...
We recommend using NGINX mainline. By default, most Linux distributions will instead install NGINX stable. While the stable branch receives security updates, its version number will not always match the latest published version of NGINX, and scanning tools and other security compliance frameworks in your organisation may flag this as a failure to patch to the latest version.
...
We recommend installing custom error pages for common HTTP errors. Without this, certain errors are handled by NGINX, and the default NGINX error page can reveal the NGINX version number; other errors are handled by Tomcat, and the default Tomcat error page can reveal the version of Tomcat in use and a stack trace for the error.
...
If you want to add details such as the web address, phone number or email address for your own support desk, update the text in the custom error file custom_error.html below. If you wish to show different pages for different errors, or to include images in your error pages, configuring NGINX to do this is well documented on the web.
In the phixflow.conf file provided below, the following lines specify the errors to be handled using a custom page, and the location of the page. Update these if you want to configure something different:
...
Leaving port 80 open and including a redirect to HTTPS is widely recommended (including, for example, by Let’s Encrypt: https://letsencrypt.org/docs/allow-port-80/). In particular, this allows Let’s Encrypt to renew the certificate automatically using the default HTTP-01 challenge, which contacts the server over port 80.
...
In this installation, we hide the version number on the default NGINX page. This is a useful security measure. Because errors are already redirected to a standard error page (see above), in this installation you are unlikely to see the default page in a browser. But it can still be viewed using a client such as curl, which by default does not follow the port 80 redirect, or by querying the response headers of the service, where the Server header carries the version number unless it is hidden.
Using Let’s Encrypt to provide certificates
The method below uses https://certbot.eff.org/ to issue and install certificates from https://letsencrypt.org/ to provide secure connections over HTTPS. Let’s Encrypt is a well-known Certificate Authority (CA) that is free to use. Check with your organisation on standards for certificates. You may need to use a different public CA, or an internal CA. Using CAs other than Let’s Encrypt is well documented on the web. In particular, most public CAs will document how their certificates can be installed into NGINX.
If you do not use Certbot, skip the section ‘Install certificate using Certbot’ below, and follow instructions appropriate for your CA.
...
The following instructions assume that NGINX is installed on the same server as PhixFlow itself (i.e. the same server as the Tomcat installation), and with a single installation of PhixFlow (a “webapp”). If you have multiple webapps on a single server, multiple webapps across several servers, or a single webapp on a different server from the reverse proxy, see ‘Multiple PhixFlow webapps or multiple servers’ below.
Set up a domain record
...
Install NGINX from the repository. Instructions for various Linux distributions can be found here: http://nginx.org/en/linux_packages.html.
The example given here is taken from those instructions, and is for installation of NGINX mainline on Ubuntu.
...
...
The following instructions are based on the recommended installation of Certbot with snap: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic. This link also includes alternative instructions for installing Certbot if you don’t want to use snap.
These instructions also assume that snap is installed on your system. If it is not, you can follow the instructions here: https://snapcraft.io/docs/installing-snapd.
Make sure that any firewalls on the server are open to port 80 (HTTP).
Ensure that snapd is up to date:

```bash
sudo snap install core; sudo snap refresh core
```

Install Certbot:

```bash
sudo snap install --classic certbot
```

Link the Certbot command to make it accessible:
...
When the final command runs, it will prompt for several responses:
An email address (for urgent renewal and security notices): e.g. security.notifications@mycompany.com
Terms of service: you must agree to these (press Y)
Agreement to share your email address with EFF: you can choose either option, i.e. Y or N
The domain name assigned to this service: e.g. phixflow.mycompany.com
...
Create a configuration file for PhixFlow: open the file /etc/nginx/conf.d/phixflow.conf for editing (e.g. with sudo nano /etc/nginx/conf.d/phixflow.conf), and paste in the following, replacing [domain] with your domain, e.g. phixflow.mycompany.com:
...
Create a custom error page: open the file /usr/share/nginx/html/custom_error.html for editing (e.g. with sudo nano /usr/share/nginx/html/custom_error.html), and paste in the following:

```html
<!doctype html>
<html>
<head>
  <meta charset="UTF-8" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <meta http-equiv="X-UA-Compatible" content="IE=11" />
  <title>PhixFlow Error</title>
</head>
<body>
  <div class="access-error" style="font-family: Verdana, Helvetica, Arial, sans-serif; font-size: 24px; text-align: center; position:absolute; top:300px; width:100%; ">
    An unexpected error has occurred opening PhixFlow, please contact the support desk.
  </div>
</body>
</html>
```
Hide the version number: edit the file /etc/nginx/nginx.conf, and in the http context add the line server_tokens off; (the default is on, which puts the version in the Server header and on NGINX’s own error pages). This will result in a file that looks similar to:
...
```bash
sudo nginx -s reload
sudo service nginx stop
sudo service nginx start
```
Notes
...
If NGINX does not restart successfully, run sudo nginx -t to check the configuration and look at /var/log/nginx/error.log before resorting to a reboot; in some cases you may need to reboot the server as well for NGINX to restart successfully.
Run netstat -tln (or ss -tln on systems without the net-tools package) to check that the server is listening on port 443 and port 80. Check that the PhixFlow application loads in the browser.
Configure SSL cipher restriction
...
```nginx
ssl_ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
```
Save and close the file.
Note that in NGINX built against OpenSSL (as the nginx.org packages are), ssl_ciphers sets only the cipher list for TLS 1.2 and earlier; the TLS 1.3 suites named above are enabled by default and are not selected through ssl_ciphers. A list made up only of TLS 1.3 names therefore selects no TLS 1.2 cipher, which OpenSSL rejects when NGINX starts with the error ‘no cipher match’. If you intend to offer TLS 1.3 only, restrict ssl_protocols to TLSv1.3 instead, and keep a TLS 1.2 cipher list (or omit ssl_ciphers) so that the configuration is accepted. In all cases, run sudo nginx -t before reloading, then run the following to reload the NGINX configuration:
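The following is an added example, not code from the PhixFlow documentation or from the NGINX project, covering the checks behind the ‘Hide version number’ step and this cipher section. It is a POSIX shell script that reads an NGINX configuration file as plain text and reports on server_tokens, ssl_protocols and ssl_ciphers, and checks a captured block of response headers (as printed by curl -sI) for a version-bearing Server header. The two sample configurations and the header lines are constructed here for illustration; on a real server, point the check functions at /etc/nginx/nginx.conf and at the output of curl -sI for your domain.

```shell
#!/bin/sh
# Added example (not part of the PhixFlow documentation or of NGINX): offline
# checks for the hardening points discussed on this page. The configuration
# files and header blocks below are constructed samples, so the script runs
# without NGINX installed.
set -eu

# Print the value of the last uncommented "NAME value;" directive in FILE,
# with surrounding quotes and the trailing ';' removed; prints nothing if the
# directive is absent.
directive_value() {
  sed -e 's/#.*$//' "$1" \
    | grep -E "^[[:space:]]*$2[[:space:]]" \
    | tail -n 1 \
    | sed -E "s/^[[:space:]]*$2[[:space:]]+//; s/;[[:space:]]*$//; s/\"//g"
}

# server_tokens defaults to "on", which puts the version in the Server header
# and in NGINX's own error pages; only "off" hides it.
check_server_tokens() {
  case "$(directive_value "$1" server_tokens)" in
    off) echo ok ;;
    *)   echo warn ;;
  esac
}

# Flag any protocol older than TLS 1.2. An unset directive is flagged as well,
# because the default depends on the NGINX version.
check_ssl_protocols() {
  protos=$(directive_value "$1" ssl_protocols)
  [ -n "$protos" ] || { echo warn; return 0; }
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) echo warn; return 0 ;;
    esac
  done
  echo ok
}

# Under OpenSSL, ssl_ciphers sets only the TLS 1.2-and-earlier list; the TLS 1.3
# suites (the TLS_* names) are managed separately and stay enabled. A list made
# up solely of TLS_* names selects no TLS 1.2 cipher, which OpenSSL rejects at
# startup with "no cipher match".
check_ssl_ciphers() {
  list=$(directive_value "$1" ssl_ciphers)
  [ -n "$list" ] || { echo unset; return 0; }
  tls12=0
  old_ifs=$IFS
  IFS=:
  for c in $list; do
    case "$c" in
      TLS_*) ;;
      *)     tls12=1 ;;
    esac
  done
  IFS=$old_ifs
  if [ "$tls12" -eq 1 ]; then echo ok; else echo tls13-only; fi
}

# Given response headers (for example from "curl -sI https://host"), report
# whether the Server header still carries an NGINX version number.
check_server_header() {
  if printf '%s\n' "$1" | grep -Eiq '^Server:[[:space:]]*nginx/[0-9]'; then
    echo leaks
  else
    echo ok
  fi
}

# Constructed samples: a weak configuration and a hardened one.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
http {
    server_tokens on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256";
}
EOF
cat > "$tmp/hardened.conf" <<'EOF'
http {
    server_tokens off;   # hide the version in headers and error pages
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305";
}
EOF

for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
  printf '%s: server_tokens=%s ssl_protocols=%s ssl_ciphers=%s\n' \
    "$(basename "$f")" \
    "$(check_server_tokens "$f")" \
    "$(check_ssl_protocols "$f")" \
    "$(check_ssl_ciphers "$f")"
done
rm -rf "$tmp"

# Constructed header block, as "curl -sI http://phixflow.mycompany.com/"
# would print it for the port 80 redirect when server_tokens is still on.
printf 'Server header check: %s\n' \
  "$(check_server_header 'HTTP/1.1 301 Moved Permanently
Server: nginx/1.25.3
Location: https://phixflow.mycompany.com/')"
```

The weak sample reports warn/warn/tls13-only and the hardened one ok/ok/ok. The directive parser is deliberately simple (it ignores context nesting and include files), so treat a warning as a prompt to inspect the file rather than as a final verdict; the authoritative test of the cipher list remains sudo nginx -t on the server.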
...
A single reverse proxy can handle connections to different webapps (i.e. installations of PhixFlow), whether these are hosted on a single server or across several servers. See *** for common network configurations for a PhixFlow installation. Whichever configuration you choose, the reverse proxy configuration takes the same form: you need an IP address and a webapp name to define each PhixFlow installation.
Note that, since NGINX is the point of SSL termination, traffic from the reverse proxy to a PhixFlow installation specified by IP address is not protected by the client’s TLS connection; you must therefore make sure that the route from the reverse proxy to the PhixFlow installation is secure. The suggested configurations in *** provide this, since that traffic is sent within a private network.
In the following example, a single reverse proxy on a dedicated server is handling incoming connections to four different webapps:
System name | Server IP address | Webapp name
---|---|---
Production | | prod, installed at:
UAT | | uat, installed at:
Dev 1 | | dev1, installed at:
Dev 2 | | dev2, installed at:
...