Monday, November 4, 2019

How to enable https backends in nginx without adding back-end server's certificates

Let's assume that we have a requirement to proxy from https://nginxserverip:443 to https://backendserverip:443, as shown below.


Below is a code sample:
server {
    server_name nginxserverip;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host backendserverip;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_pass https://backendserverip/;
    }
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate xxxxxxx.pem;
    ssl_certificate_key xxxxxxxx.pem;
}
That's it. This works without the backend's certificate because nginx does not verify the upstream TLS certificate unless proxy_ssl_verify is turned on.
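As an added example (not part of the original post), here is the same proxy block with upstream certificate verification switched on, which is what you would want when the backend is not fully under your control. The CA bundle path /etc/nginx/backend-ca.pem and the backend hostname backend.example.internal are assumed placeholders.

```nginx
# Added example: same proxy as above, but nginx now verifies the backend's
# certificate chain. The CA path and backend hostname below are assumed
# placeholders, not values from the original post.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nginxserverip;
    ssl_certificate     xxxxxxx.pem;
    ssl_certificate_key xxxxxxxx.pem;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host backendserverip;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;

        # Verify the upstream certificate against a pinned CA bundle.
        # Without these directives nginx accepts any certificate the backend presents.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/backend-ca.pem;   # assumed path

        # Send SNI and check the certificate's name against the backend's
        # hostname instead of the IP address used in proxy_pass.
        proxy_ssl_server_name on;
        proxy_ssl_name backend.example.internal;                  # assumed hostname

        # Only modern protocol versions towards the backend.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_pass https://backendserverip/;
    }
}
```

Run sudo nginx -t after the change; if the backend certificate does not chain to the pinned CA or does not match proxy_ssl_name, the proxied requests fail with a 502 and the handshake error appears in the nginx error log.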

Set up Let's Encrypt certbot certificates with an nginx server on Debian/Ubuntu Linux

Prerequisites

1. First, your nginx server must be publicly accessible via a public IP. If not, you will get an authentication error when creating the certificate via Let's Encrypt.
Install nginx and check that it is accessible from the public internet.

2. The CN (the certificate's common name, i.e. your domain name) must point correctly to your publicly accessible nginx server.

Create an A record in your cloud console (if you are using one).

Step 1

First, add the required repository (PPA) to download certbot.

xxxxxxxxxxxxxxxxx$ sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let’s Encrypt Team and backported for Ubuntu(s).
Press [ENTER] to continue or ctrl-c to cancel adding it
---
gpg: no valid OpenPGP data found.


Below are some errors I faced,

Error,

xxxxxxxxxxxxxxxxx$ sudo add-apt-repository ppa:certbot/certbot
sudo: add-apt-repository: command not found

Solution,

xxxxxxxxxxxxxxxxx$ sudo apt-get install software-properties-common
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following additional packages will be installed:
xxxxxxxxxxxxxxxxx$ sudo apt-get update
Hit:1 http://security.debian.org stretch/updates InRelease
Reading package lists… Done

Error,

xxxxxxxxxxxxxxxxx$ sudo add-apt-repository ppa:certbot/certbot
gpg: keyserver receive failed: No dirmngr

Solution,

xxxxxxxxxxxxxxxxx$ sudo apt-get install dirmngr
Reading package lists… Done
Building dependency tree

Step 2

Install cert-bot packages

xxxxxxxxxxxxxxxxx$ sudo apt-get install python-certbot-nginx
Reading package lists… Done
Building dependency tree
Reading state information… Done

Step 3

Let's assume that our SSL certificate domain name is mysampledomain.com. Please note that you must register your domain before continuing with Let's Encrypt.
Go to the /etc/nginx/sites-available folder and create a file named mysampledomain.com.
Add the content below to the file:
server {
    listen 443 ssl;
    server_name mysampledomain.com;
    <remaining code here>
}
Save the file.

Step 4

Test the configuration:

xxxxxxxxxxxxxxxxx$ sudo nginx -t

Restart the nginx service if the test passes.

xxxxxxxxxxxxxxxxx$ sudo systemctl restart nginx
xxxxxxxxxxxxxxxxx$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Mon

Step 5

Now you can create the Let's Encrypt certificate using the certbot command:

xxxxxxxxxxxxxxxxx$ sudo certbot --nginx -d mysampledomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):
-------------------------------------------------------------------------------
Please read the Terms of Service at
(A)gree/(C)ancel: A
-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Congratulations! You have successfully enabled


It's done now. Check the /etc/nginx/sites-enabled/default file for the SSL 443 configuration created by the Let's Encrypt certbot. You can write your own rules for load balancing in that part.