There are two separate Nginx services on the server: one service for internal application use, and one service that functions as a proxy between users and the application. To install the SSL certificate, all configuration is applied to the proxy process only.

Steps:

Log into the server as the centos user. Switch to the root user.
Enable the proxy nginx service so that it starts on boot:

```bash
systemctl enable nginx
```
Create a folder for the private key and limit access to it:

```bash
sudo mkdir /etc/ssl/private/ && sudo chmod 700 /etc/ssl/private
```
Copy the following files to the server. If you copy and paste the content, ensure that you do not miss characters or insert unwanted characters.

- The .key file goes into the /etc/ssl/private/ directory.
- The .crt file and the CA bundle (intermediate certificate bundle) go into the /etc/ssl/certs/ directory.

NOTE: The delivery name and format of these files vary by provider. Check your provider's documentation if this is unclear.
Your certificate and the intermediate/authority certificate must be combined into one file for nginx, with the server certificate first and the intermediate bundle after it. Here is an example of how to combine them:

```bash
# Server certificate first, then the intermediate chain.
# '>' overwrites any stale bundle instead of appending to it.
cat example_com.crt bundle.crt > ssl-bundle.crt
```
Update the permissions on these files. Modify the following filenames as necessary:

```bash
sudo chmod 600 /etc/ssl/certs/ssl-bundle.crt
sudo chmod 600 /etc/ssl/private/your-private-cert.key
```
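The copy-and-paste warning above is the step that most often goes wrong: a missed or stray character leaves a bundle that nginx rejects only at restart time. The following Python script is an added example (not part of the original page and not a product tool) that checks a bundle file the way nginx will read it: each BEGIN/END block must be complete, each base64 body must decode to DER, the bundle must contain at least the server certificate plus an intermediate, and the private key file must not be readable by group or other. The PEM blocks it builds are constructed fake payloads, not real certificates, and the run_demo function and file names are this example's own.

```python
import base64
import os
import stat
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_bundle_text(text):
    """Return a list of problems found in a PEM certificate bundle (empty list = looks sane)."""
    problems = []
    if "\r" in text:
        problems.append("CRLF line endings found; convert the file to LF before nginx reads it")
    bodies, current = [], None
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if line == PEM_BEGIN:
            if current is not None:
                problems.append(f"line {lineno}: BEGIN without a preceding END")
            current = []
        elif line == PEM_END:
            if current is None:
                problems.append(f"line {lineno}: END without a BEGIN")
            else:
                bodies.append("".join(current))
                current = None
        elif current is not None:
            current.append(line)
        elif line:
            problems.append(f"line {lineno}: unexpected text outside a certificate block")
    if current is not None:
        problems.append("file ends inside a certificate block (missing END line)")
    for index, body in enumerate(bodies, 1):
        try:
            der = base64.b64decode(body, validate=True)   # strict: rejects stray characters
        except ValueError:
            problems.append(f"certificate {index}: body is not valid base64 (missing or stray characters)")
            continue
        if not der.startswith(b"\x30"):                  # every X.509 certificate is a DER SEQUENCE
            problems.append(f"certificate {index}: decoded data does not start with a DER SEQUENCE")
    if len(bodies) < 2:
        problems.append(f"only {len(bodies)} certificate(s) found; expected the server certificate followed by its intermediate(s)")
    return problems


def check_private_key_file(path):
    """Report a key file that is world/group readable or does not look like a PEM private key."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: file not found"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"{path}: mode {mode:04o} allows group/other access; expected 0600")
    with open(path) as fh:
        if "PRIVATE KEY-----" not in fh.read():
            problems.append(f"{path}: does not look like a PEM private key")
    return problems


def _fake_cert_pem(seed):
    """Constructed PEM block around a fake DER payload (test data, not a real certificate)."""
    der = b"\x30\x82\x00" + seed * 27          # 30 bytes -> 40 base64 characters, no padding
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return PEM_BEGIN + "\n" + "\n".join(lines) + "\n" + PEM_END + "\n"


def run_demo():
    """Exercise the checks on constructed bundles and a placeholder key in a temporary directory."""
    results = {}
    good = _fake_cert_pem(b"\x01") + _fake_cert_pem(b"\x02")
    results["good_bundle"] = check_bundle_text(good)
    results["single_cert"] = check_bundle_text(_fake_cert_pem(b"\x01"))
    lines = good.split("\n")
    lines[1] = lines[1][1:]                               # drop one character: a missed paste
    results["truncated"] = check_bundle_text("\n".join(lines))
    results["stray_char"] = check_bundle_text(good.replace(PEM_END, "!\n" + PEM_END, 1))
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "demo.key")        # constructed placeholder, not a real key
        with open(key_path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQtUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n")
        os.chmod(key_path, 0o644)
        results["key_world_readable"] = check_private_key_file(key_path)
        os.chmod(key_path, 0o600)
        results["key_locked_down"] = check_private_key_file(key_path)
    return results


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```

Run it against the real files with check_bundle_text(open("/etc/ssl/certs/ssl-bundle.crt").read()) and check_private_key_file("/etc/ssl/private/your-private-cert.key"). The script does not parse X.509, so it cannot confirm that the server certificate is first and the intermediate second; keep the cat order shown above, and use openssl verify against the CA bundle for a full chain check.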
Use the following commands to deploy the example SSL configuration file provided on the server:

```bash
cp /opt/trifacta/conf/ssl-nginx.conf.sample /etc/nginx/conf.d/trifacta.conf && \
rm /etc/nginx/conf.d/default.conf
```
Edit the following file:

```text
/etc/nginx/conf.d/trifacta.conf
```

Make the following modifications:

Directive | Description
---|---
server_name | FQDN of the host, which must match the SSL certificate's Common Name.
ssl_certificate | Path to the certificate bundle file that you created on the server. This value may not require modification.
ssl_certificate_key | Path to the .key file on the server.
Example file:

```nginx
server {
    listen 443;
    # 'ssl on;' is deprecated in nginx 1.15 and later; 'listen 443 ssl;' is the current form.
    ssl on;
    server_name EXAMPLE.CUSTOMER.COM;
    # Don't limit the size of client uploads.
    client_max_body_size 0;
    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    # The key lives in /etc/ssl/private/, the directory created in the steps above.
    ssl_certificate_key /etc/ssl/private/EXAMPLE-NAME.key;
    # SSLv3 and the RC4 cipher are obsolete and rejected by modern clients;
    # prefer TLSv1.2 or later and a cipher list that excludes RC4.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://localhost:3005;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        # WebSocket support: forward the Upgrade handshake to the application.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }
    proxy_connect_timeout 6000;
    proxy_send_timeout 6000;
    proxy_read_timeout 6000;
    send_timeout 6000;
}
# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    return 301 https://$host$request_uri;
}
```
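The example file above still lists SSLv3 and RC4, and uses the deprecated ssl on form. The following Python script is an added example (not from the original page or the product) that audits the TLS-relevant directives of an nginx server block and prints the corrected setting for each weak one; it also shows a hardened server block beside a sample modelled on the page's file. The two embedded configurations are constructed samples, and the parser only handles simple name-arguments; directives, which is all this check needs.

```python
import re

# Values an audit should flag, with the replacements suggested in the findings.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT")
RECOMMENDED_PROTOCOLS = "TLSv1.2 TLSv1.3"
RECOMMENDED_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
)
DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z_]+)\s*([^;{}]*?)\s*;\s*$")

# Constructed sample modelled on the page's example file (weak settings kept on purpose).
WEAK_SAMPLE = """
server {
    listen 443;
    ssl on;
    server_name EXAMPLE.CUSTOMER.COM;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/EXAMPLE-NAME.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://localhost:3005;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;   # duplicated, as in the page's example
    }
}
"""

# Constructed hardened counterpart: same proxy behaviour, modern TLS settings.
HARDENED_SAMPLE = """
server {
    listen 443 ssl;
    server_name EXAMPLE.CUSTOMER.COM;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/EXAMPLE-NAME.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://localhost:3005;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
"""


def parse_directives(config):
    """Return (name, arguments) for every simple 'name args;' directive; comments and braces are skipped."""
    out = []
    for raw in config.splitlines():
        m = DIRECTIVE_RE.match(raw.split("#", 1)[0])
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def audit_tls(config):
    """Return human-readable findings for weak or deprecated TLS settings in an nginx config."""
    directives = parse_directives(config)
    findings = []
    for name, args in directives:
        if name == "ssl_protocols":
            weak = [p for p in args.split() if p in WEAK_PROTOCOLS]
            if weak:
                findings.append(f"ssl_protocols enables {', '.join(weak)}; use 'ssl_protocols {RECOMMENDED_PROTOCOLS};'")
        elif name == "ssl_ciphers":
            # Negated entries such as !MD5 exclude suites and are fine; flag only positive weak tokens.
            weak = [c for c in args.split(":")
                    if not c.startswith("!") and any(t in c.upper() for t in WEAK_CIPHER_TOKENS)]
            if weak:
                findings.append(f"ssl_ciphers allows weak suites {', '.join(weak)}; use 'ssl_ciphers {RECOMMENDED_CIPHERS};'")
        elif name == "ssl" and args == "on":
            findings.append("'ssl on;' is deprecated; put ssl on the listen directive: 'listen 443 ssl;'")
    names = {n for n, _ in directives}
    has_hsts = any(n == "add_header" and a.startswith("Strict-Transport-Security") for n, a in directives)
    if "ssl_certificate" in names and not has_hsts:
        findings.append('no Strict-Transport-Security header; add: add_header Strict-Transport-Security "max-age=31536000" always;')
    hosts = [a for n, a in directives if n == "proxy_set_header" and a.split()[0] == "Host"]
    if len(hosts) > 1:
        findings.append(f"proxy_set_header Host is set {len(hosts)} times; keep a single definition")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, "->", audit_tls(sample) or "no findings")
```

Run audit_tls(open("/etc/nginx/conf.d/trifacta.conf").read()) against the deployed file. TLSv1.3 needs an nginx build linked against OpenSSL 1.1.1 or later; on older CentOS packages keep only TLSv1.2. The HSTS finding is informational here, because this platform can emit Strict-Transport-Security itself through the proxy.securityHeaders settings described later on this page.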
Save the file. To apply the new configuration, start or restart the nginx service:

```bash
service nginx restart
```
Modify the listening port

If you have changed the listening port as part of the above configuration change, then the proxy.port setting in platform configuration must be updated.

Enable security headers

If you have enabled SSL on the platform, you can optionally insert the following additional headers into all requests to the platform:

Header | Protocol | Required Parameters
---|---|---
X-XSS-Protection | HTTP and HTTPS | proxy.securityHeaders.enabled=true
X-Frame-Options | HTTP and HTTPS | proxy.securityHeaders.enabled=true
Strict-Transport-Security | HTTPS | proxy.securityHeaders.enabled=true and proxy.securityHeaders.httpsHeaders=true

NOTE: SSL must be enabled to apply these security headers.
Steps: To add these headers to all requests, apply the following change:

- Locate the following setting and change its value to true:

```json
"proxy.securityHeaders.httpsHeaders": false,
```

- Save your changes and restart the platform.
Enable secure cookies

If you have enabled SSL on the platform, you can optionally enable the use of secure cookies.

NOTE: SSL must be enabled.

Steps:

- Locate the following setting and change its value to true:

```json
"webapp.session.cookieSecureFlag": false,
```

- Save your changes and restart the platform.
Troubleshooting
Problem - SELinux blocks proxy service from communicating with internal app service
If the platform is installed on a host where SELinux is enabled, the operating system blocks communication between the service that manages the proxy between users and the application and the service that manages internal application communications. To determine whether this problem is present, execute the following command:
```bash
sudo grep nginx /var/log/audit/audit.log | grep denied
```
The problem is present if an error similar to the following is returned:

```text
type=AVC msg=audit(1555533990.045:1826142): avc: denied { name_connect } for pid=25516 comm="nginx" dest=3005 scontext=system_u:system_r:httpd_t:s0
```
For more information on this issue, see https://www.nginx.com/blog/using-nginx-plus-with-selinux.
Solution:

The solution is to enable the following network connection through the operating system:

```bash
sudo setsebool -P httpd_can_network_connect 1
```
Restart the platform.
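The grep above finds the lines; telling a proxy connect denial apart from other nginx denials (for example a file read refused under the same httpd_t context) takes a closer look at the fields. The following Python script is an added example, not part of the original page or the product, that parses SELinux AVC lines from audit.log, keeps only the denials where nginx running as httpd_t was refused a TCP name_connect, and reports the blocked destination ports together with the fix this page documents. The sample lines are constructed: the first is the page's own example, the others are made up to show the filtering.

```python
import re

# Fixed prefix of an SELinux AVC denial, followed by free-form key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log lines (the first is the line shown on this page).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1555533990.045:1826142): avc: denied { name_connect } for pid=25516 '
    'comm="nginx" dest=3005 scontext=system_u:system_r:httpd_t:s0',
    'type=AVC msg=audit(1555533991.120:1826143): avc: denied { name_connect } for pid=25517 '
    'comm="nginx" dest=3005 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0',
    # Same context, but a file read: not the proxy problem this page describes.
    'type=AVC msg=audit(1555533992.000:1826144): avc: denied { read } for pid=25516 '
    'comm="nginx" name="example.conf" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1555533992.000:1826144): arch=c000003e syscall=2 success=no',
]


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials and None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "timestamp": m.group("ts"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "dest": fields.get("dest"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def find_proxy_denials(lines):
    """Keep only denials where nginx in the httpd_t domain was refused an outbound TCP connect."""
    hits = []
    for line in lines:
        d = parse_avc(line)
        if d and d["comm"] == "nginx" and "name_connect" in d["perms"] \
                and ":httpd_t:" in (d["scontext"] or ""):
            hits.append(d)
    return hits


def diagnose(lines):
    """Summarise whether the SELinux proxy problem is present and which ports were blocked."""
    hits = find_proxy_denials(lines)
    ports = sorted({d["dest"] for d in hits if d["dest"]})
    return {
        "present": bool(hits),
        "denials": len(hits),
        "blocked_ports": ports,
        # The remediation documented on this page; None when no matching denial was seen.
        "remediation": "sudo setsebool -P httpd_can_network_connect 1" if hits else None,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_AUDIT_LINES))
```

Run it on the real log with diagnose(open("/var/log/audit/audit.log").read().splitlines()) as a user that can read the file. The boolean the page recommends lets httpd_t connect to any TCP port; if you want a narrower grant, the usual alternative is to label the application port as an HTTP port with semanage port (for example port 3005, type http_port_t) and enable httpd_can_network_relay instead, then confirm with sesearch on your release that the resulting rule covers name_connect before relying on it.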