This document describes how to put a web application or API behind an nginx reverse proxy that terminates TLS: clients speak HTTPS to nginx, and nginx forwards the requests over plain HTTP to the backend.
-------------          ----------------          -------------
|           |          |              |          |  Web App  |
|  Client   +--------->+ nginx server +--------->+    or     |
|           |  https   |              |   http   |  Web API  |
-------------          ----------------          -------------
Install nginx following the standard installation procedure at http://wiki.nginx.org/Install
Put the certificate and private key in a protected location (owned by root and not world-readable). Let's assume the files are:
/etc/ssl/<server>/cert.crt
/etc/ssl/<server>/cert.key
If you do not yet have a certificate issued by a CA, generate a self-signed certificate and key for testing (the /etc/ssl/<server> directory must already exist):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/<server>/cert.key -out /etc/ssl/<server>/cert.crt
Note: a self-signed certificate triggers security warnings in most browsers and is not suitable for production; use a CA-issued certificate there. The -nodes flag writes the private key unencrypted, so make sure its file permissions are restricted.
Create a configuration file at /etc/nginx/sites-available/<server>:
server {
    listen 443 ssl;
    server_name <fqdn>;

    ssl_certificate     /etc/ssl/<server>/cert.crt;
    ssl_certificate_key /etc/ssl/<server>/cert.key;

    # Offer only TLS 1.2 and 1.3. SSLv3, TLS 1.0 and TLS 1.1 are deprecated and
    # must not be enabled on a server that is meant to be secure.
    # (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop the token
    # on older builds, which reject it as an invalid value.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Forward-secret (ECDHE/DHE) AEAD suites only. RC4, 3DES, MD5, export-grade
    # and anonymous/NULL suites are excluded explicitly with "!".
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4";

    access_log /var/log/nginx/<server>-access.log;

    location / {
        #proxy_pass_header Server;
        # Pass the original Host header and the real client address to the
        # backend so it can build correct links and log the actual client IP.
        proxy_set_header Host $http_host;
        #proxy_redirect off;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        # $remote_addr is used rather than the client-supplied X-Forwarded-For
        # header, so a client cannot spoof its source address to the backend.
        proxy_set_header X-Forwarded-For $remote_addr;
        # Tells the backend that the original request was https. X-Scheme is
        # non-standard; most frameworks expect the same value in X-Forwarded-Proto.
        proxy_set_header X-Scheme $scheme;
        #proxy_connect_timeout 10;
        #proxy_read_timeout 10;
        # Change the line below to the correct local or external backend address:
        proxy_pass http://<server_ip>:<port>/;
    }
}
Enable the site by creating a symbolic link to the configuration in the sites-enabled folder, check the configuration syntax with nginx -t, and then restart nginx:
sudo ln -s /etc/nginx/sites-available/<server> /etc/nginx/sites-enabled/<server>
sudo service nginx restart
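Before enabling a server block it is worth checking it for the TLS weaknesses discussed above (deprecated protocol versions and weak cipher keywords such as RC4). The following audit script is an added example and is not code from the original document or from the nginx project: it parses an nginx server block with a small line-based parser written for this example, and reports deprecated protocols in ssl_protocols and weak keywords left enabled in ssl_ciphers. The two embedded configurations are constructed for the example; the first reproduces the weaknesses of the older cipher string (TLS 1.0/1.1 and RC4), the second is the hardened form.

```python
"""Audit an nginx server block for weak TLS settings.

Added example, not code from the original document. The directive names are
real nginx directives; the parser is a small line-based one written for this
example (nested blocks are simply flattened), and both sample configurations
below are constructed here for demonstration.
"""
import re

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSL).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-list keywords that select broken or weak algorithms.
WEAK_CIPHER_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL",
                        "EXP", "EXPORT", "LOW"}

# Constructed sample reproducing the weaknesses of the older cipher string.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/example/cert.crt;
    ssl_certificate_key /etc/ssl/example/cert.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM EECDH+aRSA+RC4 EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 +RC4 RC4";
    server_name example.test;
    location / {
        proxy_pass http://127.0.0.1:8080/;
    }
}
"""

# Constructed hardened sample: TLS 1.2/1.3 and forward-secret AEAD suites only.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/example/cert.crt;
    ssl_certificate_key /etc/ssl/example/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!LOW:!3DES:!MD5:!RC4";
    server_name example.test;
    location / {
        proxy_pass http://127.0.0.1:8080/;
    }
}
"""

DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*?)\s*;\s*$")


def parse_directives(config):
    """Map each directive name to its argument tokens (first occurrence wins).

    Comments and block delimiters are skipped and nested blocks are flattened,
    which is sufficient for a single server block.
    """
    directives = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0]
        match = DIRECTIVE_RE.match(line)
        if not match:
            continue
        name, value = match.group(1), match.group(2)
        # A quoted value (e.g. the cipher list) is one argument: drop the quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        directives.setdefault(name, value.split())
    return directives


def cipher_keywords(args):
    """Split an OpenSSL cipher string into (enabled, permanently_excluded) sets.

    Accepts space- or colon-separated lists. A "!" prefix removes a keyword for
    good, "-" removes it until re-added (treated as not enabled here), "+" only
    reorders, and "A+B" means the intersection, so both names count as enabled.
    """
    enabled, excluded = set(), set()
    for arg in args:
        for item in arg.split(":"):
            if not item or item.startswith(("-", "@")):
                continue
            if item.startswith("!"):
                excluded.update(item[1:].split("+"))
            else:
                enabled.update(item.lstrip("+").split("+"))
    return enabled, excluded


def audit_tls(config):
    """Return a list of findings describing weak TLS settings in the block."""
    d = parse_directives(config)
    findings = []
    listen = d.get("listen", [])
    if any(a == "443" or a.endswith(":443") for a in listen) and "ssl" not in listen:
        findings.append("listen on port 443 without the ssl parameter")
    for proto in sorted(WEAK_PROTOCOLS & set(d.get("ssl_protocols", []))):
        findings.append("ssl_protocols enables deprecated " + proto)
    enabled, excluded = cipher_keywords(d.get("ssl_ciphers", []))
    # A keyword excluded with "!" stays excluded even if it also appears enabled.
    for kw in sorted((WEAK_CIPHER_KEYWORDS & enabled) - excluded):
        findings.append("ssl_ciphers enables weak keyword " + kw)
    if d.get("ssl_prefer_server_ciphers", ["off"]) != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls(cfg) or ["no findings"])
```

Run it as-is to see the weak sample flagged for TLSv1, TLSv1.1 and RC4 and the hardened sample pass clean; to audit a real file, read its contents into a string and pass it to audit_tls. The check is static and only as good as its keyword lists, so it complements rather than replaces a live scan of the running server with a TLS testing tool.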