Wednesday, February 27, 2019

Nginx Key and Certificate Creation

SSL Key and Certificate creation in Nginx:

Ubuntu@Server:/etc/nginx$ mkdir ssl
Ubuntu@Server:/etc/nginx$ cd ssl

//The options used in the command below are explained at the end of this post.

Ubuntu@Server:/etc/nginx/ssl$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/dmodi_nginx.key -out /etc/nginx/ssl/dmodi_nginx.crt
[sudo] password for wibmoapp:
    Generating a 2048 bit RSA private key
    ...................................+++
    .....................................+++
    writing new private key to '/etc/nginx/ssl/dmodi_nginx.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:IN
    State or Province Name (full name) [Some-State]:Karnataka
    Locality Name (eg, city) []:Bengaluru
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Wibmo
    Organizational Unit Name (eg, section) []:Payzapp Team
    Common Name (e.g. server FQDN or YOUR name) []:www.deepakmodi.com
    Email Address []:deepak.modi@wibmo.com
    
Ubuntu@Server:/etc/nginx/ssl$ ls -lrth
total 8.0K
-rw-r----- 1 root root 1.7K Feb 27 18:53 dmodi_nginx.key
-rw-r----- 1 root root 1.5K Feb 27 18:53 dmodi_nginx.crt
Ubuntu@Server:/etc/nginx/ssl$


Now modify the nginx.conf file (the server block below keeps serving plain HTTP on port 80 and adds HTTPS on port 443 using the self-signed pair created above):
server {
        listen 80 default_server;
        listen [::]:80 default_server ipv6only=on;

        listen 443 ssl;    # HTTPS handled by the same server block

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name your_domain.com;
        # the self-signed certificate and private key generated above
        ssl_certificate /etc/nginx/ssl/dmodi_nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/dmodi_nginx.key;

        location / {
                try_files $uri $uri/ =404;
        }
}

Check the configuration and restart Nginx:
sudo nginx -t
service nginx restart

Now Try:
http://server_domain_or_IP
and
https://server_domain_or_IP

Command Explanation:
openssl: This is the basic command line tool for creating and managing OpenSSL certificates, keys, and other files.

req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. X.509 
    is a public key infrastructure standard that SSL and TLS adhere to for their key and certificate management. 
    We want to create a new X.509 cert, so we are using this subcommand.
    
-x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed 
    certificate instead of generating a certificate signing request, as would normally happen.
    
-nodes: This tells OpenSSL to skip protecting the private key with a passphrase. We need Nginx to be 
        able to read the key file, without user intervention, when the server starts up. A passphrase would 
        prevent this because we would have to enter it after every restart.
        
-days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.

-newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did 
    not create the key that is required to sign the certificate in a previous step, so we need to create it along 
    with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.
    
-keyout: This tells OpenSSL where to place the generated private key file.

-out: This tells OpenSSL where to place the certificate that we are creating.
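The same procedure scripted end to end, as an added example that is not the post's own command: a config file replaces the interactive prompts, a subjectAltName is added for the hostname (browsers no longer accept the Common Name alone), and the key/certificate pair is checked before nginx is pointed at it. The output directory and hostname are arguments; the hostname used in the checks is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the blog's own commands: create the same kind of self-signed
# key/certificate pair non-interactively (a config file replaces the prompts),
# add a subjectAltName (browsers ignore the CN by itself), and check the result
# before pointing nginx at it. Paths and the hostname are arguments, not fixed.
set -eu

# gen_selfsigned DIR CN DAYS -> writes DIR/nginx.key and DIR/nginx.crt
gen_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # prompt = no takes the DN from [dn]; x509_extensions adds the SAN to the cert
    cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = san
[dn]
C = IN
ST = Karnataka
L = Bengaluru
O = Wibmo
CN = $cn
[san]
subjectAltName = DNS:$cn
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$dir/req.cnf" \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" 2>/dev/null
    chmod 600 "$dir/nginx.key"   # only the owner (root, for nginx) may read the key
}

# verify_pair CRT KEY CN -> 0 when key and cert match, the SAN covers CN,
# the cert has not expired and the key is not readable by other users
verify_pair() {
    crt=$1; key=$2; cn=$3
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = \
      "$(openssl pkey -pubout -in "$key" 2>/dev/null)" ] || return 1
    openssl x509 -noout -text -in "$crt" | grep -q "DNS:$cn" || return 1
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || return 1
    case $(ls -ld "$key") in -???------*) ;; *) return 1 ;; esac
}

# Stand-alone use: ./make_selfsigned.sh /etc/nginx/ssl www.deepakmodi.com
if [ "$#" -eq 2 ]; then
    gen_selfsigned "$1" "$2" 365
    verify_pair "$1/nginx.crt" "$1/nginx.key" "$2" && echo "key/cert OK in $1"
fi
```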

Squid Proxy Installation and Configuration

Squid

Squid is a popular caching and forwarding HTTP web proxy server. It caches web pages from 
a web server to improve web server speed, reduce response times and reduce network bandwidth usage.

Installation of Squid in Ubuntu:
sudo apt update    --To update ubuntu.
sudo apt -y install squid
sudo systemctl start squid
sudo systemctl enable squid
sudo systemctl status squid

Squid configuration file: /etc/squid/squid.conf
Squid Access log: /var/log/squid/access.log
Squid Cache log: /var/log/squid/cache.log

Configure Squid:
vi /etc/squid/squid.conf

http_port : This is the port the HTTP proxy listens on; by default it is 3128. You may change 
            it to any other port that you want, and you may also add the “transparent” tag to the end of 
            the line (e.g. http_port 8888 transparent) to make Squid act as a transparent proxy.
            
http_access deny all : This line won’t let anybody access the HTTP proxy server, which is why you need to change 
            it to http_access allow all to start using your Squid proxy server. Note that allow all turns Squid into 
            an open proxy for anyone who can reach the port; the ACL section further down restricts access to a known 
            client IP instead.
            
visible_hostname : This directive sets the hostname that the Squid server reports. You can give Squid any hostname.


Restart Squid:
sudo systemctl restart squid


Configure Squid as an HTTP proxy that authorizes clients by IP address only. To allow only one IP address to 
access the internet through your new proxy server, you need to define a new acl (access control list) in the configuration file.

vi /etc/squid/squid.conf
acl localnet src XX.XX.XX.XX
Where XX.XX.XX.XX is the IP address of client machine. This acl should be added in the beginning of the ACL’s section.
Example: acl localnet src 192.168.0.102  #Boss IP address, Some comments

You will need to restart Squid service to take the new changes into effect.
$ sudo systemctl restart squid

Open Ports in Squid Proxy. By default, only certain ports are allowed in the squid configuration, add like below: 
acl Safe_ports port XXX    --Where XXX is the port number that you wish to allow. 


Block Websites:
sudo touch /etc/squid/blacklisted_sites.acl    --Create a file
.badsite1.com    --File content
.badsite2.com    --File content
Squid will block all references to those sites, including www.badsite1.com, subsite.badsite1.com, etc. 

acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl"
http_access deny bad_urls



Block Specific Keyword with Squid
sudo touch /etc/squid/blockkeywords.lst
    facebook
    instagram
    gmail

acl blockkeywordlist url_regex "/etc/squid/blockkeywords.lst"
http_access deny blockkeywordlist

sudo systemctl restart squid
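An added example, not from the post or the Squid project, that assembles the ACL rules described above (client IP, Safe_ports, blacklisted domains, blocked keywords) into one fragment and checks their order: Squid evaluates http_access lines top to bottom and stops at the first match, so the deny rules for bad_urls and blockkeywordlist must come before the allow for the client, and deny all must be the last rule. The output file, the client IP and the port list are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the blog: put the Squid ACL rules described above
# (client IP, Safe_ports, blacklisted domains, blocked keywords) into one
# fragment and check their order. Squid evaluates http_access lines top to
# bottom and stops at the first match, so the deny rules must sit above the
# allow for the client and "deny all" must be the last rule.
set -eu

# write_acls FILE CLIENT_IP -> writes a constructed squid.conf fragment
write_acls() {
    cat > "$1" <<EOF
# constructed fragment; the list files are the ones created in the post
acl localnet src $2
acl Safe_ports port 80 443 8443
acl bad_urls dstdomain "/etc/squid/blacklisted_sites.acl"
acl blockkeywordlist url_regex "/etc/squid/blockkeywords.lst"
http_access deny !Safe_ports
http_access deny bad_urls
http_access deny blockkeywordlist
http_access allow localnet
http_access deny all
EOF
}

# line_of FILE RULE -> line number of the first "http_access RULE" (0 if absent)
line_of() {
    n=$(grep -n "^http_access[[:space:]]\{1,\}$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_order FILE -> 0 when every deny rule precedes "allow localnet" and
# "deny all" is the final http_access line
check_order() {
    f=$1
    allow=$(line_of "$f" 'allow localnet')
    denyall=$(line_of "$f" 'deny all')
    last=$(grep -n '^http_access' "$f" | tail -n 1 | cut -d: -f1)
    [ "$allow" -gt 0 ] && [ "$denyall" -gt 0 ] || return 1
    [ "$denyall" -eq "${last:-0}" ] || return 1   # rules after deny all are dead
    for rule in 'deny !Safe_ports' 'deny bad_urls' 'deny blockkeywordlist'; do
        n=$(line_of "$f" "$rule")
        [ "$n" -gt 0 ] && [ "$n" -lt "$allow" ] || return 1
    done
}

# Stand-alone use: ./squid_acls.sh squid_acls.conf 192.168.0.102
# then paste the fragment into squid.conf in place of its http_access lines
if [ "$#" -eq 2 ]; then
    write_acls "$1" "$2"
    check_order "$1" && echo "http_access order OK in $1"
fi
```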

Configure Proxy in Browser now to hit Squid:
Open Firefox and go to Edit –> Preferences –> Advanced –> Network –> Settings and select “Manual proxy configuration”.

Hint: https://www.tecmint.com/install-squid-in-ubuntu/