
Open source softwares - NGINX


Lesson Description


Lesson - #629 Nginx Security Controls


Nginx Security Controls

When our content is valuable and we are properly concerned about the privacy and security of our users, we can use Nginx to control and secure access to our services and to the data we manage.

Nginx SSL Termination

SSL (Secure Sockets Layer) connections use a certificate for authentication before encrypted data is sent from a client computer to the web server. SSL termination is a form of SSL offloading (decryption): it moves part of this work from the web server to a different machine, and it is the point where encrypted traffic is decrypted. In this section we describe how to configure an HTTPS server on NGINX Plus and NGINX. To set up an HTTPS server in the nginx.conf file, add the ssl parameter to the listen directive in the server block, then specify the locations of the server certificate and private key files:

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    #...
}


The server certificate is a public entity: it is sent to every client that connects to Nginx Plus or Nginx. The private key is a secret and should be stored in a file with restricted access; however, the nginx master process must be able to read that file. The private key can also be stored in the same file as the certificate:

ssl_certificate     www.example.com.cert;
ssl_certificate_key www.example.com.cert;

The ssl_protocols and ssl_ciphers directives can be used to require that clients use only strong versions and ciphers of SSL/TLS when establishing connections.

SSL Termination for TCP Upstream Servers

Obtaining the SSL Certificate

First, obtain server certificates and a private key and place them on the server. A certificate can be obtained from a trusted CA (Certificate Authority) or generated using an SSL library such as OpenSSL.

Configure Nginx Plus

To configure SSL termination, include the following directives in the Nginx Plus configuration:

Enabling SSL

To enable SSL, add the ssl parameter to the listen directive for the TCP server that passes connections to an upstream server group:

stream {

    server {
        listen     12345 ssl;
        proxy_pass backend;
        #...
    }
}


Adding SSL Certificates

To add SSL certificates, specify the path to the certificate with the ssl_certificate directive, and the path to the private key with the ssl_certificate_key directive:

server {
    #...
    ssl_certificate        /etc/ssl/certs/server.crt;
    ssl_certificate_key    /etc/ssl/certs/server.key;
}


Also, the ssl_protocols and ssl_ciphers directives can be used to restrict connections to strong versions and ciphers of SSL/TLS only:

server {
    #...
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers    HIGH:!aNULL:!MD5;
}
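
The server blocks above (the HTTPS server in the http context and the TLS-terminating TCP server in the stream context) set ssl_protocols, ssl_ciphers and ssl_certificate_key by hand, and nginx -t only checks that the syntax is valid and the files exist. The Python script below is an added example, not code from the lesson or from NGINX: it extracts those directives from a config snippet, flags protocol versions that RFC 8996 deprecates (TLSv1 and TLSv1.1, both still listed in the lesson's ssl_protocols line), checks that the cipher list keeps the !aNULL and !MD5 exclusions, and, when the key file is present on disk, checks that it is not group- or world-readable, which is the "restricted access, but readable by the master process" requirement stated earlier. The sample config is constructed from the two blocks above with the stream server's lists altered so that each block yields a different finding; the regex parser assumes the flat server { } layout shown and does not handle nested blocks.

```python
"""Lint the TLS directives of nginx server blocks and the private key's file mode.

Added example (not from the lesson or from NGINX). Assumes the flat
server { } layout shown above, in either the http or the stream context.
"""
import os
import re
import stat
from typing import Dict, List

# Versions deprecated by RFC 8996; the lesson's ssl_protocols line still lists two of them.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Exclusions the lesson's cipher list carries and that should not be dropped.
REQUIRED_EXCLUSIONS = {"!aNULL", "!MD5"}

# Constructed sample: the HTTPS server block and the TCP stream server block from the
# lesson, with the stream server's protocol and cipher lists altered so that each
# block produces a different finding.
SAMPLE_CONFIG = """
http {
    server {
        listen              443 ssl;
        server_name         www.example.com;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        #...
    }
}
stream {
    server {
        listen     12345 ssl;
        proxy_pass backend;
        ssl_certificate        /etc/ssl/certs/server.crt;
        ssl_certificate_key    /etc/ssl/certs/server.key;
        ssl_protocols  TLSv1.2 TLSv1.3;
        ssl_ciphers    HIGH:!aNULL;
    }
}
"""

SERVER_RE = re.compile(r"\bserver\s*\{([^{}]*)\}")
DIRECTIVE_RE = re.compile(r"(\w+)\s+([^;{}]+);")


def parse_servers(config: str) -> List[Dict[str, str]]:
    """One {directive: value} map per server { } block; comments are dropped first."""
    stripped = re.sub(r"#[^\n]*", "", config)
    return [
        {name: value.strip() for name, value in DIRECTIVE_RE.findall(body)}
        for body in SERVER_RE.findall(stripped)
    ]


def check_key_file(path: str) -> List[str]:
    """The key must stay readable by the nginx master process but by no one else."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return []                                   # not deployed here; nothing to check
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: private key is group/world accessible (mode {oct(mode & 0o777)})"]
    return []


def lint_tls(config: str) -> List[str]:
    """Findings for every server block whose listen directive carries the ssl parameter."""
    findings = []
    for index, server in enumerate(parse_servers(config)):
        listen = server.get("listen", "")
        if "ssl" not in listen.split():
            continue                                # plain listener: TLS directives are inert
        tag = f"server {index} (listen {listen})"
        enabled = set(server.get("ssl_protocols", "").split())
        for proto in sorted(enabled & DEPRECATED_PROTOCOLS):
            findings.append(f"{tag}: deprecated protocol {proto} enabled")
        ciphers = set(server.get("ssl_ciphers", "").split(":"))
        for missing in sorted(REQUIRED_EXCLUSIONS - ciphers):
            findings.append(f"{tag}: cipher list does not exclude {missing[1:]}")
        if "ssl_certificate_key" not in server:
            findings.append(f"{tag}: ssl_certificate_key missing")
        else:
            findings.extend(check_key_file(server["ssl_certificate_key"]))
    return findings


if __name__ == "__main__":
    for finding in lint_tls(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the two deprecated versions on the port 443 server and the dropped !MD5 exclusion on the port 12345 server; the key-file check stays silent on a machine where the key is not deployed, so it is meant to run on the host that actually holds the key.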


Restricting Access with HTTP Basic Authentication

We can restrict access to our website, or to parts of it, by implementing username and password authentication. Usernames and passwords are taken from a file created and populated by a password file creation tool, for example apache2-utils.

Creating a Password File

To create username-password pairs, use a password file creation utility, for example httpd-tools or apache2-utils:

1. First, verify that httpd-tools or apache2-utils is installed.

2. To create a password file and a first user, run the htpasswd utility with the -c flag (which creates a new file), the file pathname as the first argument, and the username as the second argument:

$ sudo htpasswd -c /etc/apache2/.htpasswd user1

3. Create additional username-password pairs. Omit the -c flag since the file already exists:

$ sudo htpasswd /etc/apache2/.htpasswd user2


4. We can make sure that the file contains paired usernames and encrypted passwords:

$ cat /etc/apache2/.htpasswd
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/
user3:$apr1$Mr5A0e.U$0j39Hp5FfxRkneklXaMrr/


Configuring Nginx Plus and Nginx for HTTP Basic Authentication

1. Inside a location that we are going to protect, specify the auth_basic directive and give a name to the password-protected area. The name of the area will be shown in the username/password dialog window when credentials are requested.

location /api {
    auth_basic "Administrator's Area";
    #...
}


2. Specify the auth_basic_user_file directive with the path to the .htpasswd file that contains user/password pairs:

location /api {
    auth_basic           "Administrator's Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}
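
The steps in "Creating a Password File" and the two-step location block above leave two things unchecked: that every location with auth_basic also has an auth_basic_user_file (a location that stops after step 1 is not protected the way it looks), and that the file nginx is pointed at contains only properly hashed entries. The Python below is an added example, not part of the lesson or of NGINX: check_locations() flags a location missing its user file, and audit_htpasswd() parses the user:hash format nginx reads, classifies each stored hash ($apr1$ as produced by htpasswd, other crypt() formats, or a {SCHEME} prefix such as {PLAIN}, {SHA} or {SSHA}), and reports plaintext entries, unsalted {SHA} entries, duplicate usernames and malformed lines. The sample config and sample file are constructed for the example: the three $apr1$ lines are the ones shown in the cat output above, and the legacy and second user1 lines were added so that the audit has something to report.

```python
"""Check nginx basic-auth locations and audit the referenced htpasswd file.

Added example (not from the lesson or from NGINX). Assumes the location
block layout shown above and the user:hash file format that nginx reads.
"""
import re
from typing import Dict, List

# Constructed sample: the lesson's protected location plus one that stopped after step 1.
SAMPLE_CONFIG = """
location /api {
    auth_basic           "Administrator's Area";
    auth_basic_user_file /etc/apache2/.htpasswd;
}
location /admin {
    auth_basic "Administrator's Area";
}
"""

# Constructed sample file: the three lines shown above plus two entries an audit should catch.
SAMPLE_HTPASSWD = """\
user1:$apr1$/woC1jnP$KAh0SsVn5qeSMjTtn0E9Q0
user2:$apr1$QdR8fNLT$vbCEEzDj7LyqCMyNpSoBh/
user3:$apr1$Mr5A0e.U$0j39Hp5FfxRkneklXaMrr/
legacy:{PLAIN}hunter2
user1:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

LOCATION_RE = re.compile(r"location\s+(\S+)\s*\{([^{}]*)\}")
DIRECTIVE_RE = re.compile(r"(\w+)\s+([^;]+);")
SCHEME_RE = re.compile(r"\{(\w+)\}")


def check_locations(config: str) -> List[str]:
    """Every location that turns auth_basic on must also name a user file."""
    findings = []
    for path, body in LOCATION_RE.findall(config):
        directives = {name: value.strip() for name, value in DIRECTIVE_RE.findall(body)}
        if directives.get("auth_basic", "off") != "off" and "auth_basic_user_file" not in directives:
            findings.append(f"{path}: auth_basic set but no auth_basic_user_file")
    return findings


def hash_scheme(secret: str) -> str:
    """Classify the stored password field: {SCHEME} prefix, apr1, other crypt(), or unknown."""
    match = SCHEME_RE.match(secret)
    if match:
        return match.group(1).upper()           # PLAIN, SHA, SSHA
    if secret.startswith("$apr1$"):
        return "apr1"                           # htpasswd default (MD5-based crypt)
    if secret.startswith("$") and secret.count("$") >= 3:
        return "crypt-" + secret.split("$")[1]  # e.g. 2y (bcrypt), 6 (sha512-crypt)
    return "unknown"


def audit_htpasswd(text: str) -> List[str]:
    """Return one finding per structural or strength problem, tagged with its line number."""
    findings = []
    first_seen: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue                             # skip blank lines and # comments
        if ":" not in line:
            findings.append(f"line {lineno}: malformed (no ':')")
            continue
        user, secret = line.split(":", 1)
        if user in first_seen:
            findings.append(f"line {lineno}: duplicate user {user} (first seen line {first_seen[user]})")
        first_seen.setdefault(user, lineno)
        scheme = hash_scheme(secret)
        if scheme == "PLAIN":
            findings.append(f"line {lineno}: {user} stored in plaintext")
        elif scheme == "SHA":
            findings.append(f"line {lineno}: {user} uses unsalted SHA-1")
        elif scheme == "unknown":
            findings.append(f"line {lineno}: {user} has an unrecognised hash format")
    return findings


if __name__ == "__main__":
    for finding in check_locations(SAMPLE_CONFIG) + audit_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
```

Point check_locations() at the rendered nginx.conf and audit_htpasswd() at the file named by auth_basic_user_file; the three $apr1$ entries from the lesson pass clean, while the two constructed lines show the kinds of entry that creep into a hand-edited file.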