Hosting Wakanda with Nginx
- Written by: Eric Naujock
- Category: Wakanda
Hosting a backend web service behind NGINX as the front end is one of the best ways I have found to create a safer and more easily managed environment for public-facing services. NGINX is a very powerful and capable front-end web server that does what it needs to do quickly and efficiently. In this article, I will outline how to get a basic Wakanda setup running with an NGINX front end proxying requests to the Wakanda backend site.
In this article, I focus on getting Wakanda to host the REST component of the server. I will later come back and show how to also get this NGINX server to host the front end of Wakanda.
Setting up to use server side certificates for your NGINX server.
- Written by: Eric Naujock
- Category: NGINX
There are a number of articles out there that describe the process, but many seem to leave out small bits and pieces of the final solution. I am trying to cover all the bits and pieces I have learned while solving this problem for some of my own projects.
Select where you will be holding this CA folder. I am using one separate CA for each site hosted to prevent certificate cross-contamination. There were also issues in the past where NGINX did not like to play with non-root certificate authorities.
When you choose where to put the CA for the service, you may want to pick a common location, especially if you are going to run multiple sites on your server. Some common places to consider putting the files include your /etc/nginx folder or the /opt folder.
You will notice that I do not have my key files encrypted. This is because I plan to have scripts generate and manage my user certificates. If you are backing up your keys or storing them outside of the CA, make sure you encrypt them. Once your keys are encrypted, you will have to store the passphrase somewhere close by so that the OpenSSL commands can still work with the keys. Ideally, you would now use AES256 for saving your keys. Always protect your key files, especially the root key: if you lose that key it's game over and you will have to rebuild everything from scratch. If you are going to export your keys or allow your users to retrieve their keys, you should password protect and encrypt those keys.
LetsEncrypt with NGINX: making sure the HTTP block works
- Written by: Eric Naujock
- Category: NGINX
When working with LetsEncrypt, I have had a number of sites that did not want to work with the HTTP block and, as a result, deferred to the HTTPS block.
When using the HTTP block for a location, be sure to specify the IP address that NGINX should bind to. If you do not, you may find that your LetsEncrypt location is never read, resulting in a 404 error when certbot tries to fetch the verification file.
Make sure the 'listen' directive includes both the IP address and the port number.
This is an example of a working and configured server block. It redirects all traffic to my encrypted (HTTPS) site except for the robots.txt file and the Certbot challenge folder. This way you can verify the domain for LetsEncrypt no matter what you have in your HTTPS block.
server {
    # Bind explicitly to the IP address and port; a bare 'listen 80;' is
    # what caused the acme-challenge location to be ignored on some sites.
    listen 172.22.1.3:80;
    server_name mysite.lcco.co.lucas.oh.us www.mysite.oh.us;
    root /var/www/mysite;

    # Everything not matched by a more specific location is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }

    # Serve robots.txt over plain HTTP without logging each hit.
    location ~ /robots.txt {
        access_log off;
        try_files $uri =404;
    }

    # Certbot's HTTP-01 challenge files must be reachable over plain HTTP,
    # so this location is served from the webroot instead of redirected.
    location /.well-known/acme-challenge {
        root /var/www/mysite;
        access_log off;
        allow all;
        try_files $uri =404;
    }
}
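As an added example (not part of the original article), here is a small Python check for the two mistakes described above: a 'listen' directive without an explicit bind address, and a missing or root-less acme-challenge location. The sample server blocks are constructed for the example and use a placeholder host name.

```python
import re

# Constructed sample: an HTTP server block following the article's pattern.
GOOD_BLOCK = """
server {
    listen 172.22.1.3:80;
    server_name example.invalid;
    location / { return 301 https://$host$request_uri; }
    location /.well-known/acme-challenge {
        root /var/www/mysite;
        try_files $uri =404;
    }
}
"""

# Constructed sample: no bind address, and the challenge path gets redirected.
BAD_BLOCK = """
server {
    listen 80;
    server_name example.invalid;
    location / { return 301 https://$host$request_uri; }
}
"""

LISTEN_RE = re.compile(r'^\s*listen\s+([^;]+);', re.M)
ACME_LOC_RE = re.compile(r'location\s+(?:[=^~*]+\s+)?/\.well-known/acme-challenge\b')
ACME_ROOT_RE = re.compile(r'acme-challenge[^}]*\broot\s+\S+;')

def check_http_server_block(text: str) -> list:
    """Return the problems found in one nginx HTTP server block."""
    problems = []
    listens = LISTEN_RE.findall(text)
    if not listens:
        problems.append("no listen directive")
    for value in listens:
        addr = value.split()[0]  # drop parameters such as 'default_server'
        # Require IPv4 'a.b.c.d:port' or bracketed IPv6 '[addr]:port'.
        if not re.fullmatch(r'(\d{1,3}(?:\.\d{1,3}){3}|\[[0-9a-fA-F:]+\]):\d+', addr):
            problems.append(f"listen '{addr}' has no explicit bind address")
    if not ACME_LOC_RE.search(text):
        problems.append("no /.well-known/acme-challenge location")
    elif not ACME_ROOT_RE.search(text):
        problems.append("acme-challenge location sets no root of its own")
    return problems

if __name__ == "__main__":
    for name, block in (("good", GOOD_BLOCK), ("bad", BAD_BLOCK)):
        print(name, check_http_server_block(block) or "ok")
```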
Ubuntu Letsencrypt installation.
- Written by: Eric Naujock
- Category: LetsEncrypt
When installing LetsEncrypt, use the installer packages from the Certbot project. The Ubuntu packages can be a bit dated and contain bugs that have already been fixed upstream.
Use the Certbot PPA. For those of you who may already have installed the old libraries, you can do the following to uninstall them and install the new ones.
First, add the new repository and refresh the package lists.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
Then remove your old libraries.
sudo apt remove certbot python3-certbot
Finally, install the new libraries. Since I usually use NGINX as my web server, this line adds the NGINX plugin, but you can install the Apache plugin 'python3-certbot-apache' instead.
sudo apt-get install certbot python3-certbot letsencrypt python3-certbot-nginx python-certbot-doc