Nginx HTTPS Proxy

Overview:

Nginx (pronounced engine-x) is a lightweight web server application that can also be used as a proxy.

Accessing FINStack through the Nginx proxy is useful when you want to reach FINStack on a different port without giving FINStack any special privileges, or when you want to secure your connection to FINStack.

Software:

For the proxy, you will need to download Nginx at nginx.org.

The zip file installation for Windows is recommended.

For the HTTPS encryption, you will need to download OpenSSL at gnuwin32.sourceforge.net under the binaries section.

OpenSSL Setup:

Extract the contents of this zip file to a folder on your desktop.

Open that folder and navigate into the "share" folder.

Click in a blank area, then right click in that blank area while holding down the Shift key.

Click on the "Open command window here" option in the menu that opens up.

Type in the command set OPENSSL_CONF=%cd%\openssl.cnf and press enter.

Type in the command cd ..\bin and press enter.

Then run the command openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout cert.key -out cert.crt and press enter.

Go through the setup prompt in the console.

This will create the files cert.key and cert.crt in the bin folder of your openssl folder.

These will be used for the Nginx setup.

Nginx Setup:

Extract the nginx-1.x.x folder to your desktop.

Open that folder and navigate into the "conf" folder.

Open the "nginx.conf" file with a text editor, preferably not Microsoft Notepad as it may mess up the end-of-line encoding.

Find the section near the middle that looks like this:

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

Then comment out all of the lines like this: (this will turn off the standard port 80 HTTP server)

    #server {
        #listen 80;
        #server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        #location / {
            #root html;
            #index index.html index.htm;
        #}
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
            #root html;
        #}
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    #}

Find the section near the bottom that looks like this:

    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;
    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

Uncomment the following lines and add the lines like this:
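One way the edited block can look, as an added example rather than the original page's configuration. It uncomments the HTTPS server, points it at the cert.crt and cert.key files created in the OpenSSL step, and replaces the static file location with a proxy to FINStack. FINSTACK_HTTP_PORT is a placeholder for the port FINStack listens on (the page does not give it), and the proxy_set_header lines are an assumption about what the backend needs.

```nginx
# Added example: HTTPS reverse-proxy block for nginx.conf (inside the http { } section).
# FINSTACK_HTTP_PORT is a placeholder; replace it with the port FINStack listens on.
server {
    listen       443 ssl;
    server_name  localhost;

    # Files from the OpenSSL step, copied into the nginx conf folder.
    # Relative paths are resolved against that folder.
    ssl_certificate      cert.crt;
    ssl_certificate_key  cert.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        # Forward decrypted requests to FINStack over the loopback interface,
        # so the unencrypted hop never leaves this machine.
        proxy_pass  http://127.0.0.1:FINSTACK_HTTP_PORT;

        # Assumption: pass the original host, client address and scheme
        # so the backend can log and build URLs correctly.
        proxy_set_header  Host               $host;
        proxy_set_header  X-Real-IP          $remote_addr;
        proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto  $scheme;
    }
}
```

Running nginx -t from the nginx-1.x.x folder checks the edited file for syntax errors before the service is started.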

After editing the file, copy the cert.crt and cert.key files from the openssl/bin folder to the nginx/conf folder.

To start the proxy server, open the nginx-1.x.x folder, click, then right click while holding down the shift key and click the "Open command window here" option.

Then type in nginx to start the service.

If you run into errors, make sure that you have permission to use port 443 (HTTPS port) and make sure that nothing else is using that port already.

In order to stop the service, open another command window in the same place and type in nginx -s stop and the first nginx window will stop.

Usage:

Simply go to your browser and go to the address https://localhost

You will most likely see a page warning that your certificate is not secure. This does not mean the connection is unencrypted.

This happens because your certificate is self-signed rather than issued by a trusted certificate authority, so the browser cannot verify who issued it. The connection itself is still encrypted with SSL.

Ubuntu:

For some Linux distributions, similar instructions may be found at digitalocean.com

Troubleshooting Tips:

Issues with NGINX 1.14.0 Showing generated report as text in Chrome!

If you are seeing your report appear as text in the browser, make sure to remove the following statement: 

add_header          X-Content-Type-Options nosniff;