Monday, April 15, 2019

NGINX with custom HTTPS local test domain on Mac OS

This is more a note to myself, because I'm always forgetting the easiest way to generate a self-signed, trusted wildcard SSL certificate for a local test domain like sample.test. You can generate one with the OpenSSL tool like this:

openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout sample.test.key -out sample.test.crt -subj /CN=*.sample.test

You can also add it to your Mac OS Keychain Access with this:

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain sample.test.crt

But in my case it was still not trusted, so it didn't work fine in Google Chrome.

The easiest way is to use the open-source mkcert. You can install it with brew on Mac OS or download the latest release for your OS. Just follow the docs to install it and generate a new certificate, which will also be automatically registered as trusted:

mkcert sample.test "*.sample.test" localhost 127.0.0.1
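As an added example (not code from the original post), here is a shell script that generates the same kind of self-signed wildcard certificate with OpenSSL but includes a subjectAltName extension, and then runs the checks worth applying to any local certificate, including the files mkcert produced: that the expected names are in the SAN list, that the private key belongs to the certificate, and that the certificate chains to a given root. Chrome ignores the CN field and requires a SAN, so a certificate from the plain -subj command above is rejected even after its root has been trusted; that is a common cause of the behaviour described earlier. The working directory, the file names, the helper function names and the sample.test domain are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# wildcard certificate for a local test domain WITH a subjectAltName (SAN)
# extension, then runs the checks that also apply to mkcert's output files.
# Chrome ignores the CN field, so the page's "-subj /CN=*.sample.test" form,
# which has no SAN, is rejected even when its root is trusted.
set -eu

# Scratch directory for generated files (assumption: TMPDIR or /tmp is writable).
WORKDIR="${TMPDIR:-/tmp}/localcert.$$"

# gen_cert DOMAIN: writes $WORKDIR/DOMAIN.key and $WORKDIR/DOMAIN.crt
gen_cert() {
  domain="$1"
  mkdir -p "$WORKDIR"
  # A minimal OpenSSL config; -config with x509_extensions also works on
  # releases older than 1.1.1, which is when the -addext shortcut appeared.
  cat > "$WORKDIR/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_local
[dn]
CN = $domain
[v3_local]
subjectAltName = DNS:$domain, DNS:*.$domain, DNS:localhost, IP:127.0.0.1
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$WORKDIR/$domain.key" -out "$WORKDIR/$domain.crt" \
    -config "$WORKDIR/openssl.cnf" 2>/dev/null
}

# cert_sans CRT: prints the SAN list on one line, e.g.
# "DNS:sample.test, DNS:*.sample.test, DNS:localhost, IP Address:127.0.0.1"
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# check_sans CRT NAME...: exit 0 only if every NAME is an exact SAN entry
check_sans() {
  crt="$1"; shift
  sans="$(cert_sans "$crt")"
  for name in "$@"; do
    case ", $sans," in
      *", $name,"*) ;;
      *) echo "missing SAN: $name" >&2; return 1 ;;
    esac
  done
}

# key_matches_cert KEY CRT: exit 0 if the private key's public half is the
# certificate's SubjectPublicKeyInfo (a key/cert mix-up is a classic nginx error)
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# trusted_by CAFILE CRT: exit 0 if CRT chains to CAFILE; for mkcert output use
# "$(mkcert -CAROOT)/rootCA.pem" as CAFILE
trusted_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
  d="${1:-sample.test}"
  gen_cert "$d"
  check_sans "$WORKDIR/$d.crt" "DNS:$d" "DNS:*.$d" DNS:localhost "IP Address:127.0.0.1"
  key_matches_cert "$WORKDIR/$d.key" "$WORKDIR/$d.crt"
  trusted_by "$WORKDIR/$d.crt" "$WORKDIR/$d.crt"   # self-signed: it is its own anchor
  echo "ok: $WORKDIR/$d.crt and $WORKDIR/$d.key"
}

# Runs only when a domain is given, e.g.: sh localcert.sh sample.test
if [ $# -gt 0 ]; then main "$@"; fi
```

The three check functions are the useful part after switching to mkcert: run check_sans and key_matches_cert on the renamed sample.test.crt and sample.test.key, and trusted_by with the rootCA.pem from the mkcert -CAROOT directory, before pointing the NGINX config at them.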

After renaming the files to sample.test.key and sample.test.crt and copying them into the NGINX folder, change the nginx.conf file (or an included file) to something like this:

upstream sample-test {
    server localhost:5001;
    server localhost:5002;
}

server {
    listen *:80;
    server_name     www.sample.test sample.test;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$host$request_uri;
}

server {
    listen *:443    ssl;
    server_name     www.sample.test sample.test;
    ssl_certificate sample.test.crt;
    ssl_certificate_key sample.test.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log  /usr/local/etc/nginx/logs/access.log;
    location / {
        proxy_pass  http://sample-test;
    }
}

This uses NGINX SSL termination, so traffic from NGINX to the application servers is not encrypted, and uses an NGINX upstream to load-balance the HTTP traffic across multiple (2) web application instances. All traffic on port 80 (HTTP) is automatically redirected to port 443 (HTTPS), which uses the newly generated certificate.
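As an added example (not code from the original post), the following shell script lints a server block like the one above before NGINX is reloaded: it flags deprecated protocol versions in ssl_protocols (SSLv3, TLS 1.0 and TLS 1.1 are deprecated by RFC 8996, and the config above still enables TLSv1.1), and checks that the HTTP block redirects, that an HSTS header is sent and that session tickets are off. The config it reads is a constructed copy of the page's settings written to a temp file; the file path, the function names and the harden_protocols rewrite to TLSv1.2/TLSv1.3 are assumptions of this example, not part of the original.

```shell
#!/bin/sh
# Added example, not code from the original post: a small lint for the TLS
# server block, run before "nginx -s reload". Flags deprecated protocol
# versions (SSLv3, TLSv1, TLSv1.1; RFC 8996) and checks for the redirect,
# HSTS and session-ticket settings. The sample config below is a constructed
# copy of the page's settings (assumption: TMPDIR or /tmp is writable).
set -eu

SAMPLE_CONF="${TMPDIR:-/tmp}/sample-test.conf.$$"

# write_sample_conf: constructed config mirroring the page's two server blocks
write_sample_conf() {
  cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen *:80;
    server_name www.sample.test sample.test;
    return 301 https://$host$request_uri;
}
server {
    listen *:443 ssl;
    server_name www.sample.test sample.test;
    ssl_certificate sample.test.crt;
    ssl_certificate_key sample.test.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # add_header X-Frame-Options DENY;   (commented lines must be ignored by the lint)
}
EOF
}

# uncommented CONF: the config with comment lines removed
uncommented() { grep -Ev '^[[:space:]]*#' "$1"; }

# ssl_protocols_of CONF: every token listed in ssl_protocols, one per line
ssl_protocols_of() {
  uncommented "$1" \
    | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p' \
    | tr -s '[:blank:]' '\n' | sed '/^$/d'
}

# deprecated_protocols CONF: prints deprecated entries; exit 1 if any are found
deprecated_protocols() {
  found="$(ssl_protocols_of "$1" | grep -Ex 'SSLv3|TLSv1|TLSv1\.1' || true)"
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# has_directive CONF ERE: exit 0 if an uncommented line matches ERE
has_directive() { uncommented "$1" | grep -Eq "$2"; }

# lint_tls_conf CONF: prints findings; exit 0 only when every check passes
lint_tls_conf() {
  rc=0
  bad="$(deprecated_protocols "$1" || true)"
  [ -z "$bad" ] || { echo "FAIL: deprecated ssl_protocols: $(printf '%s' "$bad" | tr '\n' ' ')"; rc=1; }
  has_directive "$1" 'return[[:space:]]+301[[:space:]]+https://' || { echo "FAIL: no HTTP->HTTPS redirect"; rc=1; }
  has_directive "$1" 'Strict-Transport-Security' || { echo "FAIL: no HSTS header"; rc=1; }
  has_directive "$1" 'ssl_session_tickets[[:space:]]+off' || { echo "FAIL: ssl_session_tickets not off"; rc=1; }
  return $rc
}

# harden_protocols CONF: rewrite ssl_protocols in place to TLS 1.2 and 1.3 only
# (TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer)
harden_protocols() {
  sed -i.bak 's/^\([[:space:]]*\)ssl_protocols[[:space:]].*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$1"
}
```

Usage: call write_sample_conf, then lint_tls_conf "$SAMPLE_CONF" (it reports the TLSv1.1 entry and exits 1), then harden_protocols "$SAMPLE_CONF" and lint again. One NGINX caveat the lint does not catch: add_header directives are inherited from the server block into a location block only if that location defines no add_header of its own, so the security headers above reach responses from location / only as long as nothing is added there.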
