{"id":847,"date":"2017-09-28T04:23:16","date_gmt":"2017-09-27T21:23:16","guid":{"rendered":"https:\/\/trichev.com\/blog\/?p=847"},"modified":"2017-09-28T05:29:52","modified_gmt":"2017-09-27T22:29:52","slug":"nginx-with-ssl-as-reverse-proxy-on-centos-7","status":"publish","type":"post","link":"https:\/\/trichev.com\/blog\/2017\/09\/28\/nginx-with-ssl-as-reverse-proxy-on-centos-7\/","title":{"rendered":"Nginx with SSL as reverse proxy on CentOS 7"},"content":{"rendered":"<p><strong>FirewallD<\/strong><\/p>\n<p><code>firewall-cmd --permanent --add-service=http<br \/>\nfirewall-cmd --permanent --add-service=https<br \/>\nfirewall-cmd --reload<\/code><\/p>\n<p><strong>Nginx<\/strong><\/p>\n<p><code>yum install epel-release<br \/>\nyum install nginx<\/code><\/p>\n<p><code>systemctl enable nginx<br \/>\nsystemctl start nginx<\/code><\/p>\n<p><code>setsebool -P httpd_can_network_relay 1<br \/>\nsetsebool -P httpd_can_network_connect 1<\/code><\/p>\n<p><code>getsebool -a | grep -i http<\/code><\/p>\n<p><strong>HTTPS<\/strong><\/p>\n<p><code>mkdir -p \/etc\/ssl\/nginx\/drive.domain.com \/etc\/ssl\/nginx\/wiki.domain.com<\/code><\/p>\n<p><code>openssl req -new -x509 -days 365 -nodes -out \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.crt -keyout \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.key -subj \"\/CN=drive.domain.com\"<br \/>\nopenssl dhparam -out \/etc\/ssl\/nginx\/drive.domain.com\/dh4096.pem 4096<\/code><\/p>\n<p><code>openssl req -new -x509 -days 365 -nodes -out \/etc\/ssl\/nginx\/wiki.domain.com\/wiki.domain.com.crt -keyout \/etc\/ssl\/nginx\/wiki.domain.com\/wiki.domain.com.key -subj \"\/CN=wiki.domain.com\"<br \/>\nopenssl dhparam -out \/etc\/ssl\/nginx\/wiki.domain.com\/dh4096.pem 4096<\/code><\/p>\n<p><code>chown -R nginx:nginx \/etc\/ssl\/nginx\/<br \/>\nchmod 600 \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.key<br \/>\nchmod 600 \/etc\/ssl\/nginx\/wiki.domain.com\/wiki.domain.com.key<br \/>\nrestorecon -Rv \/etc\/ssl\/nginx\/<\/code><\/p>\n<p><strong>Nginx 
configuration<\/strong><\/p>\n<pre><code>vi \/etc\/nginx\/nginx.conf\r\nserver {\r\n    listen 80;\r\n    return 301 https:\/\/$host$request_uri;\r\n}\r\n\r\nvi \/etc\/nginx\/conf.d\/wiki.domain.com.conf\r\nserver {\r\n\r\n    listen 443 ssl;\r\n    server_name wiki.domain.com www.wiki.domain.com;\r\n\r\n    # Paths match the certificate and key generated above for wiki.domain.com\r\n    ssl_certificate \/etc\/ssl\/nginx\/wiki.domain.com\/wiki.domain.com.crt;\r\n    ssl_certificate_key \/etc\/ssl\/nginx\/wiki.domain.com\/wiki.domain.com.key;\r\n\r\n    ssl_session_cache  builtin:1000  shared:SSL:10m;\r\n    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;\r\n    ssl_ciphers \"-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4\";\r\n    ssl_dhparam \/etc\/ssl\/nginx\/wiki.domain.com\/dh4096.pem;\r\n    ssl_prefer_server_ciphers on;\r\n\r\n    access_log            \/var\/log\/nginx\/wiki.domain.com.access.log;\r\n\r\n    location \/ {\r\n\r\n      proxy_set_header        Host $host;\r\n      proxy_set_header        X-Real-IP $remote_addr;\r\n      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;\r\n      proxy_set_header        X-Forwarded-Proto $scheme;\r\n\r\n      # Fix the \"It appears that your reverse proxy set up is broken\" error.\r\n      proxy_pass          http:\/\/192.168.0.24:8080;\r\n      proxy_read_timeout  90;\r\n\r\n      proxy_redirect      http:\/\/192.168.0.24:8080 https:\/\/wiki.domain.com;\r\n    }\r\n}\r\n\r\nvi \/etc\/nginx\/conf.d\/drive.domain.com.conf\r\nserver {\r\n\r\n    listen 443 ssl;\r\n    server_name drive.domain.com www.drive.domain.com;\r\n\r\n    ssl_certificate \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.crt;\r\n    ssl_certificate_key \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.key;\r\n\r\n    ssl_session_timeout 5m;\r\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n    ssl_ciphers \"-ALL:EECDH+AES256:EDH+AES256:AES256-SHA:EECDH+AES:EDH+AES:!ADH:!NULL:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!3DES:!PSK:!SRP:!DSS:!AESGCM:!RC4\";\r\n    
