Bobcares

Nginx with SSL Termination | All About

by | Aug 12, 2022

This guide covers the important aspects of setting up Nginx with SSL termination on a load balancer and shows how to harden the result. At Bobcares, we help our customers with queries of this kind as part of our Server Management Services.

Introduction to Nginx load balancer with SSL Termination

Nginx is a popular reverse proxy and load balancer that works on layer 7 (application) traffic and picks the best available server from a pool of backends to serve each request. Terminating SSL/TLS on the load balancer relieves the upstream web and application servers of the computational load of encryption.

This also reduces SSL management overhead, since keys, certificates and OpenSSL updates can all be managed on the load balancer itself.

About SSL Termination

SSL termination is the process in which the load balancer handles SSL encryption and decryption, so that traffic between the load balancer and the backend servers is plain HTTP. Specifically, Nginx can be configured as a load balancer that distributes incoming traffic across several backend servers.

Because the backends then speak plain HTTP, they must also be secured by restricting access to the load balancer’s IP.

Nginx SSL Termination

Configuration setup for Nginx Load Balancing

Let’s take a look at the steps involved in setting up Nginx load balancing with SSL termination.
This article uses the following three servers:

Server 1 (Frontend)

  • Hostname: loadbalancer
  • Private IP: 10.130.227.31

Server 2 (Backend)

  • Hostname: web1
  • Private IP: 10.130.227.12

Server 3 (Backend)

  • Hostname: web2
  • Private IP: 10.130.227.23

Domain name – website.com

Note that private networking must be enabled on all three servers. Before starting, upgrade the OS on each of them with:

apt-get update && apt-get upgrade -y

Reboot each server to apply the upgrades. This matters because the OpenSSL update brings the latest security fixes. The load balancer will then get an Nginx virtual host for the domain, with an upstream block listing the backend servers.

Before setting up load balancing, Nginx must be installed on the load balancer VPS. Install it with:

apt-get install nginx

On the two backend servers, update the package lists and install Apache:

apt-get install apache2

Then install PHP on both backend servers:

apt-get install php5 libapache2-mod-php5 php5-mcrypt

Generate SSL Certificate

We will now go through the SSL certificate generation process.
First, create a directory for the certificate files and change into it:

mkdir -p /etc/nginx/ssl/website.com
cd /etc/nginx/ssl/website.com

Next, create a private key:

openssl genrsa -des3 -out privatekey.key 2048

Then remove its passphrase, so that Nginx can load the key without prompting for it:

openssl rsa -in privatekey.key -out privatekey.key

The next step is to create a CSR (Certificate Signing Request). You can submit the CSR to any SSL certificate provider, or generate a self-signed certificate from it with the second command below:

openssl req -new -key privatekey.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey privatekey.key -out SSLcertificate.crt

Once this is done, the certificate directory should contain the following files:

  • privatekey.key
  • CAcertificate.pem
  • SSLcertificate.crt
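The following script is an added example, not part of the Bobcares article, that performs the key, CSR and self-signed certificate steps above as one repeatable function and then verifies the result. It departs from the commands above in two ways: the key is generated without a passphrase in the first place (so the -des3 step and its removal are not needed), and the key file is created owner-readable only. A self-signed setup produces no CAcertificate.pem; that file is the chain your certificate provider returns with a signed certificate, and Nginx only needs it (ssl_trusted_certificate) for OCSP stapling or client certificate verification. The function names, the directory, common name and validity parameters, and the scratch-directory demo at the end are this example's own assumptions; the article's path under /etc/nginx needs root.

```shell
# Added example (not from the article): repeatable key, CSR and self-signed
# certificate generation for the website.com layout, plus a key/cert match check.

gen_selfsigned_cert() {
    dir="$1"            # e.g. /etc/nginx/ssl/website.com
    cn="$2"             # certificate common name, e.g. website.com
    days="${3:-365}"    # validity of the self-signed certificate

    mkdir -p "$dir" || return 1
    (
        umask 077       # key and CSR are created owner-readable only
        # 1. RSA private key, unencrypted so nginx can load it at boot
        openssl genrsa -out "$dir/privatekey.key" 2048 2>/dev/null &&
        # 2. CSR: this is what you would send to a CA for a real certificate
        openssl req -new -batch -subj "/CN=$cn" \
            -key "$dir/privatekey.key" -out "$dir/server.csr" 2>/dev/null &&
        # 3. Self-signed certificate from the CSR (placeholder until the CA
        #    returns SSLcertificate.crt and its chain)
        openssl x509 -req -days "$days" -sha256 -in "$dir/server.csr" \
            -signkey "$dir/privatekey.key" -out "$dir/SSLcertificate.crt" 2>/dev/null
    ) || return 1
    # The certificate may be world-readable; the key must not be.
    chmod 644 "$dir/SSLcertificate.crt" && chmod 600 "$dir/privatekey.key"
}

# Compare the public key embedded in the certificate with the one derived from
# the private key; a mismatch is the usual cause of nginx's "key values mismatch".
cert_matches_key() {
    crt="$1"; key="$2"
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo against a scratch directory (the article's /etc/nginx path needs root).
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    if gen_selfsigned_cert "$demo" website.com 365 &&
       cert_matches_key "$demo/SSLcertificate.crt" "$demo/privatekey.key"; then
        openssl x509 -in "$demo/SSLcertificate.crt" -noout -subject -enddate
    fi
    rm -rf "$demo"
fi
```

To use it for the article's layout, call gen_selfsigned_cert /etc/nginx/ssl/website.com website.com as root, then point ssl_certificate and ssl_certificate_key at the two files it writes; server.csr is what you send to a CA when you replace the self-signed certificate with a real one.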

Next, create a virtual host file inside the Nginx configuration directory:

nano /etc/nginx/sites-available/website.com

Now add an upstream block containing the private IP addresses of the backend servers, followed by the server block, and save the file:

upstream mywebapp1 {
    server 10.130.227.12;
    server 10.130.227.23;
}

server {
    listen 80;
    server_name website.com www.website.com;
    location / {
        proxy_pass http://mywebapp1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Then test the configuration for errors and reload Nginx. Load balancing over HTTP is now in place.

service nginx configtest
service nginx reload

Enable SSL

Now enable SSL by adding the following directives to the virtual host file /etc/nginx/sites-available/website.com:

listen 443 ssl;
ssl on;
ssl_certificate         /etc/nginx/ssl/website.com/SSLcertificate.crt;
ssl_certificate_key     /etc/nginx/ssl/website.com/privatekey.key;
ssl_trusted_certificate /etc/nginx/ssl/website.com/CAcertificate.pem;

The server block will now look like this:

server {
    listen 80;
    listen 443 ssl;
    server_name website.com www.website.com;
    ssl on;
    ssl_certificate         /etc/nginx/ssl/website.com/SSLcertificate.crt;
    ssl_certificate_key     /etc/nginx/ssl/website.com/privatekey.key;
    ssl_trusted_certificate /etc/nginx/ssl/website.com/CAcertificate.pem;
    location / {
        proxy_pass http://mywebapp1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Finally, check for configuration errors and reload the Nginx service:

service nginx configtest
service nginx reload

Securing The Backend Servers

Currently, the website on the backend servers can be reached directly by anyone who knows their public IP addresses. Prevent this by configuring the backend web servers to listen only on the private interface.

Follow these steps to do this in Apache:

First, find “Listen 80” in the ports.conf file and replace it with the backend’s own private IP (shown here for web2):

nano /etc/apache2/ports.conf
Listen 10.130.227.23:80

Further, you have to restart Apache.

service apache2 restart

Next, restrict HTTP access to the load balancer’s private IP. The following firewall rule drops port 80 traffic from every other source (replace LB_IP_ADDRESS with the load balancer’s private IP, 10.130.227.31):

iptables -I INPUT \! --src LB_IP_ADDRESS -p tcp --dport 80 -j DROP

Hardening SSL Configuration

This section explains how to harden the SSL configuration.

Enabling the SSL session cache improves the performance of HTTPS sites. Place these directives right after ssl_trusted_certificate in the server block:

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;

Next, specify the protocols and ciphers for the SSL connection:

ssl_prefer_server_ciphers       on;
ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Enable HTTP Strict Transport Security (HSTS) with the add_header directive:

add_header Strict-Transport-Security "max-age=31536000";

Check for configuration errors and reload the Nginx service:

service nginx configtest && service nginx reload

Final Configuration Check

After hardening the SSL termination, the configuration file /etc/nginx/sites-available/website.com looks like this:

upstream mywebapp1 {
    server 10.130.227.12;
    server 10.130.227.23;
}

server {
    listen 80;
    listen 443 ssl;
    server_name website.com www.website.com;
    ssl on;
    ssl_certificate         /etc/nginx/ssl/website.com/SSLcertificate.crt;
    ssl_certificate_key     /etc/nginx/ssl/website.com/privatekey.key;
    ssl_trusted_certificate /etc/nginx/ssl/website.com/CAcertificate.pem;

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers       on;
    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://mywebapp1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
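Before submitting the host to an external SSL server test, it is worth checking the server block statically. The script below is an added example, not part of the article and not an Nginx tool, that greps a configuration file for the settings from the hardening section that current scanners and Nginx releases no longer accept, and confirms that the HSTS header and the X-Forwarded-Proto header (the only way a backend behind a terminating proxy learns that the client used HTTPS) are present. Run against the server block above it reports three findings: the deprecated ssl on directive, TLSv1/TLSv1.1 in ssl_protocols, and the 3DES suites in ssl_ciphers. The function names and the embedded sample config are this example's own.

```shell
# Added example (not from the article): static pre-flight check of an nginx
# SSL termination server block. Prints one finding per line; returns 0 only
# when there are no findings.

audit_tls_config() {
    cfg="$1"
    findings=0
    report() { echo "$1"; findings=$((findings + 1)); }

    # 'ssl on' was deprecated in favour of 'listen ... ssl' and is rejected
    # by nginx 1.25.1 and later.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$cfg"; then
        report "ssl on: deprecated directive; 'listen 443 ssl' is sufficient"
    fi
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and cost the A+ grade.
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?([[:space:];]|$)' "$cfg"; then
        report "ssl_protocols: TLSv1/TLSv1.1 enabled; use 'TLSv1.2 TLSv1.3'"
    fi
    # 3DES suites use a 64-bit block cipher (Sweet32) and are penalised.
    if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*3DES' "$cfg"; then
        report "ssl_ciphers: 3DES suites present; drop the *+3DES entries"
    fi
    # Without HSTS a client can still be steered to the plain :80 listener.
    if ! grep -q 'Strict-Transport-Security' "$cfg"; then
        report "missing add_header Strict-Transport-Security"
    fi
    # After termination the backend only sees HTTP; X-Forwarded-Proto is how
    # it learns the client used HTTPS (redirects, secure cookies).
    if ! grep -Eq 'proxy_set_header[[:space:]]+X-Forwarded-Proto' "$cfg"; then
        report "missing proxy_set_header X-Forwarded-Proto"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the hardened server block from the article, as written.
write_article_config() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name website.com www.website.com;
    ssl on;
    ssl_certificate         /etc/nginx/ssl/website.com/SSLcertificate.crt;
    ssl_certificate_key     /etc/nginx/ssl/website.com/privatekey.key;
    ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                     ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        proxy_pass http://mywebapp1;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Demo: audit the article's block (expect three findings).
sample=$(mktemp)
write_article_config "$sample"
audit_tls_config "$sample" || echo "$sample: findings above need attention"
rm -f "$sample"
```

Run it as audit_tls_config /etc/nginx/sites-available/website.com before service nginx configtest; a clean run means the block uses only TLS 1.2/1.3 with no 3DES suites, relies on listen 443 ssl rather than ssl on, and forwards the scheme to the backends.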

Finally, run an SSL server test; the configuration should get an A+ grade. Also run the curl test again to check that the backends are responding through the load balancer:

curl https://website.com/test.php https://website.com/test.php https://website.com/test.php


Conclusion

To conclude, Nginx load balancing with SSL termination reduces SSL management overhead: HTTPS traffic from clients is terminated on the load balancer, and the certificates are managed there as well.

Our Support team can help you set this up quickly.
