ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Solved Nginx Certificate Authentication issue

    IT Discussion
    nginx certificates authentication
    2
    13
    3.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JaredBuschJ
      JaredBusch
      last edited by

      And here is what goes in a conf file that handles SSL.

      [jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/community.domaina.com.conf
      server {
          client_max_body_size 40M;
          listen 443 ssl;
          server_name community.domaina.com;
          ssl          on;
          ssl_certificate /etc/letsencrypt/live/support.domaina.com/fullchain.pem;
          ssl_certificate_key /etc/letsencrypt/live/support.domaina.com/privkey.pem;
          ssl_stapling on;
          ssl_stapling_verify on;
          ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
          ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
          ssl_prefer_server_ciphers on;
          ssl_session_cache shared:SSL:10m;
          ssl_dhparam /etc/ssl/certs/dhparam.pem;
          add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
      
          location / {
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header Host $http_host;
              proxy_set_header X-NginX-Proxy true;
              proxy_pass http://10.254.0.35:4567;
              proxy_redirect off;
      
              # Socket.IO Support
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
      
          }
      }
      server {
          client_max_body_size 40M;
          listen 80;
          server_name community.domaina.com;
          rewrite        ^ https://$server_name$request_uri? permanent;
      }
      
      1 Reply Last reply Reply Quote 1
      • JaredBuschJ
        JaredBusch
        last edited by

        As you can see, I obtained my SSL from LetsEncrypt and this is forwarding to a NodeBB forum

        1 Reply Last reply Reply Quote 0
        • Emad RE
          Emad R @JaredBusch
          last edited by

          @jaredbusch said in Nginx Certificate Authentication issue:

          What have you done do configure your site?

          I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.

          This is my nginx.conf that to my recollection has zero modifications.
          [jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf

          # For more information on configuration, see:
          #   * Official English Documentation: http://nginx.org/en/docs/
          #   * Official Russian Documentation: http://nginx.org/ru/docs/
          
          user nginx;
          worker_processes auto;
          error_log /var/log/nginx/error.log;
          pid /run/nginx.pid;
          
          events {
              worker_connections 1024;
          }
          
          http {
              log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for"';
          
              access_log  /var/log/nginx/access.log  main;
          
              sendfile            on;
              tcp_nopush          on;
              tcp_nodelay         on;
              keepalive_timeout   65;
              types_hash_max_size 2048;
          
              include             /etc/nginx/mime.types;
              default_type        application/octet-stream;
          
              # Load modular configuration files from the /etc/nginx/conf.d directory.
              # See http://nginx.org/en/docs/ngx_core_module.html#include
              # for more information.
              include /etc/nginx/conf.d/*.conf;
          
              server {
                  listen       80 default_server;
                  listen       [::]:80 default_server;
                  server_name  _;
                  root         /usr/share/nginx/html;
          
                  # Load configuration files for the default server block.
                  include /etc/nginx/default.d/*.conf;
          
                  location / {
                  }
          
                  error_page 404 /404.html;
                      location = /40x.html {
                  }
          
                  error_page 500 502 503 504 /50x.html;
                      location = /50x.html {
                  }
              }
              server {
                  listen       443 default_server;
                  listen       [::]:443 default_server;
                  server_name  _;
                  root         /usr/share/nginx/html;
                  ssl          on;
                  ssl_certificate /etc/ssl/cacert.pem;
                  ssl_certificate_key /etc/ssl/privkey.pem;
                  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
          
                  # Load configuration files for the default server block.
                  include /etc/nginx/default.d/*.conf;
          
                  location / {
                  }
          
                  error_page 404 /404.html;
                      location = /40x.html {
                  }
          
                  error_page 500 502 503 504 /50x.html;
                      location = /50x.html {
                  }
              }
          
          }
          

          I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.

          What I am wondering or want to accomplish is

          	ssl_client_certificate "/etc/pki/nginx/ca.crt";		
          	ssl_verify_client on;
          

          Meaning no one can visit my https site, without installing .p12 cert on their browser, similar to VPN. Extra Security stuff.

          JaredBuschJ 2 Replies Last reply Reply Quote 0
          • JaredBuschJ
            JaredBusch @Emad R
            last edited by

            @emad-r said in Nginx Certificate Authentication issue:

            @jaredbusch said in Nginx Certificate Authentication issue:

            What have you done do configure your site?

            I can spin up CentOS 7 install Nginx, and immediately have it serving SSL with no special configuration.

            This is my nginx.conf that to my recollection has zero modifications.
            [jbusch@nginxproxy ~]$ cat /etc/nginx/nginx.conf

            # For more information on configuration, see:
            #   * Official English Documentation: http://nginx.org/en/docs/
            #   * Official Russian Documentation: http://nginx.org/ru/docs/
            
            user nginx;
            worker_processes auto;
            error_log /var/log/nginx/error.log;
            pid /run/nginx.pid;
            
            events {
                worker_connections 1024;
            }
            
            http {
                log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                                  '$status $body_bytes_sent "$http_referer" '
                                  '"$http_user_agent" "$http_x_forwarded_for"';
            
                access_log  /var/log/nginx/access.log  main;
            
                sendfile            on;
                tcp_nopush          on;
                tcp_nodelay         on;
                keepalive_timeout   65;
                types_hash_max_size 2048;
            
                include             /etc/nginx/mime.types;
                default_type        application/octet-stream;
            
                # Load modular configuration files from the /etc/nginx/conf.d directory.
                # See http://nginx.org/en/docs/ngx_core_module.html#include
                # for more information.
                include /etc/nginx/conf.d/*.conf;
            
                server {
                    listen       80 default_server;
                    listen       [::]:80 default_server;
                    server_name  _;
                    root         /usr/share/nginx/html;
            