ssl_dhparam \/etc\/ssl\/nginx\/drive.domain.com\/dh4096.pem;\r\n    ssl_prefer_server_ciphers on;\r\n    keepalive_timeout    70;\r\n    ssl_stapling on;\r\n    ssl_stapling_verify on;\r\n\r\n    # Add headers to serve security related headers\r\n    # Before enabling Strict-Transport-Security headers please read into this topic first.\r\n    add_header Strict-Transport-Security \"max-age=15552000; includeSubDomains\";\r\n    add_header X-Content-Type-Options nosniff;\r\n    add_header X-Frame-Options \"SAMEORIGIN\";\r\n    add_header X-XSS-Protection \"1; mode=block\";\r\n    add_header X-Robots-Tag none;\r\n    add_header X-Download-Options noopen;\r\n    add_header X-Permitted-Cross-Domain-Policies none;\r\n\r\n\r\n    access_log            \/var\/log\/nginx\/drive.domain.com.access.log;\r\n\r\n    location \/ {\r\n\r\n      proxy_set_header        Host $host;\r\n      proxy_set_header        X-Real-IP $remote_addr;\r\n      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;\r\n      proxy_set_header        X-Forwarded-Proto $scheme;\r\n\r\n      # Fix the \"It appears that your reverse proxy set up is broken\" error.\r\n      proxy_pass          http:\/\/192.168.0.23:8080;\r\n      proxy_read_timeout  90;\r\n\r\n      proxy_redirect      http:\/\/192.168.0.23:8080 https:\/\/drive.domain.com;\r\n    }\r\n}<\/code><\/pre>\n<p>Links:<br \/>\n<a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7\">https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7<\/a><br \/>\n<a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins\">https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins<\/a><br \/>\n<a 
href=\"https:\/\/www.nginx.com\/blog\/nginx-se-linux-changes-upgrading-rhel-6-6\/\">https:\/\/www.nginx.com\/blog\/nginx-se-linux-changes-upgrading-rhel-6-6\/<\/a><br \/>\n<a href=\"http:\/\/sharadchhetri.com\/2014\/07\/21\/owncloud-error-accessing-server-untrusted-domain\/\">http:\/\/sharadchhetri.com\/2014\/07\/21\/owncloud-error-accessing-server-untrusted-domain\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>FirewallD firewall-cmd &#8211;permanent &#8211;add-service=http firewall-cmd &#8211;permanent &#8211;add-service=https firewall-cmd &#8211;reload Nginx yum install epel-release yum install nginx systemctl enable nginx systemctl start nginx setsebool -P httpd_can_network_relay 1 setsebool -P httpd_can_network_connect 1 getsebool -a | grep -i http HTTPS mkdir \/etc\/ssl\/nginx\/ openssl req -new -x509 -days 365 -nodes -out \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.crt -keyout \/etc\/ssl\/nginx\/drive.domain.com\/drive.domain.com.key -subj &#8220;\/CN=drive.domain.com&#8221; openssl dhparam -out 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[231],"tags":[32,261,262,14,11],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/posts\/847"}],"collection":[{"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/comments?post=847"}],"version-history":[{"count":5,"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/posts\/847\/revisions"}],"predecessor-version":[{"id":852,"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/posts\/847\/revisions\/852"}],"wp:attachment":[{"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/media?parent=847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/categories?post=847"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trichev.com\/blog\/wp-json\/wp\/v2\/tags?post=847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}