Let's encrypt nginx SSL reverse proxy with BASIC authentication

PUBLISHED ON MAR 27, 2016 — WEB


I recently migrated a development server to EC2, but I still want to see the web application under development from a browser. Since a public web server is a bad idea for development, I set up an nginx SSL reverse proxy with BASIC authentication in front of it.

How to set up Let’s encrypt

If you start without a running web server, the Standalone plugin is the easy option.

git clone https://github.com/letsencrypt/letsencrypt

Strangely, the --help option installs the dependent packages and starts looking for a new version. Since my server opens only port 443 for the web server, the following command works. After you answer some questions, the key and certificate are generated. Great.

Options change from time to time, so refer to the official documentation.

./letsencrypt-auto certonly --standalone --standalone-supported-challenges tls-sni-01

Postscript: Update the certificate

If you renew the certificate in Standalone mode, you need to stop the web server. The following command renews the certificate; you can set up cron to run it and stop nginx for a few seconds. If you don't want to stop the server, use the webroot plugin instead.

./letsencrypt-auto renew

nginx setting

Following the Ubuntu convention, nginx.conf itself is not modified; the site-specific settings go in separate files.

Security

Old features such as SSLv3, which are enabled by default, are disabled. Old browsers are ignored, because the server is for my own use only; I prefer strong security to compatibility here. The ssl_protocols line may be redundant, but the server works with the intended settings, so no problem.

Generate .htpasswd file

On Ubuntu, the apache2-utils package provides the command.

htpasswd -c .htpasswd username

Setting files

/etc/nginx/sites-available/example, /etc/nginx/sites-enabled/example

server {
	listen 443;
	listen [::]:443;
	server_name example.juntaki.com;

	# Certificate and key issued by Let's Encrypt (paths from the certonly run above)
	ssl on;
	ssl_certificate /etc/letsencrypt/live/example.juntaki.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.juntaki.com/privkey.pem;

	ssl_session_timeout 5m;

	# Only TLS; SSLv2/SSLv3 are excluded from both the protocol and the cipher list
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDH !aNULL !eNULL !SSLv2 !SSLv3';

	ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";

	# Every location below requires a user from .htpasswd
	auth_basic "Restricted";
	auth_basic_user_file /etc/nginx/.htpasswd;
	# Anything that is not explicitly proxied is refused
	location / {
		deny all;
	}
	# The development app listening on port 8080 is reachable as /8080/
	location /8080/ {
		proxy_pass http://localhost:8080/;
		proxy_redirect default;
	}
}

/etc/nginx/conf.d/reverse_proxy.conf

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
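As an added example (not part of the original post), here is a small Python lint that parses an nginx server block like the one above and flags the settings this setup depends on: SSLv2/SSLv3 left in ssl_protocols, a missing auth_basic_user_file, a missing Strict-Transport-Security header, and no default deny for location /. The parser and the embedded sample config are constructed for this example and cover only the directive syntax shown on this page.

```python
import re

# Constructed sample: the server block from the post, reduced to the
# directives the audit looks at.
GOOD_CONF = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDH !aNULL !eNULL !SSLv2 !SSLv3';
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    location / { deny all; }
    location /8080/ { proxy_pass http://localhost:8080/; proxy_redirect default; }
}
"""

def parse(text):
    """Turn nginx config text into (path, name, args) tuples; path is the
    chain of enclosing block headers, e.g. ('server', 'location /')."""
    text = re.sub(r'#[^\n]*', '', text)  # drop comments (assumes no '#' inside quoted values)
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    out, path, cur = [], [], []
    for tok in tokens:
        if tok == '{':                       # block start: header is what we collected so far
            path.append(' '.join(cur)); cur = []
        elif tok == '}':
            path.pop()
        elif tok == ';':                     # directive end: name plus unquoted arguments
            if cur:
                out.append((tuple(path), cur[0], [a.strip('"\'') for a in cur[1:]]))
            cur = []
        else:
            cur.append(tok)
    return out

def audit(text):
    """Return findings for the settings the post relies on; an empty list means OK."""
    d = parse(text)
    inside = lambda name: [a for p, n, a in d if n == name and p and p[0] == 'server']
    findings = []
    weak = sorted({p for a in inside('ssl_protocols') for p in a if p.startswith('SSLv')})
    if weak:
        findings.append(f'legacy protocols enabled: {weak}')
    if not inside('auth_basic_user_file'):
        findings.append('no auth_basic_user_file: the dev site is reachable without a password')
    if not any(a[:1] == ['Strict-Transport-Security'] for a in inside('add_header')):
        findings.append('missing Strict-Transport-Security header')
    if not any(p[-1:] == ('location /',) and n == 'deny' and a == ['all'] for p, n, a in d):
        findings.append("no 'deny all' default for location /")
    return findings
```

Run audit() over the real file's contents before reloading nginx; a non-empty list points at exactly which protection from this post has been lost.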

Summary

Get the SSL certificate from Let's Encrypt. By combining BASIC authentication with SSL, you can safely preview a web site that is still in development.
