How to set up nginx as an HTTPS reverse proxy

Here is one example of how to set up nginx so that it terminates HTTPS with the certificate you created (see my last article) and forwards the request to a backend.

In the location block you forward the request to a plain-HTTP server that can sit in your DMZ; the outside world only ever talks to the public domain over HTTPS. Two caveats: the backend must be reachable only from the proxy (otherwise the same content is exposed unencrypted), and the backend should be told the original scheme and host (see the proxy_set_header lines), or the redirects and absolute links it generates will point at http://.

server {
    listen 443 ssl;
    server_name wayneshare.com;

    # Relative paths resolve against nginx's prefix (e.g. /etc/nginx). The .crt must hold
    # the leaf certificate followed by the intermediate CA cert(s); a leaf on its own
    # fails validation in many clients.
    ssl_certificate     cert_wayneshare/cert_wayneshare.crt;
    ssl_certificate_key cert_wayneshare/key_wayneshare.pem;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    # Do not let clients negotiate TLS 1.0/1.1 (nginx's default used to allow them);
    # drop TLSv1.3 on nginx older than 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    client_body_buffer_size 200k;
    client_header_buffer_size 20k;
    client_max_body_size 256m;
    large_client_header_buffers 16 32k;

    access_log /var/log/nginx/node0.access.log;
    error_log  /var/log/nginx/node0.error.log info;

    location /internal/ {
        # Tell the backend what the client really asked for. Without Host and
        # X-Forwarded-Proto the backend believes it is serving http://10.1.1.36/.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_pass http://10.1.1.36/internal/;
    }
}

 

Now that HTTPS is enabled you can force-redirect the HTTP site (or a single URL) to HTTPS with this nginx setting. Note that the redirect below only covers /internal/ because it sits in that location; put the return at server level to redirect everything:

 

server {
    listen 80;
    ............
    location /internal/ {
        # 301 is cached by browsers, so use 302 while testing. $host (what the client
        # asked for) is the safer choice over $server_name when a block serves several names.
        return 301 https://$server_name$request_uri;
    }
}

 


How to set up Tomcat to use the HTTPS certificate

Once I had the signed SSL/HTTPS certificate from the CA, I needed to use it in web servers such as Apache, nginx and Tomcat. Here is one example of importing the certificate into a keystore and configuring Tomcat to serve it on port 443:

1. To import an existing certificate, its private key and the CA chain into a PKCS12 keystore with OpenSSL, run something like:

openssl pkcs12 -export -in wayneshare.crt -inkey mykey.key -out wayneshare.p12 -name mycerts -CAfile myCA.crt -caname root -chain

(myCA.crt must contain every CA certificate up to the root for -chain to succeed. Tomcat can load this .p12 directly with keystoreType="PKCS12", so the keytool route below is only needed if you want a JKS.)

Or with keytool:

The certificate you get from a CA is normally signed by an intermediate CA, which is itself signed by a root: a chain. To install the chain into your keystore with keytool, import the CA certificates first, from the root down:

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

and finally import your own signed certificate, using the alias of the key pair that produced the CSR (keytool then treats it as a certificate reply and attaches it to the private key; under any other alias it is merely stored as a trusted certificate):

keytool -import -alias mycerts -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

In my case there were two CA levels to import before my own certificate (waynecert is the alias the key pair and CSR were created with):

keytool -import -alias root -keystore keystore.jks -trustcacerts -file wayneshare_com.ca0.crt
keytool -import -alias intermed -keystore keystore.jks -trustcacerts -file wayneshare_com.ca1.crt
keytool -import -alias waynecert -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.crt

 

2. With the certificate in the keystore, edit Tomcat's server.xml and point the HTTPS connector at it:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="500"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/home/certificate/keystore.jks" keystorePass="mypass"
    clientAuth="false" sslProtocol="TLS"/>

/home/certificate/ is the folder where I keep my certificate and keystores. A few caveats: keystorePass sits in clear text here, so restrict server.xml and the keystore to the Tomcat user (chmod 600). sslProtocol="TLS" only names the JSSE context and does not restrict versions; use sslEnabledProtocols="TLSv1.2" (plus TLSv1.3 on a JVM that supports it) to switch old ones off. Binding port 443 needs root or a capability such as CAP_NET_BIND_SERVICE. On Tomcat 8.5 and later these attributes still work, but the preferred form is a nested <SSLHostConfig> element.

3. Restart Tomcat and you should be serving HTTPS on port 443.

 

 

 

How to get an HTTPS certificate for your website

Your website needs an SSL/TLS certificate to serve HTTPS. There are free issuers and budget ones; here I use SSLS.COM, a budget reseller, as the example and list the steps to get a certificate for your site.

1. First, create a Java keystore containing your 2048-bit private key, and give the entry a validity in days (this only affects the self-signed placeholder; the CA decides the real lifetime). No sudo is needed: run it as the user that will own the keystore and keep the file readable only by that user. Use the same alias (here waynecert) in every later step, because the CSR and the certificate import must refer to this key pair:

keytool -genkey -alias waynecert -keystore keystore.jks -storepass mypass -keyalg RSA -keysize 2048 -keypass mypass -validity 3650 -dname "cn=wayneshare.com,OU=Dept Name,O=Wayne Share LLC,L=Palo Alto,ST=CA,C=US"

Optionally also keep a copy in PKCS12 format, which openssl and non-Java servers can read, and list both to check the entry:

keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype pkcs12
keytool -list -v -keystore keystore.jks -storepass mypass
keytool -list -v -keystore keystore.p12 -storetype PKCS12 -storepass mypass

2. Create a CSR from that private key:

keytool -certreq -alias waynecert -file certreq.csr -keystore keystore.jks

(Add -ext SAN=dns:wayneshare.com,dns:www.wayneshare.com if you want the names in the request itself; most CAs take the names from the order form anyway.)

3. I used ssls.com to buy the certificate: place the order there.

4. Activate the certificate at SSLS.COM with the content of your CSR.

4.1 Paste the CSR content into the activation step at ssls.com:

less certreq.csr

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDEjCCAfoCAQAwgZwxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTESMBAGA1UE
BxMJUGFsbyBBbHRvMTswOQYDVQQKEzJCb3NjaCBSZXNlYXJjaCBhbmQgVGVjaG5v
bG9neSBDZW50ZXIgTm9ydGggQW1lcmljYTEUMBIGA1UECxMLQ1IvUlRDLUhNSTMx
GTAXBgNVBAMTEGljbG91ZC1yYWRpby5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCAJnRWYm48FVmqVDBAf4+UWW9k2uI0oOMC9yazAgGQecH8lKwH
GwJO0cHWAnBT86d7chdmr2susfwQ47vDcfmHU8q2Rwk3xADYSHxob5GYnTSewHUI
YFTUOx/G7a/w/jrjLZlR5ZP8TBHoM+4+5aYHrbL/ctFX4xgOW57T7JNwtlhlfkxI
a5xRjpL721SE1ribDZKdsZOjO9Y7x/SKvdH3ljKINM8HO6u60uTyVJFuJkgd81lt
Pk6u1V9MizieLek5GSNPyapiqAGndRCkpEHdB3CKG7zolhoCryQ/oLxEwETTgSSO
ddPLyD8NY/dulzPiGsMJ5aWScV2zuPHRwuLNAgMBAAGgMDAuBgkqhkiG9w0BCQ4x
ITAfMB0GA1UdDgQWBBS0lua3qgUb5oqcxcXDQbNaUGu33jANBgkqhkiG9w0BAQsF
AAOCAQEAcfJF73FUhiIF+ZMQud/D8mmKOy5tIGjWNWQacNl4bmPeCDmpoNCMRu25
8R3hYAY6jDvamPz2JZ6iLS857R7wdnSiC5bAo0jnQ3AMODxqJp49Em5qJzpzZ2NC
X/Aooom62nQU0QzfuBENRaeTChlcTylvh4daGYJUseXyCvt/mE0tdgHnh8ynAg8P
w+mBkedHbinkxGYgbplFyDML3bm16EvvAFDZNR1499YbbpCmLV8uXp6RhwPBkb8x
KSizazvez2SNi9vEMqkmNI65Z5P4KS/p1lUd+GAS+EdUwt97hZtFIVCn/p7C6SPf
1cQNPghutNf8ULIpjh1pdY99OnpIjA==
-----END NEW CERTIFICATE REQUEST-----

4.2 Enter your contact details:

Administrative wayne zhou
contact waynzhou@wayneshare.com
3888 Miranda Place
Palo Alto, CA, 94304
United States

4.3 To confirm that you own the domain, SSLS.COM offers two methods: one is an email to an address under your domain, such as admin@wayneshare.com; the other is to place a verification file on your web server (Apache/nginx) so that the issuing CA (Comodo) can fetch it and confirm the site is under your control.

With the file method you download a file from ssls.com and get this message:
“You’re almost done. Upload file to /.well-known/pki-validation/ public directory of wayneshare.com. Do not rename the file or edit its contents. If you’re not sure what to do, please contact support.”

The file name we got is: F26FF4AD68EEB3785D28B5420663D6A5.txt
Its content is a single line: 591E88059BC38F2F09DC9C426E83C607F7414728CFDAD1D1F4711A4658904C1F comodoca.com 5a1ca2e34e5ee

5. Put F26FF4AD68EEB3785D28B5420663D6A5.txt on the nginx server.
Because nginx is my reverse proxy and terminates HTTPS, the certificate (and therefore this validation file) belongs on the nginx side, not on Tomcat.
This step serves the challenge from the nginx server to prove that you control wayneshare.com.

Add this location to the port-80 server block (the CA fetches it over plain HTTP, since you have no certificate yet) and reload nginx. If that block already redirects to HTTPS, this exact-match location must stay reachable over HTTP; it takes precedence over prefix locations such as /internal/:

location = /.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt {
    alias /home/www/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt;
}

After putting the file under /home/www/.well-known/pki-validation/, this link must return the file unchanged (check from outside your network: a 200 with the exact one-line content):

http://wayneshare.com/.well-known/pki-validation/F26FF4AD68EEB3785D28B5420663D6A5.txt

Then tell SSLS.COM support to run the check; soon you will get an email with the certificate files. Save them for your site.
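Step 5 in working form, as an added example that is not from the original post: it stages the validation file under the docroot and then checks it back byte for byte, the way the CA's validator fetches it. The name and content derivation follows Comodo/Sectigo's "HTTP CSR hash" method as I understand it (file name = upper-case MD5 of the DER-encoded CSR plus .txt; first content line = upper-case SHA-256 of the same DER, then comodoca.com, then the unique value from the order). Treat that derivation as an assumption: compute it, compare with the file ssls.com gave you, and serve their file. The CSR the demo builds is a throwaway one and the paths are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Stages a Comodo/Sectigo-style HTTP DCV file
# under a docroot and checks it back. ASSUMPTION (compare with the file the CA gives you):
# file name = upper-case MD5 of the DER CSR + ".txt"; content = upper-case SHA-256 of the
# DER CSR, "comodoca.com", and the order's unique value, one per line. Because both values
# are derived from your CSR, renaming or editing the file breaks validation.
set -eu

# Upper-case hex digest of the DER-encoded CSR ($2 = md5 or sha256).
csr_digest() {  # $1 csr (PEM)  $2 digest
  openssl req -in "$1" -outform DER 2>/dev/null | openssl dgst "-$2" | awk '{print toupper($NF)}'
}

# The file name the validator will request for this CSR.
dcv_filename() { printf '%s.txt\n' "$(csr_digest "$1" md5)"; }

# The exact content the validator expects ($2 = optional unique value from the order).
dcv_content() {  # $1 csr  [$2 unique value]
  printf '%s\ncomodoca.com\n' "$(csr_digest "$1" sha256)"
  [ -z "${2:-}" ] || printf '%s\n' "$2"
}

# Write the file where /.well-known/pki-validation/<name> resolves; echo that URL path.
dcv_stage() {  # $1 csr  $2 docroot (e.g. /home/www)  [$3 unique value]
  local dir="$2/.well-known/pki-validation" name
  name=$(dcv_filename "$1")
  mkdir -p "$dir"
  dcv_content "$1" "${3:-}" > "$dir/$name"
  chmod 644 "$dir/$name"                      # world-readable is fine: nothing secret here
  printf '/.well-known/pki-validation/%s\n' "$name"
}

# Exit 0 only if the staged file is byte-for-byte what the validator expects.
dcv_check() {  # $1 csr  $2 docroot  [$3 unique value]
  local f="$2/.well-known/pki-validation/$(dcv_filename "$1")"
  [ -f "$f" ] && dcv_content "$1" "${3:-}" | cmp -s - "$f"
}

# Throwaway key + CSR, constructed here only so the example runs without your real CSR.
make_demo_csr() {  # $1 output csr path
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wayneshare.com" \
    -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
  local tmp; tmp=$(mktemp -d)
  make_demo_csr "$tmp/certreq.csr"
  echo "fetch: http://wayneshare.com$(dcv_stage "$tmp/certreq.csr" "$tmp/www" 5a1ca2e34e5ee)"
  dcv_check "$tmp/certreq.csr" "$tmp/www" 5a1ca2e34e5ee && echo "staged file matches"
}
demo
```

If the computed name differs from the downloaded file, trust the CA's file: the derivation above is the assumption, the file is the ground truth. The check is deliberately strict (cmp, not grep), because a trailing CRLF added by an editor is exactly the kind of "edit" the CA warns about.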

6. Import the signed certificate into the keystore for the web server. Import the CA chain first (root, then intermediate), then your own certificate under the alias of the key pair that produced the CSR, so that keytool attaches it to the private key instead of storing it as a trusted certificate:

keytool -import -alias root -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.ca0.crt
keytool -import -alias intermed -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.ca1.crt
keytool -import -alias waynecert -keystore keystore.jks -storepass mypass -trustcacerts -file wayneshare_com.crt
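The whole flow from step 1 to step 6, together with the chain handling that the nginx and Tomcat posts above depend on, as an added example that is not part of the original posts. It uses openssl only, so it runs offline: the two-level CA it builds is a constructed stand-in for ssls.com/Comodo (with a real CA you stop after new_key_and_csr, send them the CSR, and continue from the certificate they return), the openssl key and CSR step replaces the keytool -genkey/-certreq pair, and the directory, file names, the waynecert alias and the mypass password are placeholders. It ends by checking the three things that go wrong most often: a key and certificate that do not match, a missing intermediate, and a certificate that does not cover the host name.

```bash
#!/usr/bin/env bash
# Added example, not from the original posts: CSR -> (constructed) CA -> chain checks ->
# nginx full-chain PEM and Tomcat PKCS12, using openssl only so it runs offline.
# WORK, DOMAIN, PASS, the file names and the waynecert alias are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumption)
DOMAIN="${DOMAIN:-wayneshare.com}"
PASS="${PASS:-mypass}"                 # keystore password placeholder, as in the post

# Sign a CSR with a CA cert/key and an X.509 extension file (thin wrapper over x509 -req).
sign_with() {  # $1 csr  $2 ca cert  $3 ca key  $4 extfile  $5 out cert  $6 days
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$6" -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# Constructed root (ca0) and intermediate (ca1), standing in for the CA's own chain.
make_test_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/ca0.key" -out "$WORK/ca0.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ca0.csr" -signkey "$WORK/ca0.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca0.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/ca1.key" -out "$WORK/ca1.csr" 2>/dev/null
  sign_with "$WORK/ca1.csr" "$WORK/ca0.crt" "$WORK/ca0.key" "$WORK/ca.ext" "$WORK/ca1.crt" 1825
}

# Steps 1-2 of the post: private key plus CSR (openssl equivalent of keytool -genkey/-certreq).
new_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$DOMAIN.key" 2>/dev/null
  chmod 600 "$WORK/$DOMAIN.key"                 # the key is the secret; the CSR and cert are not
  openssl req -new -key "$WORK/$DOMAIN.key" -sha256 \
    -subj "/C=US/ST=CA/L=Palo Alto/O=Wayne Share LLC/CN=$DOMAIN" -out "$WORK/$DOMAIN.csr"
}

# What the CA does with the CSR: issue a server cert whose SAN carries the host names.
sign_leaf() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s,DNS:www.%s\n' \
    "$DOMAIN" "$DOMAIN" > "$WORK/leaf.ext"
  sign_with "$WORK/$DOMAIN.csr" "$WORK/ca1.crt" "$WORK/ca1.key" "$WORK/leaf.ext" "$WORK/$DOMAIN.crt" 397
}

# Exit 0 only if the private key and the certificate carry the same public key
# (nginx -t reports "key values mismatch" when they do not).
key_matches_cert() {  # $1 key  $2 cert
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Exit 0 only if leaf -> intermediate -> root verifies and the cert covers the host name.
verify_chain() {  # $1 leaf  $2 intermediate  $3 root  $4 hostname
  openssl verify -CAfile "$3" -untrusted "$2" -verify_hostname "$4" "$1" >/dev/null 2>&1
}

# nginx: ssl_certificate must be the leaf followed by the intermediate(s). Echoes the count.
build_nginx_chain() {
  cat "$WORK/$DOMAIN.crt" "$WORK/ca1.crt" > "$WORK/fullchain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/fullchain.pem"
}

# Tomcat: key + chain in one PKCS12 (-certfile adds the intermediate, like the post's
# -chain -CAfile). Echoes how many certificates the file holds.
build_tomcat_p12() {
  openssl pkcs12 -export -in "$WORK/$DOMAIN.crt" -inkey "$WORK/$DOMAIN.key" -certfile "$WORK/ca1.crt" \
    -name waynecert -passout "pass:$PASS" -out "$WORK/keystore.p12"
  chmod 600 "$WORK/keystore.p12"
  openssl pkcs12 -in "$WORK/keystore.p12" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

run_demo() {
  make_test_ca
  new_key_and_csr
  sign_leaf
  key_matches_cert "$WORK/$DOMAIN.key" "$WORK/$DOMAIN.crt" || { echo "key/cert mismatch"; return 1; }
  verify_chain "$WORK/$DOMAIN.crt" "$WORK/ca1.crt" "$WORK/ca0.crt" "$DOMAIN" || { echo "chain check failed"; return 1; }
  echo "nginx fullchain.pem certificates: $(build_nginx_chain)"   # 2
  echo "tomcat keystore.p12 certificates: $(build_tomcat_p12)"    # 2
  echo "artifacts in $WORK"
}
run_demo
```

fullchain.pem is what goes into nginx's ssl_certificate, and keystore.p12 can be loaded by Tomcat directly (keystoreType="PKCS12") or imported into a JKS with keytool -importkeystore. If an older JDK refuses the .p12 (OpenSSL 3 defaults to AES/PBKDF2 encryption that early Java 8 releases cannot read), re-export it with openssl's -legacy option.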

 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Notes: related keytool commands

keytool -list -v -keystore keystore.jks

# export the private key: keytool has no option for this; convert to PKCS12 and use the
# openssl command at the end of these notes

# export the cert (-rfc gives PEM; omit it for DER; without -keystore the default ~/.keystore is used)
keytool -export -rfc -alias mycerts -keystore ~/.keystore -file cert_1.crt

# copy one key entry from another key store (here the default ~/.keystore) into a PKCS12 file
keytool -importkeystore -srckeystore ~/.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias mycerts -deststorepass mypass -destkeypass mypass

Export the certificate using openssl:

openssl pkcs12 -in keystore.p12 -nokeys -out cert_1.pem

Export the unencrypted private key (the output file is a secret: create it with restrictive permissions, for example under umask 077, and delete it once the server has loaded it):

openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key_1.pem