
Using NGINX as a third party proxy service to apply your SSL certificates

In the article “How to SSL farmerswife using your own certificates” we mentioned that you can use a third party solution to proxy the connection between your internet-facing farmerswife Server and the farmerswife clients, securing it with your own SSL certificates. Solutions such as F5, HAproxy, NGINX or any proxy of your choice can be used.

As an example we provide an NGINX configuration that listens on your subdomain and the ports you expose to the internet and forwards the traffic to your local machine. This configuration also uses a strict SSL setup.

IMPORTANT: This example is intended for Linux IT administrators. If you need support with the installation, please contact sales for a quote.

An advantage of using NGINX or another third party solution is that you decide which protocols and which ciphers are allowed. For example, you can restrict it to only TLS 1.2 and the newest TLS 1.3. In the example explained here we allow both TLS 1.2 and TLS 1.3 with a custom set of ciphers.

This example uses a Debian 10 Buster server and NGINX version 1.14.2 with the stream module, which is normally included by default when installing from the Debian repositories.


The below rough diagram shows how this will work once proxied through NGINX:


First, create the folder /etc/nginx/ssl if it doesn't exist and run the following command to generate the needed Diffie-Hellman parameters:


openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096


NOTE: this process may take several minutes to finish.


DO NOT COPY & PASTE from here! Download the attached file below to avoid issues with invisible whitespace or gremlin characters.


nginx.conf

user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 10240;
}

http {
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/clients/*-http.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '"$host" sn="$server_name" '
    'rt=$request_time '
    'ua="$upstream_addr" us="$upstream_status" '
    'ut="$upstream_response_time" ul="$upstream_response_length" '
    'cs=$upstream_cache_status' ;
    log_format vhosts '$host $remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.vhost.log  vhosts;
    access_log /var/log/nginx/access.log  main;

    sendfile on;

    server_tokens off;

    keepalive_timeout 65;

    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_types text/plain text/xml text/css text/comma-separated-values text/javascript application/javascript application/x-javascript font/ttf font/otf image/svg+xml application/atom+xml;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Note: OpenSSL has no *-GCM-SHA512 suites; those names are silently skipped, leaving the SHA384 suites
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=60s;
    resolver_timeout 2s;
}

stream {
    include /etc/nginx/clients/*-stream.conf;
    log_format basic '$remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time';

    access_log /var/log/nginx/access.stream.log basic;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Same list as in the http block; the *-GCM-SHA512 names are not valid OpenSSL suites and are skipped
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    #ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}

The following values are some of the ones you will need to modify in this config:

  • user www-data: change it to the user that runs the NGINX process; on the latest Debian package this user is www-data.


Then create the folder /etc/nginx/clients and add the two following files.


farmerswife-http.conf

upstream farmerswife-webcal {
    server 192.168.0.100:27000;
}
upstream farmerswife-webclient {
    server 192.168.0.100:26000;
}
upstream farmerswife-api {
    server 192.168.0.100:25000;
}

## Legacy HTTPS / WebCal
server {
    listen 27000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://farmerswife-webcal$request_uri;
    }
}

## WebClient / Mobile WebClient / Play
server {
    listen 26000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location /webcal {
        proxy_intercept_errors on;
        rewrite ^.* https://farmerswife.yourdomain.com:27000/webcal$request_uri;
    }

    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://farmerswife-webclient$request_uri;
    }
}

## iOS / API
server {
    listen 25000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location / {
        proxy_intercept_errors on;
        #proxy_max_temp_file_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass https://farmerswife-api$request_uri;
    }
}

The following values are some of the ones you will need to modify in this config:

  • server_name: change this in every server block to match your sub-domain structure.
  • listen: change this to point to your farmerswife port.
  • ssl_certificate: change this to point to your own certificate.
  • ssl_trusted_certificate: change this to point to your certificate CA.
  • ssl_certificate_key: change this to point to your certificate key.
  • upstream: point this to the correct private IP and port of the actual host machine of your farmerswife server.


farmerswife-stream.conf

## Desktop Client
server {
    listen 22000 ssl;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;
    ssl_verify_client off;
    #ssl_session_cache builtin:1000 shared:SSL:10m;

    proxy_ssl on;
    proxy_ssl_verify off;
    proxy_ssl_session_reuse off;

    proxy_pass 192.168.0.100:22000;
}

## File Transfer Port (Raw-Sockets)
server {
    listen 24000;
    proxy_pass 192.168.0.100:24000;
}

The following values are some of the ones you will need to modify in this config:

  • listen: change this to point to your farmerswife port.
  • ssl_certificate: change this to point to your own certificate.
  • ssl_trusted_certificate: change this to point to your certificate CA.
  • ssl_certificate_key: change this to point to your certificate key.
  • proxy_pass: point this to the correct private IP and port of the actual host machine of your farmerswife server.
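As an added example (not part of the original article or of farmerswife's own tooling), a small Python pre-deployment check that reads these config files and flags the example values that were left unchanged, legacy versions in ssl_protocols, session tickets left on, and cipher names the local OpenSSL cannot resolve (nginx drops those silently). The SAMPLE config and the placeholder list are constructed from the article's example values; for a live audit pass the contents of the real /etc/nginx files to audit().

```python
"""Pre-deployment audit for the farmerswife NGINX proxy configs (constructed example, not farmerswife's tooling)."""
import re
import ssl

PLACEHOLDERS = ("farmerswife.yourdomain.com", "192.168.0.100")  # example values from the article's files
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def parse_directives(text):
    """Flatten an nginx config into (directive, args) pairs; comments and block nesting are ignored."""
    text = re.sub(r"#[^\n]*", "", text)
    directives = []
    for stmt in re.split(r"[;{}]", text):  # one statement per ';' or block boundary
        tokens = re.findall(r"""'[^']*'|"[^"]*"|\S+""", stmt)
        if tokens:
            directives.append((tokens[0], [t[1:-1] if t[0] in "'\"" else t for t in tokens[1:]]))
    return directives

def unknown_ciphers(cipher_list):
    """Names the local OpenSSL cannot resolve; nginx skips them, so the effective list is shorter than it looks."""
    unknown = []
    for name in cipher_list.split(":"):
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(name)
        except ssl.SSLError:
            unknown.append(name)
    return unknown

def audit(text):
    """Return findings for one config file; an empty list means nothing to fix."""
    findings = []
    for name, args in parse_directives(text):
        if name == "ssl_protocols" and set(args) - ALLOWED_PROTOCOLS:
            findings.append(f"ssl_protocols enables legacy versions: {sorted(set(args) - ALLOWED_PROTOCOLS)}")
        elif name in ("ssl_session_tickets", "server_tokens") and args != ["off"]:
            findings.append(f"{name} should be off")
        elif name == "ssl_ciphers" and args:
            findings += [f"ssl_ciphers: '{c}' is not a valid OpenSSL name and is ignored" for c in unknown_ciphers(args[0])]
        elif name in ("server_name", "server", "proxy_pass", "rewrite"):
            findings += [f"{name} still uses example placeholder {p}: {a}" for a in args for p in PLACEHOLDERS if p in a]
    return findings

# Constructed sample with deliberate problems (legacy protocols, tickets on, bogus cipher, placeholders left in).
SAMPLE = """ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384';
upstream farmerswife-api { server 192.168.0.100:25000; }
server_name farmerswife.yourdomain.com;  # left at the example value
location / { proxy_pass https://farmerswife-api$request_uri; }
"""
```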



Use the attached nginx.conf, farmerswife-http.conf and farmerswife-stream.conf files as a guide. Once this is configured and running, it still needs to be maintained on your side.
