I'm currently working with the following tools to allow web-based access for containers: Client Web Browser > Nginx > ShinyProxy > Docker. The server is running on Ubuntu 22.04 LTS. Docker forwards the container to ShinyProxy, then ShinyProxy outputs on :8080, and I'm using Nginx to reverse proxy any requests from the URL (and 80) to 443, HTTPS.
We have a couple of web apps that run off this system, and they work quite well, however I cannot seem to nail that padlock for HTTPS/SSL even when the web apps are not running and you get the base 404/502 Nginx error page.
However simple Nginx's key declaration seems to be, either I've missed a step somewhere, or something is in the wrong format or configuration.
I'm using a configuration file for Nginx based off of some settings ShinyProxy has given (https://shinyproxy.io/documentation/security/), and ours (nginx's sites-available linked to sites-enabled using ln -s) looks like this:
    # Plain-HTTP vhost: everything on port 80 is redirected to HTTPS.
    server {
        listen 80;
        server_name ourwebserverurl;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

    # HTTPS vhost that reverse-proxies to ShinyProxy on :8080.
    server {
        listen 443 ssl;
        server_name ourwebserverurl;
        access_log /var/log/nginx/shinyproxy.access.log;
        error_log /var/log/nginx/shinyproxy.error.log error;
        # TLSv1 and TLSv1.1 are deprecated; modern OpenSSL builds refuse to
        # negotiate them at the default security level, so only TLSv1.2 is
        # effectively offered here.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # ssl_certificate is the bundle (server cert first, then the
        # intermediate); ssl_certificate_key is the unencrypted private key.
        ssl_certificate /etc/ssl/certs/ourwebserverurl.crt;
        ssl_certificate_key /etc/ssl/private/ourwebserverurl.key;
        location / {
            proxy_pass http://127.0.0.1:8080/;
            # WebSocket support, needed by the Shiny apps behind ShinyProxy.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 600s;
            proxy_redirect off;
            # Pass the original host, client address and scheme upstream.
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
For creating the keys, we started with this command:
    openssl req -sha256 -newkey rsa:2048 -keyout ourserverurl.key.enc -out ourserverurl.csr
This created two files, an encrypted PEM key, and a CSR, and we gave the CSR to GlobalSign, who issued a server certificate.
Nginx requires two key files, the first declared in ssl_certificate, is the keychain bundle consisting of the Issued Server GlobalSign cert, their Intermediate, and their Root cert (Intermediate and Root Certs found here https://support.globalsign.com/ca-certificates/intermediate-certificates/intranetssl-root-intermediate-certificates) I have them all in the correct SHA format, SHA256. I have concatenated them into a single .crt in the following chain: Issued > Intermediate > Root. While not the greatest idea to copy and paste a key into a webservice, I checked it with (https://tools.keycdn.com/ssl), and I get a "No Chain Issue Detected" from the output on that site.
I've contacted GlobalSign, and it seems that I do have every key I should have, now it's just down to configuration.
Now for the final key, the key.enc that was output: I decrypted the key and renamed it to ourserverurl.key, sticking with PEM format, although I have it as .key. I've seen some Nginx configurations have it as .pem; however, I also have the same file with that extension, with no change.
I've tried multiple different formats, checking the issued GlobalSign key vs our unencrypted private key, and I get matches on that front, but Nginx will not change the HTTPS that shows up as red and strikethrough to a nice padlock.
It feels like I have all the right keys, however I'm not sure I have everything configured correctly. Nginx tells me I have no errors in my configuration if I use
    sudo nginx -t
And I get this output
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
My firewall is currently open for 80 and 443 requests on both IPv4 and IPv6 requests for standard webpage access.
I feel like I'm missing some config command, and I'm unsure of where the hiccup is here.
CodePudding user response:
I found out that our organization issued us the wrong certificate type from GlobalSign: They gave us an IntranetSSL cert-type when it should have been OrganizationSSL. I made the correct chain using the OrganizationSSL Intermediate and Root certs, and placing my new issued Server Cert on top. The chain checked out, Nginx checked out, I restarted Nginx and it flipped right over to the padlock.
Edit: Turns out I don't need the Root Cert: I deleted it from my chain and only used the issued Server Cert and the Intermediate Cert in the .crt.
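The checks that would have caught both problems above (a bundle built from the wrong intermediate, and a key that does not belong to the certificate on top of the bundle) can be run with the openssl CLI before reloading nginx. This is an added example, not code from the original post; `check_bundle` is a hypothetical helper, and the root certificate passed as its third argument is assumed to be the trust anchor for the product line the server cert was issued under.

```shell
#!/bin/sh
# check_bundle BUNDLE KEY ROOT
#   BUNDLE: the file nginx gets via ssl_certificate (server cert, then intermediate)
#   KEY:    the file nginx gets via ssl_certificate_key (must be unencrypted)
#   ROOT:   a trusted root for the issuing CA (not required inside BUNDLE)
# Returns 0 only if every check passes; prints the first failing check otherwise.
check_bundle() {
    bundle="$1"; key="$2"; root="$3"

    # nginx cannot read a passphrase-protected key at startup; the key.enc
    # written by 'openssl req' must have been decrypted first.
    if grep -q "ENCRYPTED" "$key"; then
        echo "key is still encrypted"; return 1
    fi

    # nginx serves the FIRST certificate in the bundle as the server cert,
    # so its public key must match the private key. 'openssl x509' only
    # reads the first PEM block, which is exactly what we want to compare.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || {
        echo "first PEM block in bundle is not a certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match first certificate in bundle (wrong order or wrong key)"
        return 1
    fi

    # The rest of the bundle must chain the server cert up to ROOT; an
    # intermediate from a different product line (IntranetSSL vs
    # OrganizationSSL) fails here.
    if ! openssl x509 -in "$bundle" 2>/dev/null \
         | openssl verify -CAfile "$root" -untrusted "$bundle" >/dev/null 2>&1; then
        echo "chain does not verify against $root"; return 1
    fi
    return 0
}
```

Run it as `check_bundle /etc/ssl/certs/ourwebserverurl.crt /etc/ssl/private/ourwebserverurl.key /path/to/root.crt`; a zero exit means nginx will load the pair and present a complete chain.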