SSL Configuration on Nginx, ShinyProxy (SSL Key Issue?)

Time:11-05

I'm currently working with the following tools to allow web-based access for containers: Client Web Browser > Nginx > ShinyProxy > Docker. The server is running on Ubuntu 22.04 LTS. Docker forwards the container to ShinyProxy, then ShinyProxy outputs on :8080, and I'm using Nginx to reverse proxy any requests from the URL (and 80) to 443, HTTPS.

We have a couple of web apps that run off this system, and they work quite well, however I cannot seem to nail that padlock for HTTPS/SSL even when the web apps are not running and you get the base 404/502 Nginx error page.

However simple Nginx's key declaration seems to be, either I've missed a step somewhere, or something is in the wrong format or configuration.

I'm using a configuration file for Nginx based off of some settings ShinyProxy has given (https://shinyproxy.io/documentation/security/), and ours (nginx's sites-available linked to sites-enabled using ln -s) looks like this:

server {
  listen                80;
  server_name           ourwebserverurl;
  rewrite     ^(.*)     https://$server_name$1 permanent;
}

server {
  listen                443 ssl;
  server_name           ourwebserverurl;
  access_log            /var/log/nginx/shinyproxy.access.log;
  error_log             /var/log/nginx/shinyproxy.error.log error;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ssl_certificate       /etc/ssl/certs/ourwebserverurl.crt;
  ssl_certificate_key   /etc/ssl/private/ourwebserverurl.key;

  location / {
    proxy_pass          http://127.0.0.1:8080/;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s;

    proxy_redirect    off;
    proxy_set_header  Host              $http_host;
    proxy_set_header  X-Real-IP         $remote_addr;
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
  }
}

For creating the keys, we started with this command:

openssl req -sha256 -newkey rsa:2048 -keyout ourserverurl.key.enc -out ourserverurl.csr

This created two files, an encrypted PEM key, and a CSR, and we gave the CSR to GlobalSign, who issued a server certificate.

Nginx requires two key files. The first, declared in ssl_certificate, is the chain bundle consisting of the issued GlobalSign server cert, their Intermediate, and their Root cert (Intermediate and Root certs found here: https://support.globalsign.com/ca-certificates/intermediate-certificates/intranetssl-root-intermediate-certificates). I have them all in the correct SHA format, SHA256. I have concatenated them into a single .crt in the following chain: Issued > Intermediate > Root. While not the greatest idea to copy and paste a key into a web service, I checked it with https://tools.keycdn.com/ssl, and I get a "No Chain Issue Detected" from the output on that site.

I've contacted GlobalSign, and it seems that I do have every key I should have, now it's just down to configuration.

Now for the final key, the key.enc that was output: I decrypted the key and changed it to ourserverurl.key, sticking with PEM format, although I have it with a .key extension. I've seen some Nginx configurations have it in .pem; however, I also have the same file with that extension and there is no change.

I've tried multiple different formats, checking the issued GlobalSign key vs our unencrypted private key, and I get matches on that front, but Nginx will not change the HTTPS that shows up as red and strikethrough to a nice padlock.

It feels like I have all the right keys, however I'm not sure I have everything configured correctly. Nginx tells me I have no errors in my configuration if I use

sudo nginx -t

And I get this output

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

My firewall is currently open for 80 and 443 requests on both IPv4 and IPv6 requests for standard webpage access.

I feel like I'm missing some config command, and I'm unsure of where the hiccup is here.

CodePudding user response:

I found out that our organization issued us the wrong certificate type from GlobalSign: They gave us an IntranetSSL cert-type when it should have been OrganizationSSL. I made the correct chain using the OrganizationSSL Intermediate and Root certs, and placing my new issued Server Cert on top. The chain checked out, Nginx checked out, I restarted Nginx and it flipped right over to the padlock.

Edit: Turns out I don't need the Root Cert: I deleted it from my chain and only used the issued Server Cert and the Intermediate Cert in the .crt.
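As an added example (not code from the question or the answer above): a shell script that builds a throwaway two-branch PKI with openssl and runs the four checks that would have pinpointed each step this thread went through: whether the private key belongs to the server cert, whether the server cert was actually issued by the intermediate you bundled (the IntranetSSL-vs-OrganizationSSL mix-up), whether the chain validates against the root as a trust anchor with the root left out of the served bundle (the answer's edit), and whether the bundle starts with the server cert as nginx expects. The CA names (OrgRoot, OrgIntermediate, IntranetRoot, IntranetIntermediate) and the hostname www.example.test are constructed for the example; point the check functions at your own files to use them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Builds a constructed PKI in a temp
# directory and runs the certificate/key checks a defender wants before
# touching nginx. All CA names and the hostname are made up for this script.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a key and CSR for NAME, then self-sign it as a CA (a constructed root).
gen_root() {
  local name=$1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 7 -in "$WORK/$name.csr" \
    -signkey "$WORK/$name.key" -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

# Make a key and CSR for NAME and have ISSUER sign it; IS_CA is TRUE for an
# intermediate and FALSE for a server (leaf) certificate.
sign_cert() {
  local name=$1 issuer=$2 is_ca=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$is_ca" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 7 -in "$WORK/$name.csr" \
    -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# Check 1: does the private key belong to the certificate? Compare the public
# key embedded in the cert with the public half derived from the key file.
key_matches_cert() {  # key_matches_cert CERT KEY
  [ "$(openssl x509 -noout -pubkey -in "$1")" = \
    "$(openssl pkey -pubout -in "$2" 2>/dev/null)" ]
}

# Check 2: was the server cert issued by this intermediate? The leaf's issuer
# DN must equal the intermediate's subject DN; a cert from the other CA
# product (the thread's IntranetSSL vs OrganizationSSL) fails right here.
issuer_matches() {  # issuer_matches LEAF INTERMEDIATE
  [ "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')" ]
}

# Check 3: does the chain validate the way a browser would? The root is the
# trust anchor the client already holds, the intermediate is the untrusted
# extra cert the server must send, and the leaf is what gets verified.
chain_verifies() {  # chain_verifies LEAF INTERMEDIATE ROOT
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Check 4: nginx treats the first cert in ssl_certificate as the server cert,
# so the bundle must start with the leaf, not with the intermediate.
bundle_first_is_leaf() {  # bundle_first_is_leaf BUNDLE LEAF
  [ "$(openssl x509 -noout -fingerprint -sha256 -in "$1")" = \
    "$(openssl x509 -noout -fingerprint -sha256 -in "$2")" ]
}

# Two constructed CA branches, and a server cert issued under the first one.
gen_root OrgRoot
sign_cert OrgIntermediate OrgRoot TRUE
gen_root IntranetRoot
sign_cert IntranetIntermediate IntranetRoot TRUE
sign_cert www.example.test OrgIntermediate FALSE

LEAF=$WORK/www.example.test.crt
KEY=$WORK/www.example.test.key
GOOD_INT=$WORK/OrgIntermediate.crt
WRONG_INT=$WORK/IntranetIntermediate.crt

# The bundle nginx should serve: leaf first, then the intermediate. The root is
# deliberately left out, as in the answer's edit; clients already trust it.
cat "$LEAF" "$GOOD_INT" > "$WORK/bundle.crt"
cat "$GOOD_INT" "$LEAF" > "$WORK/bundle-reversed.crt"

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report key_matches_cert "$LEAF" "$KEY"
report issuer_matches "$LEAF" "$GOOD_INT"
report issuer_matches "$LEAF" "$WRONG_INT"                            # FAIL
report chain_verifies "$LEAF" "$GOOD_INT" "$WORK/OrgRoot.crt"
report chain_verifies "$LEAF" "$WRONG_INT" "$WORK/IntranetRoot.crt"   # FAIL
report bundle_first_is_leaf "$WORK/bundle.crt" "$LEAF"
report bundle_first_is_leaf "$WORK/bundle-reversed.crt" "$LEAF"       # FAIL
```

The four functions take file paths, so they can be pointed at a real ssl_certificate bundle and ssl_certificate_key as they stand, and a FAIL from issuer_matches or chain_verifies locates the problem before nginx -t (which only checks syntax) ever sees the files.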
