ssl certificate proxy

Posted on Saturday, June 21, 2014


I recently had an issue testing a license for a Flash program. The program would only work when accessed through certain URLs; for example, it would work on www.example.com or https://test.example.com but not on others.
Unfortunately the license I was using did not include the test address I commonly use, and the only addresses it did include were secure addresses (https…).
Had it not been a secure address I could simply have updated my /etc/hosts file to point that URL at localhost (127.0.0.1). But that was not what I had been given.
Here is my solution to this problem using an nginx server.


I am running this nginx locally on Mac OS X

For this example I am going to redirect https://mytest.google.com to my local nginx instance



Edit the /etc/hosts


Edit the /etc/hosts file

> sudo vi /etc/hosts


And add the following line

127.0.0.1 mytest.google.com localhost



Open a new terminal and test it with a ping

> ping mytest.google.com








Create SSL certificates


Create some self-signed certificates.  For this part I used the simple notes I found at http://www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy/  [1]

I created an ssl folder in the same directory as nginx.conf


> cd /usr/local/etc/nginx/
> sudo mkdir ssl
> cd ssl



Run the following command

> openssl genrsa -des3 -out mytest.key 1024




Enter a pass phrase (I entered "1234"); do not worry about it, since we will remove it later.



Run the following command

> openssl req -new -key mytest.key -out mytest.csr



 
Make sure you set the Common Name to the hostname you want to use (mytest.google.com in this example).



Run the following command (to remove the pass phrase)

> cp mytest.key mytest.key.BACK
> openssl rsa -in mytest.key.BACK -out mytest.key



Run the following command

> openssl x509 -req -days 365 -in mytest.csr -signkey mytest.key -out mytest.crt



Fix permissions (adjust the owner and group to your setup)


> sudo chown nginx:staff .
> sudo chown nginx:staff *







Edit nginx.conf

Edit the nginx.conf file. On my Mac install it happens to be at /usr/local/etc/nginx/nginx.conf; on my Ubuntu server it is at /etc/nginx/nginx.conf.

> vi /usr/local/etc/nginx/nginx.conf


Here is my nginx.conf file (I highlighted some of the more interesting parts)

user  nginx staff;
worker_processes  4;

error_log  /Users/patman/Desktop/www/logs/error.log;
pid           /Users/patman/Desktop/www/logs/nginx.pid;


events {
  worker_connections  1024;
  multi_accept on;
}


http {
  include       mime.types;
  default_type  application/octet-stream;

  log_format  main_fmt '$remote_addr - $remote_user [$time_local]  $status '
   '"$request" $body_bytes_sent "$http_referer" '
   '"$http_user_agent" "$http_x_forwarded_for"';

  access_log /Users/patman/Desktop/www/logs/access.log main_fmt;   

  sendfile     on;
  tcp_nopush   on;
  tcp_nodelay on;
  server_names_hash_bucket_size 128;
  keepalive_timeout    70;
  types_hash_max_size 2048;


  gzip on;
  gzip_disable "msie6";

  proxy_buffering    off;
  proxy_set_header   X-Real-IP $remote_addr;
  proxy_set_header   X-Scheme $scheme;
  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header   Host $http_host;

  server {
    listen       80;
    root /Users/patman/Desktop/www;
  }

  server {
    listen       80;
    listen       443;
    ssl          on;
    server_name mytest.google.com;


    ### SSL log files ###
    access_log      /Users/patman/Desktop/www/logs/ssl-access.log;
    error_log       /Users/patman/Desktop/www/logs/ssl-error.log;

    ### SSL cert files ###
    ssl_certificate      /usr/local/etc/nginx/ssl/mytest.crt;
    ssl_certificate_key  /usr/local/etc/nginx/ssl/mytest.key;


    ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    60;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    access_log   /Users/patman/Desktop/www/logs/mytest.access.log main_fmt;
    error_log   /Users/patman/Desktop/www/logs/mytest.error.log;
    location / {
      proxy_pass  http://127.0.0.1:8080;
    }
  }
}

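As an added check that is not part of the original post: a small Python lint that reads the TLS directives of a server block like the one above and reports the settings that would not be accepted today, with a replacement directive for each. The sample block is constructed from the directives shown above; the names lint_tls and parse_directives are mine.

```python
"""Lint the TLS directives of an nginx server block and suggest fixes."""
import re

# Constructed sample: the TLS-related directives from the server block above.
SAMPLE_CONF = """
server {
  listen       443;
  ssl          on;
  server_name  mytest.google.com;
  ssl_certificate      /usr/local/etc/nginx/ssl/mytest.crt;
  ssl_certificate_key  /usr/local/etc/nginx/ssl/mytest.key;
  ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers          RC4:HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  location / { proxy_pass http://127.0.0.1:8080; }
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHERS = {"RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "EXPORT", "LOW"}
# One simple directive per match: name, value, terminating ';'.
# Block openers ('server {') and one-line nested blocks are skipped.
DIRECTIVE = re.compile(r"^\s*(\w+)\s+([^;{}]*);", re.M)


def parse_directives(conf):
    """Return (name, value) pairs for the simple directives in conf."""
    return [(m.group(1), m.group(2).strip()) for m in DIRECTIVE.finditer(conf)]


def lint_tls(conf):
    """Map each weak directive name to (problem, replacement directive)."""
    findings = {}
    for name, value in parse_directives(conf):
        if name == "ssl_protocols":
            bad = sorted(set(value.split()) & WEAK_PROTOCOLS)
            if bad:
                findings[name] = ("deprecated protocols: " + " ".join(bad),
                                  "ssl_protocols TLSv1.2 TLSv1.3;")
        elif name == "ssl_ciphers":
            # A token with a leading '!' is excluded, so only bare names count.
            bad = [t for t in value.split(":") if t in WEAK_CIPHERS]
            if bad:
                findings[name] = ("weak ciphers enabled: " + " ".join(bad),
                                  "ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;")
        elif name == "ssl" and value == "on":
            findings[name] = ("'ssl on' is deprecated",
                              "listen 443 ssl;  # and remove the 'ssl on' line")
    return findings
```

Calling lint_tls(SAMPLE_CONF) on the block above returns three findings: the SSLv3/TLSv1/TLSv1.1 protocols, the RC4 cipher, and the deprecated ssl on directive.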

Now restart nginx. On OS X (Homebrew install) run the following commands:

> sudo nginx -s stop
> sudo nginx





Try it

I found one interesting issue when trying to open https://mytest.google.com in Google Chrome. The non-secure URL (drop the s) works just fine… but it seems Chrome takes some offence to using a fake Google secure site.
I got the following error:



So I used Safari and confirmed it's working just fine.
This allowed me to complete my test and confirm that the new license worked as intended.

Update:  I later got Chrome to work, I am not sure what the problem was…





References
[1] nginx: Setup SSL Reverse Proxy (Load Balanced SSL Proxy), http://www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy/ (visited 6/2014)

