
Background to the recommended installation

Using NGINX mainline

We recommend using NGINX mainline; by default, most Linux distributions will instead install NGINX stable. While the stable branch does receive security updates, its version number will not always match the latest published version of NGINX, and scanning tools and other security compliance frameworks in your organisation may deem this a failure to patch to the latest version.

Using a custom error page

We recommend installing custom error pages for common HTTP errors. Without this, certain errors are handled by NGINX, and this can reveal the version number of NGINX; other errors are handled by Tomcat, and this can reveal information about the version of Tomcat in use, and a stack trace for the error.

...

Code Block
    # Handle error responses from Tomcat in NGINX instead of passing them through,
    # so Tomcat's version string and stack traces never reach the client.
    proxy_intercept_errors on;
    # Map every client and server error to one neutral page rather than the
    # NGINX default pages, which include the NGINX version.
    error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /custom_error.html;
    location = /custom_error.html {
        internal;   # reachable only through error_page, not by direct request
        root /usr/share/nginx/html;
    }

Including a redirect for connections to port 80

Leaving port 80 open and including a redirect to HTTPS is widely recommended (including, for example, by Let’s Encrypt: https://letsencrypt.org/docs/allow-port-80/). In particular, this allows Let’s Encrypt to renew the certificate automatically using the default HTTP-01 challenge.

Hide version number

In this installation, we hide the NGINX version number on the default NGINX page. This is a useful security measure. Because errors are already redirected to a standard error page (see above), you are unlikely to see the version in a browser, but it can still be observed with a client such as curl that does not follow the port 80 redirect, or by querying the response headers of the service.
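The port 80 redirect and the version hiding described above, as one added example that is not the page's own configuration. It assumes the domain phixflow.mycompany.com and, for anyone renewing with Certbot's webroot method, a challenge directory of /var/www/certbot; with the Certbot nginx plugin used later on this page the challenge location is not required but does no harm.

```nginx
# Added example (not the page's own configuration). Assumed values:
# domain phixflow.mycompany.com, webroot /var/www/certbot.

# Drop "nginx/x.y.z" from the Server header and from NGINX's default
# error pages; the Server header then reads just "nginx".
server_tokens off;

server {
    listen 80;
    listen [::]:80;
    server_name phixflow.mycompany.com;

    # Keep the HTTP-01 challenge path reachable over plain HTTP so that
    # automatic certificate renewal keeps working. ^~ stops the redirect
    # below from ever matching challenge requests.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/certbot;
        default_type "text/plain";
    }

    # Everything else goes to HTTPS on the same host and path. A 301 is
    # cached by browsers, so use 302 while you are still testing.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `sudo nginx -t` and a reload, `curl -sI http://phixflow.mycompany.com/` should show a 301 with a Location header pointing at https:// and a Server header with no version number; curl does not follow the redirect unless given `-L`, which is exactly why it reveals what a browser would not.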

Using Let’s Encrypt to provide certificates

The method below uses https://certbot.eff.org/ to issue and install certificates from https://letsencrypt.org/ to provide secure connections over HTTPS. Let’s Encrypt is a well known Certificate Authority (CA) that is free to use. Check with your organisation on standards for certificates. You may need to use a different public CA, or an internal CA. Using CAs aside from Let’s Encrypt is well documented on the web. In particular, most public CAs will document how their certificates can be installed into NGINX.

If you do not use Certbot, skip the section ‘Install certificate using Certbot’ below, and follow instructions appropriate for your CA.

Installing with apt

The instructions below are based on installation on a Debian-based distribution of Linux, and use the apt command. If you are installing on a RedHat-based distribution of Linux, the equivalent yum commands for NGINX installation are well documented on the web.

Single server, single PhixFlow webapp

The following instructions assume that NGINX is installed on the same server as PhixFlow itself (i.e. the same server as the Tomcat installation), and with a single installation of PhixFlow (a “webapp”). If you have multiple webapps on a single server, multiple webapps across several servers, or a single webapp on a different server from the reverse proxy, see ‘Multiple PhixFlow webapps or multiple servers’ below.

Set up a domain record

Choose a domain, e.g. phixflow.mycompany.com, and set up an A record on your DNS to point this domain at the public IP address of the server that you are installing NGINX on.

Install NGINX

Install NGINX from the repository. Instructions for various Linux distributions can be found here: http://nginx.org/en/linux_packages.html.

...

Code Block
sudo apt update
sudo apt install nginx

Install certificate using Certbot

The following instructions are based on the recommended installation of Certbot with snap: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic. This link also includes alternative instructions for installing Certbot if you don’t want to use snap.

...

  • An email address (for urgent renewal and security notices): e.g. security.notifications@mycompany.com

  • Terms of service: you must agree to these (press Y)

  • Agreement to share your email address with EFF: you can choose either option, i.e. Y or N

  • The domain name assigned to this service: e.g. phixflow.mycompany.com

Configure NGINX

Most distributions of NGINX no longer include sites-enabled and sites-available directories. This example installation is based on a distribution that does not include these directories, and places the configuration file in the /etc/nginx/conf.d directory. If your installed version of NGINX includes sites-enabled and sites-available directories, consult the NGINX documentation for further guidance.

...

Code Block
sudo nginx -s reload
sudo service nginx stop
sudo service nginx start

Notes

  • You may need to reboot the server as well in order for NGINX to restart successfully.

  • Run netstat -tln to check the server is listening on port 443 and port 80.

  • Check the PhixFlow application loads in the browser.

Configure SSL cipher restriction

This is based on recommendations given at: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations.
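An HTTPS server block following the Mozilla "intermediate" profile as published at the time of writing, added here as an example and not the page's own configuration. It assumes Certbot's default certificate paths for phixflow.mycompany.com and a Tomcat listening on 127.0.0.1:8080; check the Mozilla generator for the current cipher list before deploying.

```nginx
# Added example, not the page's configuration. Assumed: Certbot's default
# certificate layout and Tomcat on 127.0.0.1:8080.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name phixflow.mycompany.com;

    ssl_certificate     /etc/letsencrypt/live/phixflow.mycompany.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/phixflow.mycompany.com/privkey.pem;

    # Mozilla intermediate profile: TLS 1.2 and 1.3 only, AEAD suites with
    # forward secrecy. Every listed suite is considered strong, so the
    # client's preference order is honoured rather than the server's.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    # The DHE-* suites are only negotiated if ssl_dhparam points at a
    # 2048-bit or larger parameter file; without one they are simply unused.
    # ssl_dhparam /etc/nginx/dhparam.pem;

    # Resume sessions from a shared cache; tickets are off because a
    # long-lived ticket key weakens forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    # HSTS for two years. Browsers cache this, so enable it only once
    # every name served here works over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Hand requests to Tomcat with the facts it needs to build correct
    # absolute URLs and to log the real client address.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If the Certbot nginx plugin has already inserted an `include /etc/letsencrypt/options-ssl-nginx.conf;` line into this server block, keep only one set of ssl_* settings so the two do not silently disagree, and run `sudo nginx -t` before the restart shown below.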

...

Code Block
sudo service nginx restart

Multiple PhixFlow webapps or multiple servers

A single reverse proxy can handle connections to several webapps (i.e. installations of PhixFlow), whether these are hosted on a single server or across several servers. See *** for common network configuration for PhixFlow installation. Whichever topology you choose, the NGINX configuration takes the same form: each PhixFlow installation is defined by an IP address and a webapp name.
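One way to lay out the multi-webapp case just described, as an added example rather than the page's own configuration. The topology is constructed: a webapp named sales on 10.0.1.10:8080 and one named finance on 10.0.1.11:8080, both reached through the single proxy at phixflow.mycompany.com.

```nginx
# Added example, not the page's configuration. Constructed topology:
# two PhixFlow webapps on two Tomcat servers behind one reverse proxy.

# One upstream per PhixFlow installation: the IP address half of the
# "IP address plus webapp name" pair that defines each installation.
upstream phixflow_sales   { server 10.0.1.10:8080; }
upstream phixflow_finance { server 10.0.1.11:8080; }

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name phixflow.mycompany.com;
    # ssl_* directives as in 'Configure SSL cipher restriction' go here.

    # Error handling as in 'Using a custom error page', so neither Tomcat
    # reveals its version or stack traces through this proxy.
    proxy_intercept_errors on;
    error_page 400 401 403 404 405 500 502 503 504 /custom_error.html;
    location = /custom_error.html { internal; root /usr/share/nginx/html; }

    # One location per webapp name. proxy_pass is given without a URI, so
    # the request path is forwarded unchanged and Tomcat sees the same
    # context path (/sales/, /finance/) that the browser used.
    location /sales/ {
        proxy_pass http://phixflow_sales;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /finance/ {
        proxy_pass http://phixflow_finance;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Anything that is not a known webapp is answered here rather than
    # being forwarded to a Tomcat, so there is no default backend to probe.
    location / {
        return 404;
    }
}
```

Adding a third installation means one more upstream and one more location block; nothing else in the server block changes.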

...