Proxy pass and SSL certificates

Mephysto On Hell
Proxy pass and SSL certificates
May 03, 2018 10:40AM
Hello everyone,
I have been using Nginx in a production environment for some years, but I am
almost a newbie with SSL certificates and connections. At the moment I have
a configuration with two levels:

1. A first level Nginx that operates as load balancer
2. Two second level Nginx: the first hosts a web site and does not need an
SSL connection, the second hosts an Owncloud instance and needs an SSL
connection.

I am using Certbot and Let's Encrypt to generate signed certificates. At the
moment I have certificates installed in both levels and until last month
this configuration was working. After the certificate renewal (every three
months) I am getting an ERR_CERT_DATE_INVALID and I cannot access
Owncloud. Only the second level certificate has been renewed.

But if I try to connect directly to the second level Nginx, I do not get any
error and I can access Owncloud.

This is the first level Nginx config:

upstream cloud {
    server 10.39.0.52;
}

upstream cloud_ssl {
    server 10.39.0.52:443;
}


server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name cloud.diakont.it cloud.diakont.srl;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl on;
    server_name cloud.diakont.it cloud.diakont.srl;
    include snippets/cloud.diakont.it.conf;
    include snippets/ssl-params.conf;

    error_log /var/log/nginx/cloudssl.diakont.it.error.log info;
    access_log /var/log/nginx/cloudssl.diakont.it.access.log;

    location / {
        proxy_pass https://cloud_ssl/;
        proxy_redirect default;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }
}


I would like to set the first level Nginx to establish an SSL connection with
Owncloud without having to renew the certificates on both levels. Is it
possible? How do I have to change my config?

Thanks in advance.

Meph
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Joncheski
Re: Proxy pass and SSL certificates
May 04, 2018 01:40PM
Hello Meph,

Can you send the other configuration files (ssl-params.conf and
cloud.diakont.it.conf) which you include in this configuration?
And in "location /", you need to enter this "proxy_redirect default;"
because this is the default argument.

Best regards,
Goce Joncheski

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279665,279674#msg-279674

Mephysto On Hell
Re: Proxy pass and SSL certificates
May 04, 2018 02:40PM
Hello Goce,
thank you very much for your answer. I attached the files you requested to
this email.



Attachments:
- ssl-params.conf (747 bytes)
- cloud.diakont.it.conf (143 bytes)
Joncheski
Re: Proxy pass and SSL certificates
May 08, 2018 09:40AM
Hello Meph,

In configuration file "cloud.diakont.it.conf":
- In "ssl_certificate" please set the path of only the public certificate of
the server (cloud.diakont.it), and in "ssl_certificate_key" please set the
path of only the private key of the server (cloud.diakont.it).

In configuration file "ssl-params.conf":
- The certificates that you use for the server and for the client, by whom
are they issued and signed? If you are the issuer and signer yourself, these
parameters will be removed: ssl_ecdh_curve, ssl_stapling, add_header
X-Frame-Options DENY; add_header X-Content-Type-Options nosniff;

Change parameter: resolver_timeout 10s.

In nginx config:
- Add these arguments:
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_trusted_certificate <PATH-OF-ROOT-CA-CERTIFICATE>;
- And in location / like this:
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_pass https://cloud_ssl/;
    }

And check the configuration file (nginx -t).
After this, please send me more access and error logs for this.


Best regards,
Goce Joncheski

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279665,279710#msg-279710

Mephysto On Hell
Re: Proxy pass and SSL certificates
May 09, 2018 12:00PM
Hello Goce,
but with this configuration, can I disable SSL in the target Nginx?

Thanks in advance.

Meph

Joncheski
Re: Proxy pass and SSL certificates
May 10, 2018 10:20AM
Hello Meph,

No, exactly this has SSL.
Here's a suggested configuration:

nginx.conf:
------------------------------------------------------------------------------------------------------
user nginx;
worker_processes auto;
error_log /var/log/nginx/cloudssl.diakont.it.error.log;
events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/cloudssl.diakont.it.access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    upstream cloud {
        server 10.39.0.52;
    }

    upstream cloud_ssl {
        server 10.39.0.52:443;
    }


    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name cloud.diakont.it cloud.diakont.srl;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name cloud.diakont.it;

        #HTTPS-and-SSL

        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_trusted_certificate <PATH-OF-CA-CERTIFICATE>;

        include snippets/cloud.diakont.it.conf;
        include snippets/ssl-params.conf;

        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_pass https://cloud_ssl/;
        }
    }
}
------------------------------------------------------------------------------------------------------

cloud.diakont.it.conf:
------------------------------------------------------------------------------------------------------
ssl_certificate #PATH OF PUBLIC CERTIFICATE FROM SDP GATEWAY#;
ssl_certificate_key #PATH OF PRIVATE KEY FROM SDP GATEWAY#;
ssl_trusted_certificate #PATH OF PUBLIC CA CERTIFICATE#;
------------------------------------------------------------------------------------------------------

ssl-params.conf:
------------------------------------------------------------------------------------------------------
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

# this resolver and resolver_timeout may be commented out
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
------------------------------------------------------------------------------------------------------

Test this configuration and tell me :)
Best regards,
Goce Joncheski

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279665,279741#msg-279741
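As an added example, not taken from this thread or any of its posters, here is how the first level Nginx can present its own (separately renewed) certificate to browsers while verifying the backend's certificate on the proxied TLS connection. The certificate and CA bundle paths are assumed certbot/Debian defaults; the upstream address and host names are the ones from the thread, and proxy_ssl_name is needed because the upstream group is addressed by IP.

```nginx
# Front-end (first level) nginx, added example: it presents its own
# certificate to browsers and verifies the backend's certificate when
# proxying over TLS. File paths are assumed certbot/Debian defaults;
# the upstream address and host names are the ones from the thread.
upstream cloud_ssl {
    server 10.39.0.52:443;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name cloud.diakont.it cloud.diakont.srl;

    # The browser validates THIS pair, not the backend's. An
    # ERR_CERT_DATE_INVALID at the load balancer means this pair is
    # stale, so certbot has to renew it on this host as well.
    ssl_certificate     /etc/letsencrypt/live/cloud.diakont.it/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.diakont.it/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://cloud_ssl/;

        # Verify the backend's chain up to a trusted root (assumed path
        # of the system CA bundle, which contains ISRG Root X1).
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # The upstream is addressed by IP through the group "cloud_ssl",
        # so by default nginx would check the backend certificate against
        # the name "cloud_ssl" (the host from proxy_pass) and reject it.
        # Send and verify the real host name instead.
        proxy_ssl_server_name on;
        proxy_ssl_name cloud.diakont.it;

        # No TLS 1.0/1.1 between the two levels.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With verification on, a backend certificate that is expired or does not match proxy_ssl_name makes the proxied request fail with a 502 and an "upstream SSL certificate" line in the front-end error log, which separates a backend problem from a stale front-end certificate.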
