Thursday, June 28, 2018

Securing Proxy HTTP/TCP Traffic


Secure HTTP
-----------

- traffic between nginx proxy server and upstream server can also be encrypted

CLIENT -- SSL --> PROXY SERVER (nginx) -- SSL --> UPSTREAM SERVER (Apache, Nginx, etc..)

1. Get an SSL certificate for the proxy server (self-signed or signed by a CA)
2. Configure proxy server
location /upstream {
    proxy_pass https://backend.example.com;

    # client certificate and key the proxy presents to the upstream
    # (only checked by the upstream if it enables ssl_verify_client)
    proxy_ssl_certificate     /etc/nginx/client.pem;
    proxy_ssl_certificate_key /etc/nginx/client.key;

    # CA bundle used to validate the upstream's certificate; must be in PEM format
    proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

    # verify the upstream server's certificate against the trusted CA bundle
    # (default is off, so without this the upstream is never authenticated)
    proxy_ssl_verify       on;
    proxy_ssl_verify_depth 2;

    # reuse previous TLS sessions, which reduces the number of full handshakes
    proxy_ssl_session_reuse on;

    # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 (and TLSv1.3) where the upstream supports it
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers   HIGH:!aNULL:!MD5;
}
3. Configure upstream server
server {
    listen              443 ssl;
    server_name         backend1.example.com;

    # the upstream server's own certificate and key, presented to the proxy
    # during the TLS handshake; the proxy's proxy_ssl_trusted_certificate
    # must contain the CA that signed this certificate
    ssl_certificate     /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;

    # CA used to verify the proxy's client certificate (proxy_ssl_certificate
    # on the proxy side); it is only consulted when ssl_verify_client is on,
    # so with "off" the proxy is never asked for a certificate and is not
    # authenticated by the upstream
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client      off;

    location /yourapp {
        ...
    }
}

Secure TCP
----------

- the TCP connection to upstream servers (a group of proxied/backend servers) can be
  secured using SSL
- requirements:
    a. NGINX Plus R6 and later, or NGINX Open Source compiled with
       `--with-stream` and `--with-stream_ssl_module`
    b. an upstream group of servers / proxied TCP servers
    c. an SSL certificate and a private key
- the setup is similar to securing HTTPS to the upstream, but the `stream` context is used instead

stream {

    upstream backend {
        server backend1.example.com:12345;
        server backend2.example.com:12345;
        server backend3.example.com:12345;
    }

    server {
        listen     12345;
        proxy_pass backend;
        # enable TLS towards the upstream group (plain TCP from the client is
        # accepted on 12345 and re-encrypted to the backends)
        proxy_ssl  on;

        # client certificate and key presented to the backends
        proxy_ssl_certificate         /etc/ssl/certs/backend.crt;
        proxy_ssl_certificate_key     /etc/ssl/certs/backend.key;
        proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;
        # CA bundle used to validate the backends' certificates
        proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;

        # verify backend certificates against the trusted CA bundle
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_session_reuse on;
    }
}
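As an added example (not from the original notes), the following Python script audits the two sides of the proxy-to-upstream TLS setup described in both sections above: it flags `proxy_ssl_verify` being off or lacking a trust bundle, deprecated protocol versions in `proxy_ssl_protocols`, and an upstream `ssl_client_certificate` that is inert because `ssl_verify_client` is off. The two config fragments are constructed sample input copied from the notes; the directive names and their nginx defaults are real.

```python
import re

# Constructed sample input: the proxy-side and upstream-side fragments from the notes above.
PROXY_CONF = """
location /upstream {
    proxy_ssl_certificate         /etc/nginx/client.pem;
    proxy_ssl_certificate_key     /etc/nginx/client.key;
    proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
    proxy_ssl_verify    on;
    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
UPSTREAM_CONF = """
server {
    ssl_certificate        /etc/ssl/certs/server.crt;
    ssl_certificate_key    /etc/ssl/certs/server.key;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client      off;
}
"""
# One "name args;" directive per line; comments and block openers/closers are skipped.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;#{}\n]+);", re.M)
DEPRECATED_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Map directive name -> argument list (first occurrence wins)."""
    out = {}
    for m in DIRECTIVE.finditer(conf):
        out.setdefault(m.group(1), m.group(2).split())
    return out

def audit_proxy_side(conf):
    d = parse_directives(conf)
    findings = []
    # nginx defaults proxy_ssl_verify to off, so the upstream certificate is accepted blindly.
    if d.get("proxy_ssl_verify", ["off"])[0] != "on":
        findings.append("proxy_ssl_verify off: upstream certificate is not validated")
    elif "proxy_ssl_trusted_certificate" not in d:
        findings.append("proxy_ssl_verify on but no proxy_ssl_trusted_certificate to validate against")
    weak = sorted(DEPRECATED_TLS & set(d.get("proxy_ssl_protocols", [])))
    if weak:
        findings.append("proxy_ssl_protocols allows deprecated " + ", ".join(weak))
    return findings

def audit_upstream_side(conf):
    d = parse_directives(conf)
    findings = []
    # ssl_client_certificate is only consulted when ssl_verify_client is on; with "off"
    # the proxy's proxy_ssl_certificate is never requested, so the proxy goes unauthenticated.
    if "ssl_client_certificate" in d and d.get("ssl_verify_client", ["off"])[0] == "off":
        findings.append("ssl_client_certificate set but ssl_verify_client off: proxy is not authenticated")
    return findings
```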