                    # Load configuration files for the default server block.
                    include /etc/nginx/default.d/*.conf;
            
                    location / {
                    }
            
                    error_page 404 /404.html;
                        location = /40x.html {
                    }
            
                    error_page 500 502 503 504 /50x.html;
                        location = /50x.html {
                    }
                }
                server {
                    listen       443 default_server;
                    listen       [::]:443 default_server;
                    server_name  _;
                    root         /usr/share/nginx/html;
                    ssl          on;
                    ssl_certificate /etc/ssl/cacert.pem;
                    ssl_certificate_key /etc/ssl/privkey.pem;
                    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            
                    # Load configuration files for the default server block.
                    include /etc/nginx/default.d/*.conf;
            
                    location / {
                    }
            
                    error_page 404 /404.html;
                        location = /40x.html {
                    }
            
                    error_page 500 502 503 504 /50x.html;
                        location = /50x.html {
                    }
                }
            
            }
            

            I can serve SSL content and I can proxy fine, thanks to a guide you wrote previously.

            What I am wondering or want to accomplish is

              ssl_client_certificate "/etc/pki/nginx/ca.crt";		
              ssl_verify_client on;
            

            Meaning no one can visit my https site, without installing .p12 cert on their browser, similar to VPN. Extra Security stuff.

            ok, now I am following.

            never tested that functionality myself form the admin side. Used it in the past as a user of someone else's system.

            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch @Emad R
              last edited by

              @emad-r who owns the file?

              ls -laZ /etc/pki/nginx/ca.crt
              
              Emad RE 1 Reply Last reply Reply Quote 0
              • Emad RE
                Emad R @JaredBusch
                last edited by

                @jaredbusch said in Nginx Certificate Authentication issue:

                ls -laZ /etc/pki/nginx/ca.crt

                -rw-r--r-- root root ?

                JaredBuschJ 1 Reply Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch @Emad R
                  last edited by JaredBusch

                  @emad-r said in Nginx Certificate Authentication issue:

                  @jaredbusch said in Nginx Certificate Authentication issue:

                  ls -laZ /etc/pki/nginx/ca.crt

                  -rw-r--r-- root root ?

                  i specified -laZ intentionally to show the SELinux context also.

                  I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

                  drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
                  drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
                  lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
                  lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
                  -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
                  -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
                  -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
                  -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
                  
                  Emad RE 2 Replies Last reply Reply Quote 1
                  • Emad RE
                    Emad R @JaredBusch
                    last edited by

                    @jaredbusch said in Nginx Certificate Authentication issue:

                    @emad-r said in Nginx Certificate Authentication issue:

                    @jaredbusch said in Nginx Certificate Authentication issue:

                    ls -laZ /etc/pki/nginx/ca.crt

                    -rw-r--r-- root root ?

                    i specified -laZ intentionally to show the SELinux context also.

                    I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

                    drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
                    drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
                    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
                    lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
                    -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
                    -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
                    -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
                    -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
                    

                    I see, I think my issue is related to openssl and CA setup, a missing step some where, was hoping for some easy setup guide so we can use this method instead of VPN, this would be a quicker and very secure way for special scenarios.

                    Cause I am testing this, Selinux is disabled. Once I succeed if I do I document then re-enable security features and test again.

                    JaredBuschJ 1 Reply Last reply Reply Quote 0
                    • JaredBuschJ
                      JaredBusch @Emad R
                      last edited by

                      @emad-r said in Nginx Certificate Authentication issue:

                      @jaredbusch said in Nginx Certificate Authentication issue:

                      @emad-r said in Nginx Certificate Authentication issue:

                      @jaredbusch said in Nginx Certificate Authentication issue:

                      ls -laZ /etc/pki/nginx/ca.crt

                      -rw-r--r-- root root ?

                      i specified -laZ intentionally to show the SELinux context also.

                      I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

                      drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
                      drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
                      lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
                      lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
                      -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
                      -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
                      -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
                      -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
                      

                      I see, I think my issue is related to openssl and CA setup, a missing step some where, was hoping for some easy setup guide so we can use this method instead of VPN, this would be a quicker and very secure way for special scenarios.

                      Not sure what else you need. Point to the private key and the certificate.

                      Cause I am testing this, Selinux is disabled. Once I succeed if I do I document then re-enable security features and test again.

                      Always useful for eliminating a potential configuration problem.

                      1 Reply Last reply Reply Quote 0
                      • Emad RE
                        Emad R @JaredBusch
                        last edited by

                        @jaredbusch said in Nginx Certificate Authentication issue:

                        @emad-r said in Nginx Certificate Authentication issue:

                        @jaredbusch said in Nginx Certificate Authentication issue:

                        ls -laZ /etc/pki/nginx/ca.crt

                        -rw-r--r-- root root ?

                        i specified -laZ intentionally to show the SELinux context also.

                        I don't have your directory setup, but this is what my /etc/pki/tls/certs looks like

                        drwxr-xr-x. root root system_u:object_r:cert_t:s0      .
                        drwxr-xr-x. root root system_u:object_r:cert_t:s0      ..
                        lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
                        lrwxrwxrwx. root root system_u:object_r:cert_t:s0      ca-bundle.trust.crt -> /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
                        -rw-r--r--. root root unconfined_u:object_r:cert_t:s0  dhparam.pem
                        -rwxr-xr-x. root root system_u:object_r:bin_t:s0       make-dummy-cert
                        -rw-r--r--. root root system_u:object_r:cert_t:s0      Makefile
                        -rwxr-xr-x. root root system_u:object_r:cert_t:s0      renew-dummy-cert
                        

                        Thanks this pointed me in the right direction, a useful guide coming soon

                        1 Reply Last reply Reply Quote 0
                        • 1 / 1
                        • First post
                          Last post