Maximum PC - UK (2020-01)


6 INSTALL SSL CERTIFICATE
We’re going to add and manage our required Let’s Encrypt certificate using Certbot:
$ sudo apt-get install python-certbot-nginx
>> Once installed, reopen the “default” file in nano, and insert the following {location} block inside the {server} block set to listen on port 80 [Image C]:
location /.well-known {
    alias /var/www/html/.well-known;
}
>> Save and close the file, then reload nginx as before. You are now ready to request your SSL certificate—one command should do it:
$ sudo certbot certonly --webroot -w /var/www/html/ -d myservers.domain.com
>> Follow the prompts—once it’s done, your certificate keys and files will reside under /etc/letsencrypt/live/myservers.domain.com.
>> Once installed, you’ll want Certbot to renew the certificate before the 90 days are up. Add the following line to crontab (sudo nano /etc/crontab) to instruct Certbot to renew your certificate after 60 days:
20 4 * * * root certbot renew --quiet --renew-hook "systemctl reload nginx"
>> Windows users should substitute systemctl reload nginx with service nginx restart.

7 DEMAND SECURE-ONLY CONNECTIONS
Back we go into the “default/nginx.conf” configuration file. This time, you want to edit the {server} block listening on port 80, so it only listens for secure connections. Comment out any listen commands for port 80, and uncomment the two “listen 443” lines beneath them. You’ll also need to add additional lines to make use of the Let’s Encrypt certificate you generated earlier. The annotation opposite reveals the most secure setup to follow, but if you’re in a hurry, the following lines will suffice for now—place them beneath the “server_name” line:
ssl_certificate /etc/letsencrypt/live/myservers.domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myservers.domain.com/privkey.pem;
add_header Strict-Transport-Security "max-age=31536000";
>> Save your changes, test them using sudo nginx -t before reloading nginx. Now open your browser and you’ll find you can no longer access http://myservers.domain.com, but you should now be able to access https://myservers.domain.com. Click the padlock next to the domain name and it should now be verified by Let’s Encrypt. Congratulations, you’ve secured your reverse proxy.
>> If you’d like to automatically redirect HTTP (port 80) to HTTPS (port 443), rather than throw up an error, add an additional {server} block to your configuration file beneath the first block:
server {
    listen 80;
    listen [::]:80;
    server_name myservers.domain.com;
    return 301 https://$host$request_uri;
}
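The pieces from steps 6 and 7 interact in one way the text does not spell out: once port 80 only returns a 301, the /.well-known path that Certbot’s webroot renewal depends on must still be served over plain HTTP, or the cron job from step 6 will start failing. The script below is an added example, not code from the magazine, nginx or Certbot. It renders the two server blocks for a given domain (with the TLS 1.2/1.3 restriction the sidebar recommends and the redirect moved into its own location so /.well-known stays reachable), and it includes two checks you can point at captured response headers to confirm the redirect and the HSTS header actually took effect. The upstream address and the sample headers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Maximum PC article or from nginx/Certbot.
# render_server_blocks prints the two server blocks from step 7, extended
# with the TLS 1.2/1.3 restriction from the sidebar and a /.well-known
# location on port 80 so the Certbot renewal from step 6 keeps working.
# check_http_redirect and check_hsts verify captured response headers.
# Assumptions: certificate paths follow step 6; the upstream address is a
# placeholder to be replaced with the real backend.

# $1 = domain name, $2 = upstream URL (placeholder default)
render_server_blocks() {
    domain="$1"
    upstream="${2:-http://127.0.0.1:8080}"   # placeholder backend
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};

    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # One year, sent on every response including error pages
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass ${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name ${domain};

    # Keep the ACME challenge path reachable over plain HTTP so that
    # "certbot renew" (step 6) still succeeds after the redirect is in place.
    location /.well-known {
        alias /var/www/html/.well-known;
    }

    # A server-level "return" runs before location matching and would
    # swallow /.well-known too, so the redirect lives in its own location.
    location / {
        return 301 https://\$host\$request_uri;
    }
}
EOF
}

# Read HTTP response headers on stdin; succeed only for a 301 to https://
check_http_redirect() {
    awk 'NR == 1 && $2 == "301" { status = 1 }
         tolower($1) == "location:" && $2 ~ /^https:\/\// { target = 1 }
         END { exit !(status && target) }'
}

# Read HTTPS response headers on stdin; succeed only if an HSTS header
# with a max-age of at least $1 seconds is present
check_hsts() {
    awk -v min="$1" '
        tolower($1) == "strict-transport-security:" {
            if (match($0, /max-age=[0-9]+/)) {
                age = substr($0, RSTART + 8, RLENGTH - 8) + 0
                if (age >= min) found = 1
            }
        }
        END { exit !found }'
}

# Constructed sample headers, standing in for "curl -sI" output
SAMPLE_HTTP='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://myservers.domain.com/'
SAMPLE_HTTPS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000'

render_server_blocks myservers.domain.com
printf '%s\n' "$SAMPLE_HTTP"  | check_http_redirect && echo "port 80 redirects to HTTPS"
printf '%s\n' "$SAMPLE_HTTPS" | check_hsts 31536000 && echo "HSTS header is set for a year"
```

Against a live proxy, replace the constructed samples with `curl -sI http://myservers.domain.com | check_http_redirect` and `curl -sI https://myservers.domain.com | check_hsts 31536000`; a non-zero exit from either tells you the step 7 edits were not picked up by the reload.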

8 YOUR FIRST REDIRECTION
We have got just enough space to set up your first reverse proxy: NextCloud. As we discussed earlier, you need separate {server {location}} blocks for each server you wish to add to your reverse proxy. The “server” block is where you configure the connection parameters—the annotation opposite reveals some of the basic components you need to include: the port you are listening on, plus details about the security you are implementing, along with your SSL certificates. This largely remains unchanged for each server—the main changes are the port you’re listening on and what SSL protocols to use, depending on what your server supports. Don’t forget to include the “client_max_

[Image C]

TIGHTEN SECURITY
When opening your network to the wider Internet, remember to stay secure. We’ve tightened security to some degree on the reverse proxy itself—by forcing use of TLS 1.2 and TLS 1.3—and you can make things even more secure by following guides like that at Raymii.org (https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html). That’s the beauty of reverse proxies—rather than having to strengthen each individual server, you can add an extra layer of protection for them all. Apply these tweaks to all your server blocks, including the one set to listen to port 443 by default. Visit http://www.ssllabs.com/ssltest/ to see how secure your reverse proxy really is.
You should strengthen the security of each service you open for Internet access. Avoid non-secure (HTTP) connections, and ensure your accounts are protected by strong passwords. Look for options to block brute-force attacks—either natively, or (as is the case with NextCloud) via the Brute-Force Settings app. Where possible, add additional forms of authentication—for example, NextCloud users can install the TOTP app to add 2FA authentication, then check “Enforce two-factor authentication” in “Settings” under “Administration > Security.”


58 MAXIMUMPC JAN 2020 maximumpc.com


R&D
