How to Add SSL Encryption to Web Apps Using the Nginx Reverse Proxy

Captions
Welcome back, everybody. Today we're going to be taking a look at securing web applications with SSL using the nginx reverse proxy, and the web application that we're going to be securing is the Transmission daemon web interface. I specifically chose this one because it has no option for and no support for SSL encryption, and it is an authenticated service, so if we type in our username and password (the default is transmission, and the password transmission), it passes it in clear text across the network. So as far as security, that's going to be a hard no, so we need to fix that with nginx today.

Before we get started we'll do a short primer on how reverse proxies work. Currently with the Transmission server we have the Transmission daemon bound to the 192.168.1.20 IP address and on port 9091, so when we want to access it from the client we can type into our web browser http://server04:9091 and we'll access it over our cleartext protocol. The way a reverse proxy works is that it's going to sit in the middle and it's going to listen for and accept requests on behalf of the Transmission server. So in our case the client is going to make a request to the reverse proxy, still thinking that it's the Transmission server. When the reverse proxy sees that it gets a request for server04 coming in, it's going to forward it off to the Transmission server and return the reply to the client. So in this case we can have the encryption terminate on the reverse proxy and then pass clear text to the Transmission server. But in our case we're going to have both the reverse proxy and the Transmission server sitting on one physical server, running as two separate services. So in order to make the Transmission server not accessible over the LAN, we're going to bind it to the loopback address, and then we're going to bind the reverse proxy to the LAN address, and when the reverse proxy gets a request for the Transmission server it's going to send the request off to the loopback address. So in our nginx configuration we'll set up our SSL certificates and have it set to only accept HTTPS requests, and once it gets that, only over the loopback address will it forward those clear text credentials, so there will be no way to sniff those credentials over the network.

With that, let's go ahead and jump in and get the setup. Once you're logged into the server, the first thing we'll need to do is install nginx, so we'll use sudo apt install nginx, enter your password. Once that's installed we're going to change into the configuration directory, then we're going to generate our SSL keys: don't encrypt the private key, good for 10 years, I'm going to use SHA-384 and RSA 2048 keys, and we do need a new private key. The private key is going to be servercert.key and the actual certificate is going to be called servercert.crt, and the important part is the common name, so we're going to call this server04.home.local. If we take a look here, we should have them both here. Clear that out. Now we can change into sites-available and set up our configuration file, and I'll go ahead and jump to the end where this is configured, and then I will walk you through what everything means.

All right, I have it all set up now. So the first thing you need is the server block, which defines a new server. Next we need to say what port it's going to listen on and the scheme, so we're going to be listening on port 443, we're going to be using SSL, and I went ahead and set it up for HTTP/2. Next, the server name that it's listening for is server04.home.local, so when it receives the request for that it'll forward it off to the localhost, but if it receives just an IP address on port 443 it'll go to the default server. server_tokens is off; that's a security thing everybody should do. The SSL certificate is the one that we generated earlier, same with the key. We define the SSL as on. We set up the SSL session cache, that way every time you connect you don't have to re-set up the connection if it's been less than 10 minutes; this is for performance. We're going to go ahead and use TLS 1.3 since it's available. For the SSL ciphers I went ahead and said use HIGH ciphers, which is a default for TLS 1.3, but just in case we add 1.2 for backwards compatibility, and then explicitly denied several other ones such as DES, MD5, RC4, the really weak ones, and then ssl_prefer_server_ciphers on, so the server is going to choose what cipher we use. The location of the access log for when you access the server, and then location is where our actual server, the Transmission server, is at, where we're going to forward our requests. So first we're going to set a couple of headers: the Host header, and then we're going to have the X-Real-IP, which is, as it says, the real IP of the client that's connecting, because when the Transmission server receives it, it's going to be seeing the IP address of the proxy and we would like to see what the actual client is. X-Forwarded-For is similar, except it's going to have a list; in our case you'll only ever see the client, but if we went through several hops you would see client, proxy one, proxy two and so on added to the list. X-Forwarded-Proto is the scheme, so that's going to be either http or https. And then finally we have the proxy_pass, so we're going to proxy pass it to http://localhost:9091, and then down here I'm just saying if you're not using GET, HEAD or POST, just return a 405. So let's go ahead and write that out, and then we can use sudo nginx -t to check if we have any configuration errors. It came back OK, so we use sudo systemctl restart nginx.

So let's go ahead and go back to Firefox and take a look and see if we can access it over SSL. Now, before we go over to Firefox, it would be a good idea to actually enable the new site, so we're going to use sudo ln -s for symbolic link, then /etc/nginx/sites-available/transmission /etc/nginx/sites-enabled, and then we'll reboot nginx. Now we'll head over to Firefox. Now we can try accessing the Transmission server again, but this time over HTTPS, so let's go ahead and give that a try. I did go ahead and set up server04 as a host name in my hosts file pointing at 192.168.1.20. So we'll try that, and you can see we get the security risk from the self-signed certificate. If you don't want to see this every time, you can come up here, More Information, View Certificate, come down here, download the certificate and then import it so it's a trusted certificate, but for now we'll hit Advanced, Accept the Risk and Continue, enter our username and password, and you can see that the server came up. But we can also still access it through HTTP: if we come over here and we put in http://server04 on port 9091, and we don't want that. We only want to be able to access it through the reverse proxy with HTTPS, so let's go ahead and fix that back in the terminal. To do that we need to edit the configuration file for Transmission, but first we need to turn it off, otherwise when you start the Transmission service again it's going to overwrite all of your changes. I'm not sure why they do that, but just make sure you shut it off first. Then we'll change directory into /etc/transmission, take a look, see what's in here. So we need to edit the settings.json file. We're going to come down here to rpc-bind-address here, and we're going to change this to the loopback address, and then we can restart, and then when we go back to Firefox we can try it again.

Now back in Firefox we can try accessing it again over http://server04, and you can see we just get the default nginx page, but we need :9091. You can see that it doesn't connect, and then when we try to access it over https://server04, Advanced, Accept the Risk and Continue, we get our server. And if you did notice just a second ago, if we go to http://server04 just normally like that, you get the default nginx page. If you want to get rid of that, go into /etc/nginx/sites-enabled and delete default. And that is how you use the nginx reverse proxy to set up SSL encryption on web servers that otherwise would not support it. Remember, if you found this video helpful, be sure to like and subscribe. Thank you.
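The site file the walkthrough describes, written out as an added example rather than the video's own file. The LAN address 192.168.1.20, the name server04.home.local, the certificate file names and the 405 rule follow the transcript; the catch-all `default_server` block that closes bare-IP connections, the log path and the exact cipher string are assumptions added here.

```nginx
# Constructed example of /etc/nginx/sites-available/transmission (not the
# video's own file). Transmission itself listens only on 127.0.0.1:9091 once
# rpc-bind-address in settings.json is set to the loopback address, so the
# only clear-text hop is inside the host; nginx terminates TLS on the LAN.

# Catch-all for requests that arrive by bare IP or an unknown name on 443:
# return 444 closes the connection instead of proxying to Transmission.
server {
    listen 192.168.1.20:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/servercert.crt;
    ssl_certificate_key /etc/nginx/servercert.key;
    return 444;
}

server {
    # Bind to the LAN address only, TLS plus HTTP/2; no plaintext listener.
    listen 192.168.1.20:443 ssl http2;
    server_name server04.home.local;

    server_tokens off;   # hide the nginx version in headers and error pages

    ssl_certificate     /etc/nginx/servercert.crt;   # self-signed, from openssl req
    ssl_certificate_key /etc/nginx/servercert.key;
    ssl_session_cache   shared:SSL:10m;               # resume sessions for 10 min
    ssl_session_timeout 10m;
    ssl_protocols       TLSv1.2 TLSv1.3;              # 1.2 kept for older clients
    ssl_ciphers         HIGH:!aNULL:!MD5:!DES:!3DES:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/transmission.access.log;   # assumed path

    location / {
        # The web UI only needs GET, HEAD and POST; refuse anything else.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }
        # Tell Transmission who the real client is and how it connected.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Clear-text hop stays on the loopback interface.
        proxy_pass http://127.0.0.1:9091;
    }
}
```

The `ssl on;` directive used in the video is redundant with `ssl` on the `listen` line and has been deprecated since nginx 1.15, so it is left out here. Removing `sites-enabled/default`, as the video does at the end, is still needed, otherwise the stock site keeps answering plaintext requests on port 80.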
Info
Channel: SecureRandom
Views: 3,980
Keywords: Linux, nginx, ssl, tls
Id: wQcSql62zRo
Length: 11min 54sec (714 seconds)
Published: Sun Apr 18 2021