nginx and TLS v1.2

Given that SSL and TLS, especially v1.0, suffer from serious security issues (e.g. https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS) I thought it would be a good idea to use the latest and more secure version of it: v1.2. On CentOS 6.4 the openssl version included is quite old and doesn’t support TLS v1.1 and 1.2. So, first of all we have to install the latest version 1.0.1e, it can be done compiling from sources or by adding a third party repository; I chose the latter. …

Posted on

WordPress admin, SSL, Apache + nginx

Let’s say we have a WordPress blog and we would like to encrypt our login pages and the whole back-end of the site. There are many ways to do it, but since I already have a nginx instance configured as reverse proxy running in front of Apache I’ll use it to protect my admin pages and logins. In this page I’ll not cover Apache’s configuration, which, by the way, is trivial to say the least, so please refer to this other post: Apache + nginx as reverse proxy. Using the configuration posted in the above’s link as starting point, to add SSL encryption to admin pages we should add a couple more bunch of lines of code. First of all, we must create our own Certificate Authority and issue a SSL certificate. Another option is buying a certificate, but I don’t trust CA (certificate forgery anyone?) and I don’t mind having a properly signed certificate for a page I am the only one accessing to. Follows a brief explanation on how to create a CA and issue a certificate. …

Posted on

Apache + nginx as reverse proxy

One of the things I was planning to do but never did is installing nginx as reverse proxy in front of Apache. nginx is present in the epel repos for CentOS, so the installation process is just a matter of: yum install nginx mysql mysql-server phpmyadmin httpd wget -q -O - http://www.atomicorp.com/installers/atomic | sh yum install mod_rpaf mkdir /etc/nginx/v.hosts vi /etc/nginx/nginx.con http { include v.hosts/*.conf; include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; charset utf-8; keepalive_timeout 65; server_tokens off; sendfile on; tcp_nopush on; tcp_nodelay off; # Default Server Block to catch undefined host names # server { # listen 80; # server_name _; # root /usr/share/nginx/html; # index index.html index.htm; } } /usr/sbin/nginx -t server { listen 80; server_name uwot.eu; access_log off; error_log off; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_redirect off; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; client_max_body_size 10m; client_body_buffer_size 128k; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; } } sudo /usr/sbin/nginx -t service nginx restart

Posted on