MacOS X nginx SSL Proxy Setup

# Installing nginx on OS X

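# Install nginx with Homebrew and register it as a LaunchDaemon (runs as root,
# which is what lets it bind the privileged ports 80/443 used by the site configs).
brew install nginx
sudo cp -v /usr/local/opt/nginx/*.plist /Library/LaunchDaemons/
# launchd only loads plists that are root-owned and not writable by anyone else;
# set both explicitly rather than relying on the copied file's mode.
sudo chown root:wheel /Library/LaunchDaemons/homebrew.mxcl.nginx.plist
sudo chmod 644 /Library/LaunchDaemons/homebrew.mxcl.nginx.plist

# Directory layout referenced by nginx.conf and the site configs.
# /usr/local/etc is user-writable under Homebrew, so no sudo is needed there.
mkdir -p /usr/local/etc/nginx/{logs,sites-available,sites-enabled,conf.d,ssl}
# /var/log is root-owned on macOS; without sudo this mkdir fails and nginx has
# nowhere to write error.log / access.log.
sudo mkdir -p /var/log/nginx

# Document root: owned by root, writable by the 'staff' group (0775).
sudo mkdir -p /var/www
sudo chown :staff /var/www
sudo chmod 775 /var/www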

## Setup nginx.conf

rm /usr/local/etc/nginx/nginx.conf
cat > /usr/local/etc/nginx/nginx.conf

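worker_processes  1;
# 'debug' records every request in detail (headers included); lower it to
# 'warn' once the proxy is working.
error_log  /var/log/nginx/error.log debug;
events {
    worker_connections  1024;
    accept_mutex off;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay off;
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    # Short timeouts bound how long a slow or idle client can hold a connection.
    keepalive_timeout 3;
    client_body_timeout 8;
    client_header_timeout 5;
    send_timeout 8;

    # Included exactly once: a second 'include mime.types' can make nginx warn
    # about duplicate extensions at startup.
    include             mime.types;
    default_type        application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    index index.html;
    # Per-client-IP rate-limit state; the site configs apply it with
    # 'limit_req zone=limit ...'.
    limit_req_zone $binary_remote_addr zone=limit:10m rate=5r/s;
    include /usr/local/etc/nginx/sites-enabled/*;
}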

## Setup SSL

Generate a 4096-bit RSA key and self-sign the certificate in one command:

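# Self-signed 4096-bit RSA certificate for localhost, valid for one year.
# -nodes leaves the private key unencrypted so nginx can start unattended,
# which is why the key file itself must stay private.
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/C=US/ST=State/L=Town/O=Office/CN=localhost" \
  -keyout /usr/local/etc/nginx/ssl/localhost.key \
  -out /usr/local/etc/nginx/ssl/localhost.crt
# Not every openssl/libressl build creates the key owner-only; enforce it.
# nginx is started as root by launchd, so it can still read the key.
chmod 600 /usr/local/etc/nginx/ssl/localhost.key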

## Proxy Setup

### https

/usr/local/etc/nginx/sites-available/default-proxy-ssl.conf

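server {
    # 'ssl' on the listen directive replaces the deprecated 'ssl on;'.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server ipv6only=on;
    server_name localhost;
    access_log  /var/log/nginx/proxy-ssl.log;

    # Small request-size limits: oversized bodies/headers are rejected before
    # anything is proxied.
    client_body_buffer_size 4k;
    client_max_body_size 4M;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 1k;

    # Absolute paths to the files written by the openssl command above, so the
    # lookup does not depend on nginx's compiled-in prefix.
    ssl_certificate      /usr/local/etc/nginx/ssl/localhost.crt;
    ssl_certificate_key  /usr/local/etc/nginx/ssl/localhost.key;
    ssl_session_timeout  5m;
    # SSLv2/SSLv3 are broken and TLSv1 is deprecated; current nginx/OpenSSL
    # builds do not offer SSLv2 at all. TLSv1.3 needs an OpenSSL 1.1.1+ build
    # and is ignored by older libraries.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location / {
        # Rate limit from the 'limit' zone defined in nginx.conf.
        limit_req zone=limit burst=5 nodelay;
        proxy_buffering off;
        proxy_pass http://127.0.0.1:8000;
        # Forward client address, host and scheme so the upstream app can see
        # that the request arrived over https.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}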

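# Enable the plain-http site (its config is shown below). -f makes the step
# idempotent: a plain 'ln -s' fails with "File exists" on a re-run.
ln -sf /usr/local/etc/nginx/sites-available/default-proxy.conf /usr/local/etc/nginx/sites-enabled/default-proxy.conf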

### http

/usr/local/etc/nginx/sites-available/default-proxy.conf

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name localhost;
    access_log /var/log/nginx/proxy.log;

    # Keep request sizes small: bodies over 4M are rejected (413) before being
    # proxied, and headers beyond the buffer limits are rejected as well.
    client_max_body_size 4M;
    client_body_buffer_size 4k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 1k;

    location / {
        # Rate limit from the 'limit' zone defined in nginx.conf.
        limit_req zone=limit burst=5 nodelay;
        proxy_buffering off;
        # Forward client address, host and scheme so the upstream app can see them.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8000;
    }
}

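# Enable the https site (its config is shown above). -f makes the step
# idempotent: a plain 'ln -s' fails with "File exists" on a re-run.
ln -sf /usr/local/etc/nginx/sites-available/default-proxy-ssl.conf /usr/local/etc/nginx/sites-enabled/default-proxy-ssl.conf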

# Starting/Stopping

sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.nginx.plist
launchctl stop homebrew.mxcl.nginx
launchctl start homebrew.mxcl.nginx
