farmerswife


Using NGINX as a third party proxy service to apply your SSL certificates

In the related article “How to SSL farmerswife using your own certificates” we explained that you can use a third-party solution (with v6.5 the "legacy"/deprecated "Proxy WIFE Server") to proxy the connection between your internet-facing farmerswife Server and the farmerswife clients, securing it with your own SSL certificates.

You can also use solutions like F5, HAProxy, NGINX or the proxy of your choice.

As an example we provide here a set of NGINX configuration files which use your sub-domain and the ports you already expose to the internet, forward the traffic to the local machine hosting your farmerswife Server, and enforce a strict TLS policy while doing so.

IMPORTANT: This example here is intended to be used by Linux IT administrators. If you need support for the installation please contact sales for a quote.

An advantage of NGINX (or any comparable third-party proxy) is that you decide which protocol versions and which cipher suites are offered; for example, you can allow only TLS 1.2 and the newest TLS 1.3. The example explained here allows both TLS 1.2 and TLS 1.3 with a custom cipher list. Two caveats about that list: with OpenSSL, ssl_ciphers only governs TLS 1.2 and older, so the TLS 1.3 suites are OpenSSL's defaults and cannot be changed on NGINX 1.14.2 (the ssl_conf_command directive needed for that only arrived in NGINX 1.19.4); and the list contains RSA suites only, so it must be used with an RSA certificate (an ECDSA certificate would leave no usable TLS 1.2 cipher). Note also that the two *-SHA512 entries are not OpenSSL cipher names (no such TLS 1.2 suite exists); OpenSSL silently drops unknown names, so they do no harm, but they add nothing either.

This example uses a Debian 10 Buster server and NGINX version 1.14.2 with the stream module, which the packages in the Debian repositories include by default (nginx -V lists the compiled-in modules; look for --with-stream).


The below rough diagram shows how this will work once your farmerswife system is proxied through NGINX:

On the new Linux machine located within your "DMZ" (the example uses Debian 10; an Ubuntu host works the same way):

First, create the folder /etc/nginx/ssl if it does not exist (owned by root and not readable by other users, because your private key will be stored there) and run the following command to generate the Diffie-Hellman parameters used by the DHE-* cipher suites:


openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096


NOTE: generating 4096-bit parameters is slow; expect it to take a while (typically 20 to 30 minutes).


DO NOT COPY & PASTE from here! Download the below attached files to avoid any invisible whitespace or gremlin characters issues!


nginx.conf

user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 10240;
}

http {
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/clients/*-http.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '"$host" sn="$server_name" '
    'rt=$request_time '
    'ua="$upstream_addr" us="$upstream_status" '
    'ut="$upstream_response_time" ul="$upstream_response_length" '
    'cs=$upstream_cache_status' ;
    log_format vhosts '$host $remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.vhost.log  vhosts;
    access_log /var/log/nginx/access.log  main;

    sendfile on;

    server_tokens off;

    keepalive_timeout 65;

    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_types text/plain text/xml text/css text/comma-separated-values text/javascript application/javascript application/x-javascript font/ttf font/otf image/svg+xml application/atom+xml;

    # TLS policy. With OpenSSL, ssl_ciphers only governs TLS 1.2; the TLS 1.3
    # suites are OpenSSL's defaults. The two *-SHA512 names are not real OpenSSL
    # cipher names and are ignored; the list is RSA-only, so it expects an RSA
    # certificate.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;   # generated above; used by the DHE-* suites
    ssl_ecdh_curve secp384r1;                 # the only ECDHE group offered (no X25519)
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;                  # no ticket key to rotate or leak
    # OCSP stapling; the resolver is used only to reach the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=60s;
    resolver_timeout 2s;
}

stream {
    include /etc/nginx/clients/*-stream.conf;
    log_format basic '$remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time';

    access_log /var/log/nginx/access.stream.log basic;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    #ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}

The following values are some of the ones you will need to modify in this "nginx.conf" file:

  • user www-data: change it to the user the NGINX worker processes run as (current Debian packages use www-data; check the nginx.conf shipped with the package if unsure).
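To see what the ssl_ciphers string really enables on your proxy host, the following script (an added example, not part of the farmerswife documentation or its attachments) expands it with the same OpenSSL logic NGINX uses, lists the names this OpenSSL does not recognise, and shows the TLS 1.3 suites that the string does not influence. It assumes openssl(1) is installed; NGINX_CIPHERS is the value from the nginx.conf above, and the function names are this script's own.

```shell
#!/bin/sh
# ciphers_check.sh: added example, not part of the farmerswife documentation.
# Expands an nginx ssl_ciphers string with the local OpenSSL and reports which
# names it silently dropped. Assumes openssl(1) is installed on the proxy host.

# The ssl_ciphers value from the nginx.conf above.
NGINX_CIPHERS='ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384'

# TLS 1.2 cipher list NGINX will actually offer for this string, one per line.
# OpenSSL ignores unknown names, so this output is the truth, not the config
# text. TLS 1.3 suites (names starting with TLS_) are removed because
# ssl_ciphers does not control them.
expand_ciphers() {  # expand_ciphers CIPHER_STRING
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | sed '/^TLS_/d'
}

# Names from the string that this OpenSSL does not know. Whole-line match on
# purpose: DHE-RSA-... is a substring of ECDHE-RSA-..., so a pattern match
# would report a bogus name as known.
unknown_ciphers() {  # unknown_ciphers CIPHER_STRING
    known=$(expand_ciphers "$1")
    for name in $(printf '%s\n' "$1" | tr ':' ' '); do
        if ! printf '%s\n' "$known" | grep -qxF -- "$name"; then
            echo "$name"
        fi
    done
}

# TLS 1.3 suites OpenSSL enables by default; ssl_ciphers cannot change them on
# nginx 1.14.2 (ssl_conf_command, which could, needs nginx 1.19.4 or later).
tls13_suites() {
    openssl ciphers 2>/dev/null | tr ':' '\n' | sed -n '/^TLS_/p'
}

report() {  # report CIPHER_STRING
    echo "TLS 1.2 suites actually offered:"
    expand_ciphers "$1" | sed 's/^/  /'
    echo "names ignored by this OpenSSL:"
    unknown_ciphers "$1" | sed 's/^/  /'
    echo "TLS 1.3 suites (OpenSSL default, not configurable with ssl_ciphers):"
    tls13_suites | sed 's/^/  /'
}

# Pass your own string as the first argument to check a different list.
report "${1:-$NGINX_CIPHERS}"
```

Run it as sh ciphers_check.sh on the proxy host; the two *-SHA512 entries show up under "names ignored", which is what NGINX sees as well, since it hands the same string to OpenSSL.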


Then create the folder /etc/nginx/clients and place the following two files in it (nginx.conf includes /etc/nginx/clients/*-http.conf in the http block and *-stream.conf in the stream block, so the file names must keep those suffixes).


farmerswife-http.conf

upstream farmerswife-webcal {
    server 192.168.0.100:27000;
}
upstream farmerswife-webclient {
    server 192.168.0.100:26000;
}
upstream farmerswife-api {
    server 192.168.0.100:25000;
}

## Legacy HTTPS / WebCal
server {
    listen 27000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://farmerswife-webcal$request_uri;
    }
}

## WebClient / Mobile WebClient / Play
server {
    listen 26000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location /webcal {
        proxy_intercept_errors on;
        rewrite ^.* https://farmerswife.yourdomain.com:27000/webcal$request_uri;
    }

    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://farmerswife-webclient$request_uri;
    }
}

## iOS / API
server {
    listen 25000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location / {
        proxy_intercept_errors on;
        #proxy_max_temp_file_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass https://farmerswife-api$request_uri;
    }
}

The following values are some of the ones you will need to modify in this "farmerswife-http.conf" file:

  • server_name: change it in every server block to the sub-domain you expose; it must match the name on your certificate.
  • listen: the port the clients connect to; it must match the farmerswife Server port you already expose.
  • ssl_certificate: your own "public" certificate, with the intermediate CA certificate(s) appended so clients receive the full chain.
  • ssl_trusted_certificate: the CA chain (intermediate and root) that issued your certificate; NGINX uses it to verify the stapled OCSP response (ssl_stapling_verify on).
  • ssl_certificate_key: your "private" key; keep it readable by root only.
  • upstream: the private IP address and port on the machine that actually hosts your farmerswife Server (the same host as its main "Server Port").
  • proxy_pass https://farmerswife-api: the API block re-encrypts towards the backend, but NGINX does not check the backend's certificate unless you also set proxy_ssl_verify on and point proxy_ssl_trusted_certificate at that certificate; on a shared DMZ network this is worth enabling. X-Forwarded-For is set to $remote_addr on purpose: this proxy is the internet edge, so a client-supplied header must not be trusted.


farmerswife-stream.conf

## Desktop Client
server {
    listen 22000 ssl;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;
    ssl_verify_client off;
    #ssl_session_cache builtin:1000 shared:SSL:10m;

    proxy_ssl on;
    proxy_ssl_verify off;
    proxy_ssl_session_reuse off;

    proxy_pass 192.168.0.100:22000;
}

## File Transfer Port (Raw-Sockets)
server {
    listen 24000;
    proxy_pass 192.168.0.100:24000;
}

The following values are some of the ones you will need to modify in this "farmerswife-stream.conf" file:

  • listen: the port the clients connect to; it must match the farmerswife Server port you already expose.
  • ssl_certificate: your own "public" certificate, with the intermediate CA certificate(s) appended.
  • ssl_trusted_certificate: the CA chain (intermediate and root) that issued your certificate.
  • ssl_certificate_key: your "private" key; keep it readable by root only.
  • proxy_pass: the private IP address and port of the machine hosting your farmerswife Server's main "Server Port".
  • proxy_ssl_verify off: NGINX re-encrypts towards the farmerswife Server but does not check the certificate it presents. This is acceptable only if the DMZ-to-LAN hop is a trusted network; otherwise store that certificate in proxy_ssl_trusted_certificate and set proxy_ssl_verify on.
  • The file transfer server block has no ssl on its listen directive: port 24000 is forwarded as plain TCP and is not TLS-terminated by this configuration.

Use the attached nginx.conf, farmerswife-http.conf and farmerswife-stream.conf files as a guide. Make sure the farmerswife Server's ports are reachable only from the proxy host (firewall them on the server or at the DMZ boundary); otherwise a client can still connect to the unproxied ports directly and bypass your certificates. Once the proxy is configured and running, it is yours to maintain: renew the certificates before they expire, keep NGINX and OpenSSL patched, and re-check the TLS settings after every change.
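Once the proxy is up, the script below (an added example, not from the farmerswife documentation or its attachments) probes each TLS listener from a client machine: it confirms that TLS 1.0 and 1.1 are refused, that a TLS 1.2/1.3 handshake succeeds with a verifiable certificate chain, and whether an OCSP response is stapled. It assumes openssl(1) is installed where you run it and uses the placeholder host name and ports from the configuration files above; port 24000 is left out because that stream block forwards plain TCP. The function names are this script's own.

```shell
#!/bin/sh
# verify_tls.sh: added example, not part of the farmerswife documentation.
# Probes the TLS listeners from farmerswife-http.conf / farmerswife-stream.conf:
# old protocol versions must be refused, TLS 1.2/1.3 must succeed with a
# verifiable chain, and OCSP stapling is reported. Needs openssl(1) locally.
# Usage: sh verify_tls.sh farmerswife.yourdomain.com 22000 25000 26000 27000
# Port 24000 is deliberately absent: that stream block forwards plain TCP.

# One handshake; prints the whole s_client transcript (stdout and stderr).
# $3 carries extra openssl options and is left unquoted so it may hold several.
probe() {  # probe HOST PORT [OPTS]
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" $3 2>&1
}

# Classify a transcript: handshake-failed (server, or a client without that
# protocol, refused), ok (handshake done and chain verified), verify-failed
# (handshake done but the chain did not verify).
classify() {  # classify TRANSCRIPT
    case "$1" in
        *"handshake failure"*|*"alert protocol version"*|*"no protocols available"*)
            echo handshake-failed; return ;;
    esac
    case "$1" in
        *"Verify return code: 0 (ok)"*) echo ok ;;
        *) echo verify-failed ;;
    esac
}

# Negotiated protocol taken from the SSL-Session block, e.g. TLSv1.3.
negotiated_protocol() {  # negotiated_protocol TRANSCRIPT
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1
}

# yes if the server stapled an OCSP response (probe must be run with -status).
ocsp_stapled() {  # ocsp_stapled TRANSCRIPT
    case "$1" in
        *"OCSP Response Status: successful"*) echo yes ;;
        *) echo no ;;
    esac
}

# Check one listener; prints one line per finding, returns 1 on any failure.
check_port() {  # check_port HOST PORT
    port_rc=0
    for old in -tls1 -tls1_1; do
        if [ "$(classify "$(probe "$1" "$2" "$old")")" = ok ]; then
            echo "FAIL $1:$2 accepts $old"; port_rc=1
        fi
    done
    out=$(probe "$1" "$2" -status)
    res=$(classify "$out")
    if [ "$res" = ok ]; then
        echo "ok   $1:$2 $(negotiated_protocol "$out") ocsp_stapled=$(ocsp_stapled "$out")"
    else
        echo "FAIL $1:$2 $res"; port_rc=1
    fi
    return $port_rc
}

main() {  # main HOST PORT...
    host=$1; shift
    main_rc=0
    for port in "$@"; do
        check_port "$host" "$port" || main_rc=1
    done
    return $main_rc
}

# Only run when given arguments, so the functions above can also be sourced.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it from outside the DMZ, i.e. from where your clients connect. If your CA is not in the system trust store, point the SSL_CERT_FILE environment variable at its PEM file, otherwise every port reports verify-failed. A FAIL for -tls1 or -tls1_1 means the proxy still accepts that version; if your local OpenSSL has those versions compiled out, the refusal comes from the client instead and the result is not conclusive, so probe from a machine whose OpenSSL can still speak them.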
