wiki.ipfire.org

The community-maintained documentation platform of IPFire


Nginx

Homepage: http://nginx.org/en/

nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server.

Installation

Nginx can be installed with pakfire, e.g.:

 pakfire install nginx libdaemon 

You will find the configuration files in /etc/nginx.

Configuration

You can find a very good and detailed configuration manual on the official nginx homepage at http://nginx.org/en/docs/.

Example 1: Reverse Proxy

This example makes nginx run as an SSL reverse proxy. This means that the services running behind the IPFire firewall do not have SSL enabled themselves, but when you connect to them from the internet, SSL is provided by the nginx reverse proxy:

/etc/nginx/nginx.conf

server {
    listen                  443 ssl;
    server_name             127.0.0.1;
    ssl                     on;
    ssl_certificate         /etc/ssl/certs/nginx.crt;
    ssl_certificate_key     /etc/ssl/private/nginx.key;
    ssl_session_timeout     10m;
    client_max_body_size    1000M;

    ssl_protocols             TLSv1.1 TLSv1.2 TLSv1;
    # the wiki shows this list cut off at "!M$"; "!MD5" is the assumed ending
    ssl_ciphers               ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;

    # one .conf file per proxied service, see below
    include sites/*.conf;
}

I am only describing the server block here. For all other settings please have a look at the nginx documentation. For each service I created its own config file in the directory sites. You have to create this directory yourself, and all config files in it need to end in .conf.

/etc/nginx/sites/default.conf: This is my default configuration, pointing at the host where my web server is running.

location / {
   proxy_pass http://192.168.222.111:80;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

   proxy_set_header X-Forwarded-Proto https;
   proxy_redirect http:// https://;
}
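As an added check (not from the wiki or the nginx project), this Python snippet parses a server block like the one above and flags the settings a reviewer would question: TLS 1.0/1.1 in ssl_protocols, 3DES in the cipher list, the deprecated ssl on, and unbalanced braces. The sample is a constructed copy of the Example 1 TLS directives.

```python
# Constructed sample: the TLS directives of the Example 1 server block (not the live file).
SAMPLE = """
server {
    listen 443 ssl;
    server_name 127.0.0.1;
    ssl on;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
    ssl_prefer_server_ciphers on;
    include sites/*.conf;
}
"""

def directives(conf):
    """Return [(name, [args])] for every simple directive, ignoring '#' comments.
    Raises ValueError when the braces do not balance (nginx -t would reject that too)."""
    found, depth = [], 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        depth += line.count("{") - line.count("}")
        if depth < 0:
            raise ValueError("closing brace without a matching opening brace")
        if line.endswith(";"):
            name, *args = line[:-1].split()
            found.append((name, args))
    if depth:
        raise ValueError(f"{depth} unclosed brace(s) at end of config")
    return found

def audit_tls(conf):
    """Return a list of findings about the TLS settings; an empty list means nothing to report."""
    seen = dict(directives(conf))          # last occurrence of a directive wins
    findings = []
    for old in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        if old in seen.get("ssl_protocols", []):
            findings.append(f"ssl_protocols enables {old}; keep only TLSv1.2 (and TLSv1.3 where available)")
    if "3DES" in ":".join(seen.get("ssl_ciphers", [])):
        findings.append("ssl_ciphers permits 3DES, a 64-bit block cipher")
    if seen.get("ssl") == ["on"]:
        findings.append("'ssl on' is deprecated; 'listen 443 ssl' already enables TLS")
    if seen.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    return findings
```

Run audit_tls on the text of your own server block; four findings come back for the sample above, none once the protocol and cipher lists are tightened.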

Example 2: Reverse Proxy for MS Exchange server

If your company uses MS Exchange as its e-mail server, for security reasons it is recommended that the HTTP services of MS Exchange are not in the front row and do not communicate directly with clients on the internet. In this case it is a good idea to use nginx as a reverse proxy for Outlook Web Access (OWA) and ActiveSync (syncing of mobile devices). And of course the Exchange Web Services (EWS) should only be accessible from the intranet.

Put these lines for the Exchange locations into the SSL server section of your standard nginx.conf, and comment out the four lines of the standard www-root location if you don't need nginx as a web server:

server {
    listen      443 ssl;
    ...
#    location / {
#        root   html;
#        index  index.html index.htm;
#    }
    ...
    location /owa {
        proxy_pass https://IP_OF_YOUR_EXCHANGE/owa;
    }
    location /Microsoft-Server-ActiveSync {
        proxy_pass https://IP_OF_YOUR_EXCHANGE/Microsoft-Server-ActiveSync;
        # nginx directives are written "name value;", not "name=value"
        proxy_read_timeout 1500;
    }
}

Reload nginx and open https://your_ipfire/owa from the red (!) network. You should see the OWA login page of your MS Exchange, but the SSL certificate comes from nginx and not from MS Exchange. Your reverse proxy is working!

Access to the Exchange Web Services at https://your_ipfire/ews should be refused!

Syncing your mobile devices should also work.

If you have any trouble, look at the nginx log files in /var/log/nginx.
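To confirm the exposure the text describes (only /owa and ActiveSync reach Exchange, /ews does not), here is an added Python model of nginx's prefix-location matching, written for this page and not taken from nginx or the wiki. It assumes the two location prefixes of Example 2 and reproduces two nginx rules: the longest matching prefix wins, and the URI is percent-decoded and dot-segment-normalised before matching, so you can check that no request path outside the two listed ones is ever proxied.

```python
import posixpath
import re
from urllib.parse import unquote

# The two prefix locations from the Example 2 server block above (constructed list, same values).
LOCATIONS = ["/owa", "/Microsoft-Server-ActiveSync"]

def normalize_uri(uri):
    """Approximate nginx's URI processing before location matching: drop the query
    string, percent-decode, merge repeated slashes and resolve '.' / '..' segments."""
    path = re.sub(r"/{2,}", "/", unquote(uri.split("?", 1)[0]))
    norm = posixpath.normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"            # normpath drops a trailing slash; nginx keeps it
    return norm

def match_location(uri, locations=LOCATIONS):
    """Return the longest prefix location matching uri, or None when nothing matches.
    None means no proxy_pass applies, so the request never reaches the Exchange host.
    Prefix locations are case-sensitive, unlike paths on the IIS behind Exchange."""
    path = normalize_uri(uri)
    best = None
    for loc in locations:
        if path.startswith(loc) and (best is None or len(loc) > len(best)):
            best = loc
    return best

def exposure_report(uris, locations=LOCATIONS):
    """Map each request URI to the location that would handle it (None = not proxied)."""
    return {u: match_location(u, locations) for u in uris}
```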

Example 3: Managing SSL certificates for all your sites with acme.sh and Let's Encrypt

Your nginx is working as a reverse proxy for a couple of websites with different domains behind it. Users who visit your sites via SSL see the SSL certificate delivered by nginx. In most cases this is self-signed and will be marked by browsers as insecure. You need a trusted SSL certificate for every domain you host, and nginx should deliver it. The solution is the little script acme.sh with Let's Encrypt as certificate authority!

First log in to your IPFire as root via ssh and download the script onto your IPFire:

curl https://get.acme.sh | sh

The script creates a new directory /root/.acme and loads the required files into it. In addition, a cron job is created which is responsible for the regular renewal of the certificates. This is important because Let's Encrypt certificates are only valid for 3 months.

Now run the script for every domain you host. It is important that your nginx is reachable on port 80, because the script writes a verification file into your nginx www root and Let's Encrypt checks it by requesting http://yourdomain.tld!

acme.sh --issue -d yourdomain_1.tld -w /usr/share/nginx/html
acme.sh --issue -d yourdomain_2.tld -w /usr/share/nginx/html
...

If everything is okay, your certs are now in /root/.acme/yourdomain_x.tld/. If you have trouble, run acme.sh with --debug as an additional flag.

Now open /etc/nginx/nginx.conf and, for every domain you have, point the certificate paths at your new Let's Encrypt cert files:

server {
    listen 443 ssl;
    server_name yourdomain_1.tld;
    ssl_certificate     /root/.acme/yourdomain_1.tld/yourdomain_1.tld.cer;
    ssl_certificate_key /root/.acme/yourdomain_1.tld/yourdomain_1.tld.key;
    ...
}
server {
    listen 443 ssl;
    server_name yourdomain_2.tld;
    # each domain's files live in its own acme.sh directory
    ssl_certificate     /root/.acme/yourdomain_2.tld/yourdomain_2.tld.cer;
    ssl_certificate_key /root/.acme/yourdomain_2.tld/yourdomain_2.tld.key;
    ...
}
...
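Added example (not part of the wiki or acme.sh): a Python check that reads a config like the one above and reports any server block whose ssl_certificate or ssl_certificate_key does not live in the /root/.acme/<server_name>/ directory the text says acme.sh creates. The sample config is constructed and deliberately contains the copy-paste slip this check is for: the second block names yourdomain_2.tld but points at yourdomain_1.tld's directory.

```python
import re

ACME_HOME = "/root/.acme"   # directory this page says acme.sh uses (assumed unchanged)

# Constructed sample: two server blocks as in Example 3; the second one has the
# copy-paste slip this check catches (files taken from yourdomain_1.tld's directory).
SAMPLE = """
server {
    server_name yourdomain_1.tld;
    ssl_certificate     /root/.acme/yourdomain_1.tld/yourdomain_1.tld.cer;
    ssl_certificate_key /root/.acme/yourdomain_1.tld/yourdomain_1.tld.key;
}
server {
    server_name yourdomain_2.tld;
    ssl_certificate     /root/.acme/yourdomain_1.tld/yourdomain_2.tld.cer;
    ssl_certificate_key /root/.acme/yourdomain_1.tld/yourdomain_2.tld.key;
}
"""

def server_blocks(conf):
    """Yield the text of each top-level server { ... } block, delimited by brace depth."""
    depth, current = 0, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]
        if current is None and re.match(r"\s*server\s*\{", line):
            current = []
        if current is not None:
            current.append(line)
            depth += line.count("{") - line.count("}")
            if depth == 0:
                yield "\n".join(current)
                current = None

def check_cert_paths(conf, acme_home=ACME_HOME):
    """Return one message per certificate path that is not under acme_home/<server_name>/."""
    problems = []
    for block in server_blocks(conf):
        m = re.search(r"^\s*server_name\s+(\S+);", block, re.M)
        if not m:
            problems.append("server block without server_name")
            continue
        host, expected = m.group(1), f"{acme_home}/{m.group(1)}/"
        for directive in ("ssl_certificate", "ssl_certificate_key"):
            d = re.search(rf"^\s*{directive}\s+(\S+);", block, re.M)
            if not d:
                problems.append(f"{host}: {directive} is missing")
            elif not d.group(1).startswith(expected):
                problems.append(f"{host}: {directive} is {d.group(1)}, expected a file under {expected}")
    return problems
```

acme.sh also writes fullchain.cer next to the domain certificate; pointing ssl_certificate at that file sends the intermediate certificate too, which clients that have not cached it need.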

Reload your nginx by typing

/etc/init.d/nginx reload

and visit your website via https://. You should now get a green certificate signed by Let's Encrypt for your domain. If you have any trouble, look at /var/log/nginx/error.log.

Many thanks to Neilpang for writing this nice script!

Source: https://github.com/Neilpang/acme.sh

nginx/start.txt · Last modified: 2017/08/26 12:10 by Vossi