Run the RPKI Validator UI and API behind an nginx proxy - RIPE-NCC/rpki-validator-3 GitHub Wiki
A minimal example of running Nginx as a reverse proxy in front of the RPKI Validator. Nginx then handles HTTP/HTTPS, and HTTP basic authentication is used to reject unauthenticated updates: read-only requests (GET/HEAD) pass through, anything else needs credentials.
## Install Nginx on CentOS (skip if you already have Nginx installed)

```bash
sudo yum install -y epel-release
sudo yum install -y nginx
sudo systemctl start nginx
sudo systemctl enable nginx
```
## HTTP example

```nginx
location / {
    # Only GET and HEAD pass without credentials; every other method
    # (POST, PUT, DELETE, ...) must present a valid basic-auth user.
    limit_except GET HEAD {
        auth_basic 'Private property';
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    proxy_pass_request_headers on;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    # The validator listens on localhost:8080 by default.
    proxy_pass http://localhost:8080;
}
```

This `location` block can be added to any virtual host in Nginx; if the server is dedicated to the RPKI Validator you can replace the `location` in nginx.conf with it.
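An added example (not part of this wiki page or the validator project) that checks from the nginx access log whether the policy above is actually enforced: a non-GET/HEAD request that returned 2xx with no `$remote_user` means the `limit_except` block is not in front of the validator, and clients accumulating 401 responses are flagged for follow-up. It assumes the default `combined` log format; the IPs and API paths in the sample lines are constructed.

```python
import re
from collections import Counter

# nginx "combined" log format; $remote_user is "-" when no basic-auth user was sent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
READ_ONLY = {"GET", "HEAD"}  # the methods limit_except lets through unauthenticated


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(lines, threshold=5):
    """Return (violations, brute_force_ips): modifying requests that got a 2xx
    with no remote user (auth not enforced), and client IPs with at least
    `threshold` 401 responses (repeated credential failures)."""
    violations, failures = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        status = int(rec["status"])
        if rec["method"] not in READ_ONLY and rec["user"] == "-" and 200 <= status < 300:
            violations.append((rec["ip"], rec["method"], rec["path"]))
        if status == 401:
            failures[rec["ip"]] += 1
    brute = sorted(ip for ip, n in failures.items() if n >= threshold)
    return violations, brute


# Constructed sample log lines (hypothetical IPs and paths, not real traffic).
SAMPLE = """\
203.0.113.10 - - [01/Jan/2020:10:00:00 +0000] "GET /api/trust-anchors HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.10 - - [01/Jan/2020:10:00:01 +0000] "POST /api/trust-anchors HTTP/1.1" 401 0 "-" "curl/7.64"
203.0.113.10 - admin [01/Jan/2020:10:00:02 +0000] "POST /api/trust-anchors HTTP/1.1" 200 40 "-" "curl/7.64"
198.51.100.7 - - [01/Jan/2020:10:00:03 +0000] "DELETE /api/trust-anchors/1 HTTP/1.1" 200 0 "-" "curl/7.64"
""" + "".join(
    f'198.51.100.7 - - [01/Jan/2020:10:01:{i:02d} +0000] "POST /api/trust-anchors HTTP/1.1" 401 0 "-" "x"\n'
    for i in range(6)
)

if __name__ == "__main__":
    bad, brute = audit(SAMPLE.splitlines())
    for ip, method, path in bad:
        print(f"AUTH BYPASS: {method} {path} from {ip} succeeded without credentials")
    for ip in brute:
        print(f"REPEATED 401s: {ip}")
```

Run it against `/var/log/nginx/access.log` after deploying the proxy; an empty violations list confirms that modifying requests never reach the validator unauthenticated.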
## Install Let's Encrypt on CentOS (skip if you already have an SSL certificate)

```bash
sudo yum install epel-release
sudo yum install certbot-nginx
certbot --nginx -d rpki.example.com
```

Don't forget to set up automatic renewal of the Let's Encrypt certificate:

```bash
crontab -e
```

```
15 3 * * * /usr/bin/certbot renew --quiet
```
## HTTPS example using Let's Encrypt with a domain

```nginx
server {
    server_name rpki.example.com; # managed by Certbot

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        # Only GET and HEAD pass without credentials; every other method
        # must present a valid basic-auth user.
        limit_except GET HEAD {
            auth_basic 'Private property';
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_pass http://localhost:8080;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rpki.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rpki.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    # Plain HTTP: redirect the real hostname to HTTPS, refuse everything else.
    if ($host = rpki.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name rpki.example.com;
    return 404; # managed by Certbot
}
```

The HTTPS version only accepts HTTPS connections to the validator; any plain HTTP request for the domain is redirected to HTTPS, so credentials are never sent in the clear.
## Creating the password file /etc/nginx/.htpasswd

```bash
htpasswd -c /etc/nginx/.htpasswd youruser
# htpasswd prompts for the password: choose a strong one.
```

On CentOS the `htpasswd` tool comes from the `httpd-tools` package (`sudo yum install -y httpd-tools`). The `-c` flag creates the file; omit it when adding further users to an existing file, or it will be overwritten.