Nginx with SSL as reverse proxy on CentOS 7

FirewallD

# Allow HTTP and HTTPS through firewalld.  --permanent only edits the saved
# configuration; the --reload afterwards is what applies it to the running
# firewall, so nothing is opened until that line runs.
firewall-cmd --permanent --add-service={http,https}
firewall-cmd --reload

Nginx

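# nginx is in EPEL, not in the base CentOS 7 repositories.
yum install epel-release
yum install nginx

systemctl enable nginx
systemctl start nginx

# SELinux: nginx runs in the httpd_t domain, which by default may not open
# outbound TCP connections, so proxy_pass to the backends would be denied.
# httpd_can_network_relay only permits connections to the http/http_cache
# port types (tcp/8080 is http_cache_port_t on CentOS 7; verify with
# `semanage port -l | grep http`), which is all a reverse proxy needs.
setsebool -P httpd_can_network_relay 1

# httpd_can_network_connect is the broad version: it lets httpd_t connect to
# ANY port on ANY host.  Leave it off unless the backend port is not covered
# by the relay boolean above (least privilege -- a compromised nginx should
# not be able to reach arbitrary internal services).
# setsebool -P httpd_can_network_connect 1

# Confirm which httpd_* booleans are now enabled.
getsebool -a | grep -i http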

HTTPS

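# Private keys are created with the current umask; make them owner-only from
# the moment they are written instead of fixing permissions afterwards.
umask 077

# The certificate paths below use a per-host sub-directory, so that directory
# has to exist before openssl writes into it (mkdir -p creates both levels).
for host in drive.domain.com wiki.domain.com; do
  mkdir -p "/etc/ssl/nginx/${host}"

  # Self-signed certificate: every browser will warn until it is replaced by
  # a CA-issued one.  Note this cert carries only a CN; current browsers
  # require a subjectAltName, so expect a name-mismatch warning as well.
  openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
    -subj "/CN=${host}" \
    -keyout "/etc/ssl/nginx/${host}/${host}.key" \
    -out "/etc/ssl/nginx/${host}/${host}.crt"

  # DH parameters for the DHE suites; 4096 bits can take many minutes.
  openssl dhparam -out "/etc/ssl/nginx/${host}/dh4096.pem" 4096
done

# The nginx master process runs as root and loads the certificate/key before
# it spawns the unprivileged workers, so the key does NOT need to be readable
# by the "nginx" user.  Keep it root-owned and 0600 so a compromised worker
# cannot read the private key.
chown -R root:root /etc/ssl/nginx/
chmod 600 /etc/ssl/nginx/*/*.key
restorecon -Rv /etc/ssl/nginx/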

Nginx configuration

vi /etc/nginx/nginx.conf
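# Plain-HTTP listener whose only job is to redirect to HTTPS.
# NOTE: the nginx.conf shipped with the EPEL package already contains a
# "listen 80 default_server" block serving the welcome page; this block can
# coexist with it (it is not the default server), but requests with an
# unknown Host header will still reach that stock block.  Remove the stock
# block and add "default_server" here if everything on :80 should redirect.
server {
    listen 80;
    server_name wiki.domain.com www.wiki.domain.com drive.domain.com www.drive.domain.com;

    # $host echoes the client's Host header.  With the explicit server_name
    # above this block only answers for our own names, so the redirect
    # cannot be pointed at an arbitrary third-party host.
    return 301 https://$host$request_uri;
}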

vi /etc/nginx/conf.d/wiki.domain.com.conf
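server {
    # "listen 443 ssl" is what actually enables TLS on the socket; the old
    # "ssl on;" directive is deprecated and is not needed with it.
    listen 443 ssl;
    # www.wiki.domain.com is served here but the self-signed cert above only
    # carries CN=wiki.domain.com, so that name will produce a mismatch warning.
    server_name wiki.domain.com www.wiki.domain.com;

    # Paths must match where the "HTTPS" step generated the files
    # (per-host sub-directory under /etc/ssl/nginx/).
    ssl_certificate     /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key;
    ssl_dhparam         /etc/ssl/nginx/wiki.domain.com/dh4096.pem;

    # A shared cache alone is what the nginx docs recommend; the builtin
    # cache is per-worker and is not shared between them.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    # TLS 1.0/1.1 are deprecated (RFC 8996); allow only 1.2.  Add TLSv1.3
    # once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    # Forward-secret (ECDHE/DHE) suites with AEAD (GCM) first.  The previous
    # list explicitly excluded AES-GCM, leaving only CBC suites, and admitted
    # the static-RSA suite AES256-SHA, which has no forward secrecy.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES128:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!RC4:!DSS:!PSK:!SRP";
    ssl_prefer_server_ciphers on;

    # Basic hardening headers (same set as the drive host, minus HSTS, which
    # should only be sent once a certificate trusted by all clients is in
    # place).  NOTE: add_header is NOT inherited into a location block that
    # defines its own add_header; keep all of them in one place.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";

    access_log            /var/log/nginx/wiki.domain.com.access.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      # $proxy_add_x_forwarded_for APPENDS to any X-Forwarded-For the client
      # sent; the backend must only trust the last (right-most) address.
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://192.168.0.24:8080;
      proxy_read_timeout  90;

      # Rewrite Location headers the backend emits with its own address so
      # redirects stay on the public HTTPS name.
      proxy_redirect      http://192.168.0.24:8080 https://wiki.domain.com;
    }
}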

vi /etc/nginx/conf.d/drive.domain.com.conf
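server {
    # The original "listen 443;" had no ssl parameter and this block had no
    # "ssl on;", so TLS was not explicitly enabled for this server at all.
    listen 443 ssl;
    # www.drive.domain.com is served here but the self-signed cert only
    # carries CN=drive.domain.com, so that name will produce a mismatch warning.
    server_name drive.domain.com www.drive.domain.com;

    ssl_certificate     /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
    ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;
    ssl_dhparam         /etc/ssl/nginx/drive.domain.com/dh4096.pem;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;

    # TLS 1.0/1.1 are deprecated (RFC 8996); allow only 1.2.  Add TLSv1.3
    # once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    # Forward-secret (ECDHE/DHE) suites with AEAD (GCM) first.  The previous
    # list explicitly excluded AES-GCM, leaving only CBC suites, and admitted
    # the static-RSA suite AES256-SHA, which has no forward secrecy.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES128:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!RC4:!DSS:!PSK:!SRP";
    ssl_prefer_server_ciphers on;
    keepalive_timeout    70;

    # OCSP stapling only works for a CA-issued certificate that carries an
    # OCSP responder URL; with the self-signed cert from the HTTPS step nginx
    # logs a warning and ignores these.  They become useful once a real
    # certificate is installed.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers.  NOTE: add_header is NOT inherited into a location
    # block that defines its own add_header; keep all of them in one place.
    #
    # HSTS: browsers ignore this header on a connection with certificate
    # errors, so it has no effect with the self-signed cert -- but once a
    # trusted cert is deployed, clients will refuse plain HTTP (and refuse to
    # bypass cert errors) for drive.domain.com AND every subdomain of it for
    # 180 days.  Only enable after confirming all subdomains serve HTTPS.
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    # X-XSS-Protection is deprecated (modern browsers ignore it); kept only
    # because some application self-checks still look for it.
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    access_log            /var/log/nginx/drive.domain.com.access.log;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      # $proxy_add_x_forwarded_for APPENDS to any X-Forwarded-For the client
      # sent; the backend must only trust the last (right-most) address.
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the "It appears that your reverse proxy set up is broken" error.
      proxy_pass          http://192.168.0.23:8080;
      proxy_read_timeout  90;

      # Rewrite Location headers the backend emits with its own address so
      # redirects stay on the public HTTPS name.
      proxy_redirect      http://192.168.0.23:8080 https://drive.domain.com;
    }
}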

Links:
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
http://sharadchhetri.com/2014/07/21/owncloud-error-accessing-server-untrusted-domain/
