Nginx with SSL as reverse proxy on CentOS 7

Sep 28, 2017 04:23


FirewallD

# Open the http and https services in firewalld's active zone.
# --permanent only edits the on-disk configuration, so the rule set is
# reloaded afterwards to apply the change to the running firewall.
for svc in http https; do
  firewall-cmd --permanent --add-service="$svc"
done
firewall-cmd --reload

Nginx

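# nginx is packaged in EPEL, not in the base CentOS 7 repositories.
yum install epel-release
yum install nginx

# Start nginx now and on every boot.
systemctl enable nginx
systemctl start nginx

# SELinux (targeted policy) runs nginx in the httpd_t domain, which may not
# open outbound TCP connections by default. httpd_can_network_relay permits
# connections to ports labelled http_port_t / http_cache_port_t (8080, the
# upstream port used in the proxy configuration below, is http_cache_port_t),
# which is all a reverse proxy needs.
# httpd_can_network_connect would instead allow connections to ANY port; set it
# only if an upstream listens on a port without an http-related label, or
# better, label that port: semanage port -a -t http_port_t -p tcp <PORT>
setsebool -P httpd_can_network_relay 1

# Verify the httpd-related booleans.
getsebool -a | grep -i http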

HTTPS

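#######################################
# Create a self-signed certificate, private key and DH parameters for one host
# under /etc/ssl/nginx/<host>/ (the layout the nginx configuration expects).
# Arguments: $1 - hostname; used as the certificate CN and as the file stem
# Outputs:   <host>.crt, <host>.key and dh4096.pem in /etc/ssl/nginx/<host>/
# Notes:     the certificate carries only a CN and no subjectAltName, so
#            current browsers still warn, and www.<host> is not covered;
#            use a CA-issued certificate for anything beyond internal use.
#######################################
make_self_signed() {
  local host=$1
  local dir="/etc/ssl/nginx/${host}"

  # The original single "mkdir /etc/ssl/nginx/" left the per-host
  # subdirectories missing, so openssl could not write its output files.
  mkdir -p -- "$dir"

  # -nodes: unencrypted key, so nginx can start without a passphrase prompt.
  openssl req -new -x509 -days 365 -nodes \
    -out "${dir}/${host}.crt" \
    -keyout "${dir}/${host}.key" \
    -subj "/CN=${host}"

  # 4096-bit DH parameters take minutes to generate; run once per host.
  openssl dhparam -out "${dir}/dh4096.pem" 4096
}

make_self_signed drive.domain.com
make_self_signed wiki.domain.com

# The nginx master process reads certificates and keys as root before
# forking the unprivileged workers, so the private keys must NOT be owned by
# or readable for the "nginx" worker user: keep root ownership and mode 600.
chown -R root:root /etc/ssl/nginx/
chmod 600 /etc/ssl/nginx/drive.domain.com/drive.domain.com.key
chmod 600 /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key

# Restore the SELinux labels nginx expects under /etc/ssl.
restorecon -Rv /etc/ssl/nginx/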

Nginx configuration

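# /etc/nginx/nginx.conf
# Plain-HTTP listener that only redirects to HTTPS (presumably replacing the
# stock server block on port 80 — verify there is no second listener).
server {
    listen 80;
    return 301 https://$host$request_uri;
}

# /etc/nginx/conf.d/wiki.domain.com.conf
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name wiki.domain.com www.wiki.domain.com;

    # Paths follow the per-host layout /etc/ssl/nginx/<host>/ created with
    # openssl above; the flat /etc/ssl/nginx/wiki.domain.com.crt paths in the
    # original configuration do not exist, so nginx would fail to start.
    ssl_certificate     /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key;
    ssl_dhparam         /etc/ssl/nginx/wiki.domain.com/dh4096.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); re-add them only for a
    # legacy client that demonstrably needs them.
    ssl_protocols TLSv1.2;
    # NOTE(review): "!AESGCM" removes every AEAD suite and leaves only CBC
    # suites; drop that exclusion unless there is a specific reason for it.
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_prefer_server_ciphers on;

    # The same security headers set in drive.domain.com.conf can be added here.

    access_log /var/log/nginx/wiki.domain.com.access.log;

    location / {
        # Pass the original host and client address to the upstream; without
        # X-Forwarded-Proto the backend believes it is reached over plain HTTP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the “It appears that your reverse proxy set up is broken" error.
        proxy_pass http://192.168.0.24:8080;
        proxy_read_timeout 90;
        # Rewrite Location headers the upstream emits with its own address.
        proxy_redirect http://192.168.0.24:8080 https://wiki.domain.com;
    }
}

# /etc/nginx/conf.d/drive.domain.com.conf
server {
    # Without the "ssl" parameter nginx would serve plain HTTP on port 443
    # and the ssl_* directives below would never take effect.
    listen 443 ssl;
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate     /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;
    ssl_dhparam         /etc/ssl/nginx/drive.domain.com/dh4096.pem;

    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); see wiki.domain.com.conf.
    ssl_protocols TLSv1.2;
    # NOTE(review): "!AESGCM" excludes every AEAD suite (CBC only); see above.
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
    ssl_prefer_server_ciphers on;
    keepalive_timeout 70;

    # OCSP stapling needs a CA-issued certificate with an OCSP responder URI;
    # with the self-signed certificate generated above it has no effect.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this topic first.
    # HSTS is remembered by browsers for max-age seconds (here 180 days) and,
    # with includeSubDomains, applies to every subdomain of drive.domain.com:
    # enable it only once all of those are permanently served over HTTPS.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    access_log /var/log/nginx/drive.domain.com.access.log;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Fix the “It appears that your reverse proxy set up is broken" error.
        proxy_pass http://192.168.0.23:8080;
        proxy_read_timeout 90;
        proxy_redirect http://192.168.0.23:8080 https://drive.domain.com;
    }
}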
Links:
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
http://sharadchhetri.com/2014/07/21/owncloud-error-accessing-server-untrusted-domain/

Originally published at trichev.com/blog. You can comment here or there.

работа, it, ssl, linux, reverse proxy, work
