Nginx with SSL as reverse proxy on CentOS 7
FirewallD
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Nginx
yum install epel-release
yum install nginx
systemctl enable nginx
systemctl start nginx
setsebool -P httpd_can_network_relay 1
setsebool -P httpd_can_network_connect 1
getsebool -a | grep -i http
HTTPS
mkdir /etc/ssl/nginx/
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/drive.domain.com/dh4096.pem 4096
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/wiki.domain.com/dh4096.pem 4096
chown -R nginx:nginx /etc/ssl/nginx/
chmod 600 /etc/ssl/nginx/drive.domain.com/drive.domain.com.key
chmod 600 /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key
restorecon -Rv /etc/ssl/nginx/
Nginx configuration
vi /etc/nginx/nginx.conf
server {
listen 80;
return 301 https://$host$request_uri;
}
vi /etc/nginx/conf.d/wiki.domain.com.conf
server {
listen 443;
server_name wiki.domain.com www.wiki.domain.com;
ssl_certificate /etc/ssl/nginx/wiki.domain.com.crt;
ssl_certificate_key /etc/ssl/nginx/wiki.domain.com.key;
ssl on;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
ssl_dhparam /etc/ssl/nginx/dh4096.pem;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/wiki.domain.com.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://192.168.0.24:8080;
proxy_read_timeout 90;
proxy_redirect http://192.168.0.24:8080 https://wiki.domain.com;
}
}
vi /etc/nginx/conf.d/drive.domain.com.conf
server {
listen 443;
server_name drive.domain.com www.drive.domain.com;
ssl_certificate /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4";
ssl_dhparam /etc/ssl/nginx/drive.domain.com/dh4096.pem;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
ssl_stapling on;
ssl_stapling_verify on;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
access_log /var/log/nginx/drive.domain.com.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://192.168.0.23:8080;
proxy_read_timeout 90;
proxy_redirect http://192.168.0.23:8080 https://drive.domain.com;
}
}Links:
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
http://sharadchhetri.com/2014/07/21/owncloud-error-accessing-server-untrusted-domain/
