Nginx Security Controls
When our content is valuable and we are rightly concerned about the privacy and security of our users, we can use Nginx to control and secure access to our services and the data we manage.
Nginx SSL Termination
An SSL (Secure Sockets Layer, now TLS) connection uses a certificate to authenticate the server before encrypted data is exchanged between the client computer and the web server. SSL termination is a form of SSL offloading: the work of decrypting the connection is shifted from the web server to a different machine. SSL termination is the point at which encrypted traffic is decrypted.
In this section, we will describe how to configure an HTTPS server on NGINX Plus and NGINX.
To set up an HTTPS server in our nginx.conf file, add the ssl parameter to the listen directive in the server block, then specify the locations of the server certificate and private key files:
The server certificate is a public entity. It is sent to every client that connects to Nginx Plus or Nginx.
The private key is a secret and should be stored in a file with restricted access; however, the Nginx master process must be able to read this file. The private key can also be stored in the same file as the certificate.
The ssl_protocols and ssl_ciphers directives can be used to require that clients use only strong versions and ciphers of SSL/TLS when establishing connections.
SSL Termination for TCP Upstream Servers
Obtaining the SSL Certificate
First, we need to obtain a server certificate and a private key and put them on the server. A certificate can be obtained from a trusted CA (Certificate Authority) or generated with an SSL library such as OpenSSL.
Configure Nginx Plus
To configure SSL termination, add the following directives to the Nginx Plus configuration:
To enable SSL, add the ssl parameter to the listen directive of the TCP server that passes connections to an upstream server group:
Adding SSL Certificates
To add SSL certificates, specify the path to the certificate with the ssl_certificate directive and the path to the private key with the ssl_certificate_key directive:
Additionally, the ssl_protocols and ssl_ciphers directives can be used to limit connections to strong versions and ciphers of SSL/TLS:
Restricting Access with HTTP Basic Authentication
We can restrict access to our website, or to some parts of it, by requiring username and password authentication. Usernames and passwords are taken from a file created and populated with a password file creation tool, for example, apache2-utils.
Creating a Password File
To create username-password pairs, use a password file creation utility, for example, httpd-tools or apache2-utils:
1. First, verify that httpd-tools or apache2-utils is installed.
2. To create a password file and add a first user, run the htpasswd utility with the -c flag (which creates a new file), the file pathname as the first argument, and the username as the second argument.
Press Enter and enter the password for user1 at the prompts.
3. Create additional username-password pairs. Omit the -c flag since the file already exists:
4. Verify that the file contains the paired usernames and hashed passwords:
Configuring Nginx Plus and Nginx for HTTP Basic Authentication
1. Inside the location that we want to protect, define the auth_basic directive and give the password-protected area a name. This name is shown in the username and password dialog when the browser asks for credentials.
2. Define the auth_basic_user_file directive with the path to the .htpasswd file that contains user/password pairs:
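The following nginx.conf fragment is an added example, not configuration taken from the article above; it brings together the SSL termination settings (for both the HTTPS server and a TCP upstream group) and the HTTP Basic Authentication directives described in the preceding sections. The hostnames, certificate paths, backend addresses and ports are assumed, and the password file is assumed to have been created with htpasswd -c /etc/nginx/.htpasswd user1 as in the steps above.

```nginx
# Added example (not from the original article). Paths, names and ports are assumed.

# HTTPS server: SSL termination plus a password-protected area.
http {
    server {
        listen 443 ssl;                      # the ssl parameter enables TLS on this listener
        server_name www.example.com;         # assumed hostname

        ssl_certificate     /etc/nginx/ssl/www.example.com.crt;  # public certificate, sent to every client
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;  # private key, file readable by the master process only

        ssl_protocols TLSv1.2 TLSv1.3;       # refuse SSLv3, TLS 1.0 and TLS 1.1
        ssl_ciphers   HIGH:!aNULL:!MD5;      # strong suites only; no anonymous or MD5-based ciphers

        location / {
            root /var/www/html;
        }

        # Protected area: credentials are checked against the htpasswd file.
        location /admin/ {
            auth_basic           "Administrator Area";   # realm name shown in the login dialog
            auth_basic_user_file /etc/nginx/.htpasswd;  # user:hash pairs created with htpasswd
            root /var/www/html;
        }
    }
}

# TCP (stream) SSL termination in front of a plain-TCP upstream server group.
stream {
    upstream backend_db {
        server 10.0.0.11:5432;               # assumed backend addresses
        server 10.0.0.12:5432;
    }

    server {
        listen 5433 ssl;                     # clients connect here over TLS
        proxy_pass backend_db;               # decrypted traffic is forwarded to the upstream group

        ssl_certificate     /etc/nginx/ssl/db.example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/db.example.com.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers   HIGH:!aNULL:!MD5;
    }
}
```

Run nginx -t after editing to have Nginx check the syntax and confirm that the certificate and key files are readable before reloading.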