I am trying to configure a subdomain to proxy requests to an other server on which I have no control. A friend run that server, and he uses his own CA to avoid paying for an ssl certificate. I tried my configuration proxying to one of my own subdomain, running a valid ssl certificate, and it worked fine, but as soon as I proxy to him and his "invalid" ssl certificate, nginx keep asking me for my credentials.
Here is my configuration :
server
{
listen [::]:443 ssl spdy;
listen 443 ssl;
server_name subdomain.mydomain.tld;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:RC4';
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_session_timeout 5m;
ssl_certificate /etc/ssl/mydomain.crt;
ssl_certificate_key /etc/ssl/mydomain.key;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/startssl.pem;
add_header Strict-Transport-Security max-age=63072000;
root /path/;
location /
{
index /_h5ai/server/php/index.php;
auth_basic "mydomain";
auth_basic_user_file auth_file;
}
location /friend/
{
rewrite ^/friend/(.*) /$1 break;
proxy_set_header Authorization "Basic base64_encoded";
proxy_pass https://subdomain.friend.tld:443/blah/;
}
location ~ .php$
{
fastcgi_pass 127.0.0.1:4242;
include fastcgi.conf;
fastcgi_read_timeout 3600;
}
}
I do not have any errors in the logs.
I can browse everything fine outside of /friend, it authenticate fine, but as soon as I get into /friend the authentication just keep poping like I had a wrong password.
I know my base64 encoded is valid, and I tested it by replicating the same auth on one of my subdomain and it worked fine, so the only explanation left I can think of is that nginx doesn't like his certificate.
Is there some configuration I would have missed allowing me to trust his CA ?
Or just to disable the verification, the data aren't sensible at all, it'd be fine even over http, but he doesn't want to bother with configuring that on his server. So disabling the verification would be a good enough solution for me.
Thanks
You should install your friend's CA cert (not the webserver cert, but the CA cert he created and used to sign his webserver cert) into the default OpenSSL CA store.
First you need to determine where OpenSSL keeps its files on your system. On Linux it's usually:
cd /etc/ssl/certs
Save your friend's CA cert, in PEM format, into that directory.
Then you need to determine the hash of that cert:
openssl x509 -noout -hash -in your-friends-ca.pem
and create a symlink to the cert file with the hash as the filename and with the filename extension .0:
ln -s your-friends-ca.pem 34ae50c5.0
Then restart Nginx.
Related
My client bought a PositiveSSL Certificate, and he gave me 2 files, crt and ca-bundle.
How can I install these files to the ubuntu server and make the https protocol work?
FYI, I'm using nginx.
Any clue?
key file
First off: you need the secret key as well, from the extensions on the filenames you are missing that file.
ngnix
nginx expects a chained certificate, but that's easy enough to create:
$ cd /path/to
$ cat www.example.com.crt ca-bundle.crt > example.bundle.crt
While at it create the Diffie–Hellman parameters:
$ openssl dhparam -out dh4096.pem 4096
You need to add a few statements to the appropriate place in your configuration file(s).
It's the server block that needs something like this:
server {
listen 443 ssl http2;
server_name www.example.com ;
ssl on;
ssl_certificate /path/to/example.bundle.crt;
ssl_certificate_key /path/to/example.key;
# take care: a single add_header *will* wipe all the inherited ones!
# HSTS (be careful, this is irreversible!)
# add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
}
Something like this can be added to the http block:
http {
#ssl parameters (certificates in the virtual servers)
ssl_dhparam /path/to/dh4096.pem;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS:!DES";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
}
[that way you only need to maintain that stuff once for all virtual servers, is also ok to add it in the server blocks that use ssl]
More info:
http://nginx.org/en/docs/http/configuring_https_servers.html
Test it
Free tests are available, e.g. this one: https://www.ssllabs.com/ssltest/
Fix it to make sure you're set at a high enough rating.
SO...
I have a node application running on a server on port 8080 and I am trying to enabled it to work over SSL using NGINX and CloudFlare. Note the following...
My host is running Ubuntu 16.04 LTS
I am currently using CloudFlare's Universal SSL (free tier)
I have my test host DNS setup as test.company.com
I have copied the CloudFlare origin pull cert from this post to my test box's /etc/nginx/certs
...my previous NGINX configuration looked like...
server {
listen 80;
location / {
proxy_pass http://localhost:8080;
}
}
...it now looks like...
# HTTP
server {
listen 80;
listen [::]:80 default_server ipv6only=on;
return 301 https://$host$request_uri;
}
# HTTPS
server {
listen 443;
server_name test.company.com;
ssl on;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:8080/;
proxy_ssl_session_reuse off;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
}
}
...I followed the example here and the link it provides here and I'm skeptical that everything above is required (I'm a minimalist). Whenever I run sudo nginx -t I still get errors around ssl_certificate and ssl_certificate_key not being specified. I cannot figure out how to download the require files from CloudFlare and from what I understand, I don't believe I should need to.
If I try to re-use the CloudFlare origin pull cert as both the ssl_certificate and ssl_certificate_key, I get the error nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/certs/cloudflare.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
I am confident that it is possible to create my own self-signed certificate, but I am planning on using this strategy eventually to spin up production machines. Any help on pointing me in the right direction is much appreciated.
