requests on port 80 to port 443 by adding the following configuration between the upstream and server blocks

## your-domain.com ##
server {
    listen       80;
    server_name  your-domain.com;

    location = / {
        rewrite ^/(.*) https://your-domain.com/$1 permanent;     # force redirect http to https
    }

    location / {
        rewrite ^/(.*) https://your-domain.com/ permanent;       # force redirect http to https
    }
}

Reference resources

https://www.cnblogs.com/ghjbk/p/6744131.html
Httpupstream nginx Chinese document
The principle and configuration of nginx reverse proxy
nginx reverse proxy
single_http_https_server
Nginx configures upstream to realize load balancing
Reverse proxy configuration and load balancing for Nginx installation and deployment
Nginx configure HTTPS server
Nginx+Https configuration
Some security related HTTP response headers
nginx forces https access (http jumps to https)
Nginx configure HTTPS
location configuration of nginx
The plain HTTP request was sent to HTTPS port
SSL For Free get Let's Encrypt free SSL certificate

Posted on Sun, 02 Feb 2020 01:27:11 -0500 by lew14