Using NGINX as a third party proxy service to apply your SSL certificates

Update: February 3rd, 2021:

This article is in process of being transformed.

Please contact farmerswife support directly, to get the latest documentation; the following information is no longer up to date.

In this related article “How to SSL farmerswife using your own certificates” we provided information that you can use a

third party solution (with v6.5 "legacy"/deprecated "Proxy WIFE Server") to proxy the connection between your

internet facing farmerswife Server and the farmerswife clients to secure them by using your own SSL certificates.

You can also use solutions like F5, HAproxy, NGINX or the solution of your choice.

As an example we here provide a set of NGINX configuration files, which will use your subdomain and your already

configured ports exposed to the internet to point to your local fw Server host machine, by using strict SSL policies.

IMPORTANT: This example here is intended to be used by Linux IT administrators.

If you need support for the installation please contact sales for a quote.

An advantage of using NGINX or a third party solution is, that you can set which protocols to use and also which ciphers.

For example, you can set this up in a way to only allow TLS 1.2 and the newest TLS 1.3.

For this example explained here we allowed both TLS 1.2 and TLS 1.3 with a custom set of ciphers.

This example used a Debian 10 Buster server and NGINX version 1.14.2 with the stream module, which normally comes by default installing from Debian repositories.

The below rough diagram shows how this will work once your farmerswife system is proxied through NGINX:

On your new local e.g. Linux Ubuntu machine, located within your "DMZ":

First you will need to create the folder /etc/nginx/ssl if it doesn't exist and execute the following commands to generate the needed Diffie-Hellman key:

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

NOTE: this process may take several minutes time to finish (typically 20 to 30 min.)

DO NOT COPY & PASTE from here! What you see below is just an old example.

Please Request the latest "3 config files as a guide" directly from farmerswife support, which then contains a detailed "ReadMe.txt".

nginx.conf old example:

user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 10240;
}

http {
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/clients/*-http.conf;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '"$host" sn="$server_name" '
    'rt=$request_time '
    'ua="$upstream_addr" us="$upstream_status" '
    'ut="$upstream_response_time" ul="$upstream_response_length" '
    'cs=$upstream_cache_status' ;
    log_format vhosts '$host $remote_addr - $remote_user [$time_local] '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.vhost.log  vhosts;
    access_log /var/log/nginx/access.log  main;

    sendfile on;

    server_tokens off;

    keepalive_timeout 65;

    gzip on;
    gzip_http_version 1.0;
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_types text/plain text/xml text/css text/comma-separated-values text/javascript application/javascript application/x-javascript font/ttf font/otf image/svg+xml application/atom+xml;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=60s;
    resolver_timeout 2s;
}

stream {
    include /etc/nginx/clients/*-stream.conf;
    log_format basic '$remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time';

    access_log /var/log/nginx/access.stream.log basic;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384';
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_timeout 10m;
    #ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
}

The following values are some of the ones you will need to modify within this "nginx.conf" file:

user www-data: Change it to the user running the NGINX process. (Note: on latest Debian packages it's user changed to be www-data.)

Then you have to create the folder /etc/nginx/clients to add the two following files.

farmerswife-http.conf old example:

upstream farmerswife-webcal {
    server 192.168.0.100:27000;
}
upstream farmerswife-webclient {
    server 192.168.0.100:26000;
}
upstream farmerswife-api {
    server 192.168.0.100:25000;
}

## Legacy HTTPS / WebCal
server {
    listen 27000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://farmerswife-webcal$request_uri;
    }
}

## WebClient / Mobile WebClient / Play
server {
    listen 26000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location /webcal {
        proxy_intercept_errors on;
        rewrite ^.* https://farmerswife.yourdomain.com:27000/webcal$request_uri;
    }

    location / {
        proxy_intercept_errors on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://farmerswife-webclient$request_uri;
    }
}

## iOS / API
server {
    listen 25000 ssl http2;
    server_name farmerswife.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    location / {
        proxy_intercept_errors on;
        #proxy_max_temp_file_size 0;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass https://farmerswife-api$request_uri;
    }
}

The following values are some of the ones you will need to modify within this "farmerswife-http.conf" file:

server_name: change this on all fields and you need to match this to your sub-domain structure.
listen: change this to point to the according farmerswife Server port.
ssl_certificate: change this to point to your own "public" certificate.
ssl_trusted_certificate: change this to point to your "trusted" certificate CA.
ssl_certificate_key: change this to point to your "private" certificate key.
upstream: point this to the correct private IP and port of the actual host machine of your farmerswife server's main "Server Port".

farmerswife-stream.conf old example:

## Desktop Client
server {
    listen 22000 ssl;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_trusted_certificate /etc/nginx/ssl/certificate.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;
    ssl_verify_client off;
    #ssl_session_cache builtin:1000 shared:SSL:10m;

    proxy_ssl on;
    proxy_ssl_verify off;
    proxy_ssl_session_reuse off;

    proxy_pass 192.168.0.100:22000;
}

## File Transfer Port (Raw-Sockets)
server {
    listen 24000;
    proxy_pass 192.168.0.100:24000;
}

The following values are some of the ones you will need to modify in this "farmerswife-stream.conf" file:

listen: change this to point to the according farmerswife Server port.
ssl_certificate: change this to point to your own "public" certificate.
ssl_trusted_certificate: change this to point to your "trusted" certificate CA.
ssl_certificate_key: change this to point to your "private" certificate key.
proxy_pass: point this to the correct private IP and port of the actual host machine of your farmerswife server's main "Server Port".

UPDATE from 3. February 2021:

These config files as a guide are NO longer available here! Please request them directly from farmerswife support:

"Please send me the nginx.conf, farmerswife-http.conf and farmerswife-stream.conf files as a guide"

Once this is configured and running, this will need to be maintained from your side.

Related Articles