It looks like you're using Cloudflare's Origin CA service, nice!
The issue looks like you've put your SSL private key in the ssl_client_certificate attribute and not put your real SSL certificate in your configuration. Your Nginx SSL configuration should contain the following lines instead:
ssl_certificate /path/to/your_certificate.pem;
ssl_certificate_key /path/to/your_key.key;
Make sure SSL Certificate corresponds to the .PEM file with the correct contents, and the Certificate Key file contains the .KEY file with the correct contents too.
To generate a certificate with Origin CA, navigate to the Crypto section of the Cloudflare dashboard. From there, click the Create Certificate button in the Origin Certificates section. Once you complete the steps in the wizard, you will see a window which allows you to download both the certificate file and the key file. Make sure you put them in the correct files and install them on your web server.
Further reading:
How to install an Origin CA certificate in NGINX
Creating and managing certificates with Origin CA
Also, ssl on is deprecated, instead, use listen 443 ssl;.
I have a definition in Nginx where by different ports, I need different SSL client verify options.
When I connect to :443/location1, Nginx will request a client cert, but will fail with "HTTP 400, Bad Request, Require Client Cert". It seems as if NGinx uses the server rule for port 444 which has a "ssl_verify_client off" on connect, but on the route, NGinx checks to see if a client cert was given since it's rule for port 443, says client verify is required and then fails in the actual HTTP request.
I dug around and can't seem to find any docs around this. Clearly same IP:PORT is an issue, but everything thus far indicates by PORT I can change the config but that doesn't seem to be the case.
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl-certs/a.cert;
ssl_certificate_key /etc/nginx/ssl-certs/a.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_client_certificate /etc/nginx/ssl-certs/ca.pem;
ssl_verify_client on;
location /location1 {
[..]
}
}
server {
listen 444;
ssl on;
ssl_certificate /etc/nginx/ssl-certs/a.cert;
ssl_certificate_key /etc/nginx/ssl-certs/a.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_verify_client off;
location /location2 {
[..]
}
}
I eventually figured it out.
Client rejection is mandatory, but can happen either after the connection has been made or during the handshake.
NGINX will allow the handshake to complete, then enforce if the
client was verified.
APACHE (at least the last version I used) fails
the handshake.
I've used letsencrypt to install an SSL cert for the latest nginx on ubuntu.
The setup is fine and works great with the exception of:
I don't know enough about SSL to know what's going on but I have a suspicion:
I installed the SSL cert for Apache a while back and just now moved to Nginx for it's http/2 support. As the nginx plugin is not stable yet I had to install the cert myself and this is what I did:
In my nginx config (/etc/nginx/conf/default.conf) I added:
server {
listen 80;
server_name [domain];
return 301 https://$host$request_uri;
}
server {
listen 443 http2;
listen [::]:443 http2;
server_name [domain];
ssl on;
ssl_certificate /etc/letsencrypt/live/[domain]/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;
}
Is it possible that this breaks the chain somehow? What is the proper way here?
Thanks guys
1) For strong Diffie-Hellman and avoid Logjam attacks see this great manual.
You need extend your nginx config with these directives (after you will generate dhparams.pem file):
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
2) For correct certificate chain use fullchain.pem, not cert.pem, see this great tutorial for details.
And you will get A grade :)
3) and as bonus try this great service:
"Generate Mozilla Security Recommended Web Server Configuration Files".
I'm currently in the process of migrating the hosting of a service of mine from a Managed hosting (running Lighspeed + Cpanel) to my own Managed hosting, running Nginx.
Everything is running fine in Nginx 1.6.0, but my problem is that my certificate shows as self-signed. I installed the SSL certificate including the chained certificate as per
http://www.digicert.com/ssl-certificate-installation-nginx.htm
However, even trying the configuration on NGinx SSL certificate authentication signed by intermediate CA (chain) it does not work.
If I input my website on http://sslcheck.globalsign.com/en_US it shows as it's a self-signed certificate.
Below is my virtual host configuration regarding SSL:
server {
listen 80;
listen 443 ssl;
server_name host02.website.com *.website.com;
root /spacedata/website.com;
index index.php index.html /;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security max-age=31536000;
ssl_certificate /etc/pki/tls/certs/bundle-alpha.crt;
ssl_certificate_key /etc/pki/tls/certs/private.key;
...
}
I confirm that I installed the right Cert and Private Keys.
Bear in mind that I run the AlphaSSL Wildcard certificate.
I suspect that I'm missing something in regards to the configuration as in my other hosting I installed the same .crt file and .key.
I had the same issue before, had todo with the order of the certs that reside inside your ssl_certificate file.
You need to include all intermediate CA certs in this file, and have them in the right order.
All I had to do was reverse the order of the certs within that file, and my problem was solved.
Your server cert should be on top, then simply go down the CA chain.
PS. My config looks like:
listen 443 default ssl;
ssl_certificate /etc/nginx/ssl/server_plus.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
ssl_prefer_server_ciphers on;