1 Answer

When our content is valuable and we are rightly concerned about the privacy and security of our users, we can use Nginx to control and secure access to our services and the data we manage.

Nginx SSL Termination

An SSL (Secure Sockets Layer) connection uses a certificate for authentication before sending encrypted data from a client computer to the web server. SSL termination is a form of SSL offloading (decryption) that shifts some of this responsibility from the web server to a different machine. SSL termination is used to recognize encrypted data.

In this section, we will describe how to configure an HTTPS server on NGINX Plus and NGINX.

To set up an HTTPS server in our nginx.conf file, add the ssl parameter to the listen directive in the server block, then specify the locations of the server certificate and private key files:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    # TLSv1 and TLSv1.1 are deprecated by RFC 8996; current deployments list TLSv1.2 TLSv1.3
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    #...
}

The server certificate is a public entity. It is sent to every client that connects to NGINX Plus or NGINX.

The private key is a secure entity and should be stored in a file with restricted access. However, the nginx master process must be able to read this file. We can also store the private key in the same file as the certificate:

ssl_certificate     www.example.com.cert;
ssl_certificate_key www.example.com.cert;

The ssl_protocols and ssl_ciphers directives can be used to require that clients use only strong versions and ciphers of SSL/TLS when establishing connections.

SSL Termination for TCP Upstream Servers

Obtaining the SSL Certificate

First, we will need to obtain a server certificate and a private key and put them on the server. A certificate can be obtained from a trusted CA (Certificate Authority) or generated using an SSL library such as OpenSSL.

Configure Nginx Plus

To configure SSL termination, add the following directives to the NGINX Plus configuration:

Enabling SSL

To enable SSL, define the ssl parameter of the listen directive for the TCP server that passes connections to an upstream server group:

stream {

    server {
        listen     12345 ssl;
        proxy_pass backend;
        #...
    }
}

Adding SSL Certificates

To add SSL Certificates, define the path to the certificates with the ssl_certificate directive, and specify the path to the private key in the ssl_certificate_key directive:

server {
    #...
    ssl_certificate        /etc/ssl/certs/server.crt;
    ssl_certificate_key    /etc/ssl/certs/server.key;
}

Additionally, the ssl_protocols and ssl_ciphers directives can be used to limit connections to only strong versions and ciphers of SSL/TLS:

server {
    #...
    # TLSv1 and TLSv1.1 are deprecated by RFC 8996; current deployments list TLSv1.2 TLSv1.3
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers    HIGH:!aNULL:!MD5;
}

Restricting Access with HTTP Basic Authentication

We can restrict access to our website or some parts of it by implementing username and password authentication. Usernames and passwords are taken from a file created and populated by a password-file creation tool, for example, apache2-utils.

Creating a Password File

To create username-password pairs, use a password file creation utility, for example, httpd-tools or apache2-utils:

1. First, verify that httpd-tools or apache2-utils is installed.

2. To create a password file and a first user, run the htpasswd utility with the -c flag (which creates a new file), the file pathname as the first argument, and the username as the second argument:

$ sudo htpasswd -c /etc/apache2/.htpasswd user1  

Press Enter and enter the password for user1 at the prompts.

3. Create additional username-password pairs. Omit the -c flag since the file already exists:

$ sudo htpasswd /etc/apache2/.htpasswd user2  

4. We can make sure that the file contains paired usernames and encrypted passwords:

$ cat /etc/apache2/.htpasswd
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/
user3:$apr1$Mr5A0e.U$0j39Hp5FfxRkneklXaMrr/

Configuring Nginx Plus and Nginx for HTTP Basic Authentication

1. Inside a location that we are going to protect, define the auth_basic directive and give a name to the password-protected area. The name of the area will be shown in the username and password dialog window when asking for credentials.

location /api {
    auth_basic "Administrator's Area";
    #...
}

2. Define the auth_basic_user_file directive with the path to the .htpasswd file that contains user/password pairs:

location /api {
    auth_basic           "Administrator's Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}
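The server block in the answer enables TLSv1 and TLSv1.1, which RFC 8996 deprecated, and selects ciphers with the OpenSSL HIGH keyword, whose expansion depends on the OpenSSL build nginx is linked against. The Python lint below is an added example; it is not part of the answer and not an NGINX tool. It reads the one-line directives of a server block with a regex (nested blocks are deliberately ignored) and reports deprecated protocols, group keywords, suites without forward secrecy and a missing HSTS header. It is run against the answer's own block and against a hardened variant that I constructed; the explicit suite list and the HSTS max-age in that variant are my choices, not values from the page.

```python
import re

# Protocol versions that should not be enabled: SSLv2/SSLv3 are broken,
# TLS 1.0 and 1.1 were deprecated by RFC 8996.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-list group keywords; what they expand to depends on the
# OpenSSL version nginx is linked against, so an explicit list is preferable.
GROUP_KEYWORDS = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "COMPLEMENTOFALL",
                  "HIGH", "MEDIUM", "LOW", "EXPORT"}

# Matches one-line directives only ("name value ...;"); braces and blocks are skipped.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$", re.M)

# Sample input 1: the HTTPS server block from the answer, reproduced as given.
WEAK_CONF = """
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
}
"""

# Sample input 2 (constructed, my choices): TLS 1.2/1.3 only, explicit ECDHE AEAD
# suites, server-side preference and an HSTS header.
HARDENED_CONF = """
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""


def parse_directives(conf):
    """Return a list of (name, [values]) for every one-line directive in the text."""
    return [(name, value.split()) for name, value in DIRECTIVE_RE.findall(conf)]


def lint_tls(conf):
    """Return a list of findings for the TLS settings in `conf`; empty means nothing flagged."""
    protos, cipher_spec, hsts = set(), "", False
    for name, values in parse_directives(conf):
        if name == "ssl_protocols":
            protos = set(values)
        elif name == "ssl_ciphers" and values:
            cipher_spec = values[0].strip('"')
        elif name == "add_header" and values and values[0] == "Strict-Transport-Security":
            hsts = True

    findings = []
    weak = sorted(protos & WEAK_PROTOCOLS)
    if weak:
        findings.append("deprecated protocol(s) enabled: " + " ".join(weak))
    if not protos:
        findings.append("ssl_protocols not set; the nginx default for this build applies")
    elif "TLSv1.3" not in protos:
        findings.append("TLSv1.3 not enabled")

    # Only positively selected tokens matter; "!X" and "-X" remove suites.
    tokens = [t for t in cipher_spec.split(":") if t and not t.startswith(("!", "-"))]
    groups = sorted(t for t in tokens if t.upper() in GROUP_KEYWORDS)
    if groups:
        findings.append("cipher list uses OpenSSL group keyword(s) " + " ".join(groups)
                        + "; actual suites depend on the linked OpenSSL")
    # Explicit suites without an (EC)DHE key exchange give no forward secrecy.
    no_pfs = sorted(t for t in tokens
                    if t.upper() not in GROUP_KEYWORDS and not t.startswith(("ECDHE", "DHE", "TLS_")))
    if no_pfs:
        findings.append("suite(s) without forward secrecy: " + " ".join(no_pfs))
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, conf in (("answer", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, lint_tls(conf) or ["ok"])
```

Running the script prints four findings for the answer's block and "ok" for the hardened one. The parser is intentionally simple: it does not follow include directives or inherit settings from an enclosing http block, so run it on the effective server block (for example the output of nginx -T) rather than on fragments.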
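The .htpasswd entries shown above are Apache MD5-crypt ($apr1$), the scheme htpasswd writes by default with -m. The Python block below is an added example, not code from the answer or from the htpasswd tool: it reimplements that scheme so an entry can be verified without Apache utilities, and audits a constructed password file by the scheme each line uses, flagging everything except bcrypt and SHA-crypt for rehashing. Assumptions to note: the scheme detector is prefix-based; the bcrypt line in the sample is a placeholder shaped like bcrypt output, not a real hash; and whether nginx accepts bcrypt or SHA-crypt entries at all depends on the crypt() of the host system, which the script cannot check.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"


def _to64(value, count):
    """md5crypt's base-64 variant: emit `count` characters, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password, salt=None):
    """Apache MD5-crypt as written by `htpasswd -m`; the salt is up to 8 ITOA64 chars."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    pw = password.encode()
    s = salt.encode()[:8]
    h = hashlib.md5(pw + APR1_MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in len(pw) bytes of the alternate sum
        h.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # one byte per bit of len(pw): NUL or pw[0]
        h.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = h.digest()
    for r in range(1000):             # fixed 1000-round stretching schedule
        h = hashlib.md5()
        h.update(pw if r & 1 else final)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(pw)
        h.update(final if r & 1 else pw)
        final = h.digest()
    enc = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return "$apr1$" + s.decode() + "$" + enc


def verify_apr1(password, stored):
    """True if `password` matches a $apr1$ entry; the comparison is constant-time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


def hash_scheme(entry):
    """Classify an htpasswd hash field by its prefix (or the 13-char DES-crypt shape)."""
    if entry.startswith("$apr1$"):
        return "apr1-md5"
    if entry.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if entry.startswith(("$5$", "$6$")):
        return "sha-crypt"
    if entry.startswith("{SSHA}"):
        return "ssha1"
    if entry.startswith("{SHA}"):
        return "sha1"
    if entry.startswith("{PLAIN}"):
        return "plain"
    if len(entry) == 13:
        return "des-crypt"
    return "unknown"


STRONG_SCHEMES = {"bcrypt", "sha-crypt"}

# Constructed sample file: the three entries from the answer plus lines added
# to exercise the detector. user6 is a placeholder in bcrypt shape, not a real hash.
SAMPLE_HTPASSWD = """\
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/
user3:$apr1$Mr5A0e.U$0j39Hp5FfxRkneklXaMrr/
user4:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
user5:{PLAIN}hunter2
user6:$2y$10$placeholderplaceholderplaceholderplaceholderplacehold
"""


def parse_htpasswd(text):
    """Return {user: hash_field}, skipping blank and '#' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, field = line.partition(":")
        users[user] = field
    return users


def audit_htpasswd(text):
    """Return {user: (scheme, needs_rehash)}; only bcrypt and SHA-crypt pass."""
    return {u: (hash_scheme(h), hash_scheme(h) not in STRONG_SCHEMES)
            for u, h in parse_htpasswd(text).items()}


if __name__ == "__main__":
    for user, (scheme, weak) in audit_htpasswd(SAMPLE_HTPASSWD).items():
        print(f"{user}: {scheme}{' (rehash)' if weak else ''}")
```

apr1 is unsalted-iteration MD5 with a fixed 1000 rounds, so it is cheap to brute-force offline if the file leaks; the audit therefore treats it as legacy even though it is what the answer's htpasswd command produces. Use the verifier to check candidate passwords against an existing file, and prefer htpasswd -B (bcrypt) for new entries where the system crypt() supports it.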
