Installing NGINX mainline

Install NGINX from the repository

  1. Run sudo apt install curl gnupg2 ca-certificates lsb-release to install the prerequisites.

  2. Run the following to set up the repository for mainline packages:

    echo "deb http://nginx.org/packages/mainline/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
  3. Run curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo apt-key add - to import an official NGINX signing key so apt can verify the package's authenticity.

  4. Run sudo apt-key fingerprint ABF5BD827BD9BF62 to verify that the imported key is the correct one; the output should contain the full fingerprint: 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62.

  5. Run sudo apt update and sudo apt install nginx.

Install Certbot

Note

These steps are a work in progress.

Follow the instructions here: https://certbot.eff.org/instructions?ws=nginx&os=ubuntubionic. In Step 7, run only the first command, sudo certbot --nginx; its final step (installing the certificate into NGINX) will fail. Continuing with the instructions on this page installs the certificate manually.

Configure NGINX

  1. Run sudo rm /etc/nginx/conf.d/default.conf to remove the default configuration.

  2. Run sudo vim /etc/nginx/conf.d/phixflow.conf and paste in the following, replacing [subdomain] with the appropriate subdomain of the server:

    server {
        # TLS only: no plain-HTTP listener is configured, so port 80 stays closed
        listen 443 ssl;
        listen [::]:443 ssl ipv6only=on;
    
        server_name [subdomain].phixflow.com;
    
        # Terminate TLS here and forward requests to the PhixFlow application on loopback
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    
        # Certificate and key issued by Certbot; options-ssl-nginx.conf carries the protocol and cipher settings
        ssl_certificate /etc/letsencrypt/live/[subdomain].phixflow.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/[subdomain].phixflow.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        client_max_body_size 40M;
        # HSTS: browsers refuse plain HTTP for this host and its subdomains for one year
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    }
  3. Restart NGINX:

    sudo nginx -s reload
    sudo service nginx stop
    sudo service nginx start
  4. Run netstat -tln to check that the server is listening on port 443 and not on port 80.

  5. Check that the PhixFlow application loads in the browser, and review the security information shown in the browser console.

  6. Run nginx -V to check the version.
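A scripted form of the checks in steps 4 and 5 above (the listening ports and the HSTS header), added here as an example that is not part of the original instructions. The netstat output and header value it runs against are constructed samples, and the function names are my own.

```python
# Constructed sample of `netstat -tln` output from a host following this page:
# NGINX on 443 (IPv4 and IPv6), PhixFlow on loopback 8080, nothing on 80.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

# Constructed header value, matching the add_header line in phixflow.conf.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"


def listening_sockets(netstat_output):
    """Return {(address, port)} for each LISTEN line; the port follows the last ':'."""
    sockets = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue  # banner, column header, or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        sockets.add((addr, int(port)))
    return sockets


def check_ports(netstat_output, tls_port=443, plain_port=80, backend_port=8080):
    """Step 4: 443 must be open, 80 must not be, and the backend only on loopback."""
    sockets = listening_sockets(netstat_output)
    ports = {port for _, port in sockets}
    problems = []
    if tls_port not in ports:
        problems.append(f"nothing listening on {tls_port}")
    if plain_port in ports:
        problems.append(f"plaintext listener still on {plain_port}")
    for addr, port in sockets:
        if port == backend_port and addr not in ("127.0.0.1", "::1"):
            problems.append(f"backend {backend_port} exposed on {addr}")
    return problems


def check_hsts(header_value, min_age=31536000):
    """Step 5: parse a Strict-Transport-Security value and report policy gaps."""
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip('"')
    problems = []
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(age) < min_age:
        problems.append(f"max-age {age} below {min_age}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    return problems
```

Feed check_ports the real output of netstat -tln and check_hsts the header value returned by the server; an empty list from each means the deployment matches the configuration above.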

...

Configure SSL cipher restriction

This is based on recommendations given at: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations. Note that there is a scheduled audit to review these on a regular basis and update our build instructions to continue to comply with the recommendations.

...