# Configuring TLS on Nginx (SEC 350) - Chromosom3/TechNotes GitHub Wiki

## Introduction
In this lab, we will be configuring the certificate authority, issuing a certificate, enabling TLS on Nginx, and allowing HTTPS traffic through the firewalls.
## Certificate Authority Configuration

In this section, we will configure the certificate authority server. We will harden the server to prevent unauthorized connections by running the following commands, which configure iptables to only allow SSH from the management box.

```bash
# Install iptables-services so the rules can be made persistent
yum install iptables-services -y
# Accidentally did this on the log server :( had to use remove to get rid of it, hope this doesn't break anything.
systemctl disable --now firewalld
systemctl enable --now iptables
systemctl status iptables
# Might need this
iptables -F INPUT # Flushes out all input rules
# Set the settings (run this from the management box, or the DROP rule will cut off your own SSH session)
iptables -A INPUT -p tcp --dport 22 -s YourIP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
# Save the settings
iptables-save > /etc/sysconfig/iptables # This is persistent
iptables-save > iptables-rules.txt
# Load the settings
iptables-restore < iptables-rules.txt
```
Now we will configure the certificate authority on the server to issue certs. Note that the last command needs a certificate signing request (CSR), which is generated on the web server in the next section.

```bash
# /etc/pki/CA is the CA directory the default openssl.cnf on this system points at
cd /etc/pki/CA
touch index.txt
echo 1000 > serial
# CA private key, encrypted with a passphrase you will be prompted for
openssl genrsa -des3 -out private/cakey.pem 2048
# Self-signed CA certificate, valid for one year
openssl req -new -x509 -days 365 -key private/cakey.pem -out cacert.pem
# Need the CSR (websrv.csr) from the web server before running this
openssl ca -out websrv.crt -infiles websrv.csr
```
## NGINX Server

Using the following commands we will generate a private key and certificate signing request. Then we will move the certificate and key to the desired locations.

```bash
# The key is passphrase-protected by default; nginx will prompt for it on every start
# unless you generate it with -nodes or point ssl_password_file at the passphrase.
openssl req -newkey rsa:2048 -keyout websrv.key -out websrv.csr
scp websrv.csr dylan@remotehost:/home/dylan
scp dylan@remotehost:/home/dylan/websrv.crt /home/dylan/websrv.crt
cp /home/dylan/websrv.crt /etc/ssl/certs
# /etc/ssl/private is root-only; keep the key unreadable to other users
cp /home/dylan/websrv.key /etc/ssl/private
```
Next, we will configure the firewall to allow HTTPS traffic on the webserver.

```bash
ufw allow 443/tcp
ufw reload
```
Next, we will begin configuring the Nginx settings.

Create the `/etc/nginx/snippets/self-signed.conf` file:

```nginx
ssl_certificate /etc/ssl/certs/websrv.crt;
ssl_certificate_key /etc/ssl/private/websrv.key;
```
Make `/etc/nginx/snippets/ssl-params.conf` next:

```nginx
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
# Note: ssl_ciphers only selects TLS 1.2 cipher suites; with TLSv1.3 alone it has no effect.
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Stapling needs an OCSP responder URL in the certificate; a lab CA without one
# will log a warning, and ssl_stapling_verify also needs ssl_trusted_certificate.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
```
Next create the configuration for the virtual host in the `/etc/nginx/sites-available` directory, for example `/etc/nginx/sites-available/nginx01-dylan`:

```nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name nginx01-dylan.dylan.local;
    location / {
        try_files $uri $uri/ =404;
    }
}
```
Then use `sudo nginx -t` to test your configuration files. If everything looks good, enable the configuration file with `ln -s /etc/nginx/sites-available/nginx01-dylan /etc/nginx/sites-enabled/` and restart the service.
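As an added example (not part of the original wiki), the following Python script audits an `ssl-params.conf` snippet like the one above before it is deployed: it parses the directives and flags legacy protocols, the inert `ssl_ciphers` line under a TLS 1.3-only policy, the missing `ssl_trusted_certificate` needed by `ssl_stapling_verify`, and the absent HSTS header. The embedded `SSL_PARAMS` text is a constructed copy of this lab's snippet.

```python
"""Audit an nginx TLS snippet such as the ssl-params.conf built in this lab."""
import shlex

# Constructed sample: the ssl-params.conf directives used on this page.
SSL_PARAMS = """
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
# Disable strict transport security for now.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
"""

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Return [(name, [args])] for one-line directives; '#' starts a comment (no '#' inside quotes assumed)."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if line:
            name, *args = shlex.split(line)  # honours quoted header values
            out.append((name, args))
    return out


def audit(text):
    """Return a list of human-readable findings for the TLS directives in `text`."""
    directives = parse_directives(text)
    get = lambda n: [a for k, a in directives if k == n]
    findings = []
    protos = set(sum(get("ssl_protocols"), []))
    if protos & LEGACY:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(protos & LEGACY)))
    if protos == {"TLSv1.3"} and get("ssl_ciphers"):
        findings.append("ssl_ciphers is inert: it selects TLS 1.2 suites only, and only TLS 1.3 is enabled")
    if get("ssl_session_tickets") != [["off"]]:
        findings.append("ssl_session_tickets not off: the ticket key is never rotated without extra config")
    if get("ssl_stapling_verify") == [["on"]] and not get("ssl_trusted_certificate"):
        findings.append("ssl_stapling_verify on without ssl_trusted_certificate: OCSP response cannot be verified")
    if "Strict-Transport-Security" not in {a[0] for a in get("add_header") if a}:
        findings.append("no Strict-Transport-Security header: browsers will still accept plain HTTP")
    return findings
```

Run it against the real snippet with `audit(open("/etc/nginx/snippets/ssl-params.conf").read())` and work through the findings before the host is exposed on port 443.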
## Edge01 Firewall

You will need to run the following commands in the configure menu on the edge firewall.

```
set firewall name LAN-to-DMZ rule 11 action accept
set firewall name LAN-to-DMZ rule 11 destination address 172.16.50.5
set firewall name LAN-to-DMZ rule 11 destination port 443
set firewall name LAN-to-DMZ rule 11 protocol tcp
set firewall name LAN-to-DMZ rule 11 description "Allow access to web server from LAN"
commit
save
```