ADD NEW DOMAIN TO NGINX

The Nginx configuration for each domain is created inside /etc/nginx/conf.d.

Assume sf1.solvay.com is the domain and erptestwebdisp.solvay.com:44338 is the backend URL.

First, we need to create a configuration file for each domain.

cd /etc/nginx/conf.d

vi sf1.solvay.com.conf

Add the content below for proxy_pass:

server {
    listen       80;
    server_name  sf1.solvay.com;

    location / {
        proxy_pass https://erptestwebdisp.solvay.com:44338/;
    }
}

The above is the simple configuration for proxy_pass without SSL.

After adding the configuration, we need to check that it is correct.

You can test it with nginx -t. If everything is fine, reload nginx via service nginx reload

Domain with SSL and Reverse Proxy

Important

Before you generate a Certificate Signing Request (CSR) file, there are several things you should take note of:

  • The Private Key (*.key) file you generate must always be kept secret and safe.
  • To remain secure, SSL certificates must use keys that are 2048 bits in length or greater.
  • Remember to include the Subject Alternative Name (SAN) field – FQDN and Email.
  • Only share the generated CSR file (extension *.txt or *.csr); do not share the Private Key (*.key) file with anyone.

To create an SSL certificate, we need to create a CSR and request the SSL certificate through Remedyforce Self Service.

You can find 2 files in /home/ubuntu for the SSL setup:

Csr-request.sh and req.conf

  1. Install OpenSSL on the server. It will already be installed.

Install OpenSSL by entering the following commands in the terminal:

sudo apt update

sudo apt install openssl

  2. You can see req.conf in /home/ubuntu:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = BE
ST = Brussels
L = Brussels
O = Solvay
OU = SBS
CN = YourApplicationFQDN.solvay.com
emailAddress = PrimaryEmailContact@solvay.com

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = YourApplicationFQDN.solvay.com

  • Replace both instances of YourApplicationFQDN.solvay.com with the actual Fully Qualified Domain Name (FQDN) of your web application.
  • Replace the instances of PrimaryEmailContact@solvay.com with the emails of the persons or shared mailbox to receive crucial information (e.g. notifications about expiry) about the certificate.

Save the changes.

  3. Run the following command to generate the Private Key and CSR file:

openssl req -new -out YourApplicationFQDN.solvay.com.csr -newkey rsa:2048 -nodes -sha256 -keyout YourApplicationFQDN.solvay.com.key -config req.conf

  4. Log in to Remedy and request an SSL certificate with the created CSR:

Log in to Remedy.

Click on Remedyforce Self Service.

Click Authentication -PKI – Issue Web Authentication Certificate.

Fill in the application name, enter our domain name as the Fully Qualified Domain Name, and attach the CSR file.

Once it is done, you will get the SSL certificate by email.
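The requirements from the Important list (private key kept private, 2048 bits or more, SAN present) can be checked before the CSR is attached in step 4. The script below is an added example, not the Csr-request.sh from /home/ubuntu or any code from the original page; the helper name check_csr is hypothetical, and it assumes a Linux host with openssl and GNU stat.

```shell
#!/bin/sh
# Added example (not the page's Csr-request.sh): checks to run before a CSR is submitted.
# check_csr is a hypothetical helper; it returns 0 only if every check passes.
# Usage: sh check_csr.sh <file.csr> <file.key> <fqdn>

check_csr() {
    csr=$1 key=$2 fqdn=$3 rc=0
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) ||
        { echo "FAIL: $csr is not a readable CSR"; return 1; }

    # 1. The CSR self-signature must verify. Match the message, because
    #    older OpenSSL releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR signature does not verify"; rc=1; }

    # 2. The key must be 2048 bits or longer.
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-?} bits, need 2048 or more"; rc=1; }

    # 3. The FQDN must be an exact DNS entry in subjectAltName.
    printf '%s\n' "$text" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        grep -Fxq "DNS:$fqdn" ||
        { echo "FAIL: subjectAltName has no DNS:$fqdn"; rc=1; }

    # 4. The key on disk must be the one the CSR was generated from.
    [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key does not match $csr"; rc=1; }

    # 5. The key must not be readable by group or others (GNU stat).
    case $(stat -c %a "$key" 2>/dev/null) in
        *00) ;;
        *) echo "FAIL: $key is readable beyond its owner"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $csr passes all checks"
    return "$rc"
}

if [ "$#" -eq 3 ]; then check_csr "$@"; fi
```

Check 4 is also worth repeating once the key has been copied to /etc/ssl/sf1.solvay.com/, since nginx will refuse to load a certificate whose key does not match.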

Assume we have created the CSR for sf1.solvay.com. Once we have made the request, we can keep both the private key and the certificate inside the folder /etc/ssl/YourApplicationFQDN.solvay.com/

Here it will be /etc/ssl/sf1.solvay.com/

We need to keep both the private key and the certificate inside /etc/ssl/sf1.solvay.com

as sf1.solvay.com.key and sf1.solvay.com.crt

Now we have the SSL certificate for the setup.

server {
    listen       80;
    server_name  sf1.solvay.com;

    location / {
        proxy_pass https://erptestwebdisp.solvay.com:44338/;
    }
}

server {
    listen       443 ssl;
    server_name  sf1.solvay.com;

    ssl_certificate             /etc/ssl/sf1.solvay.com/sf1.solvay.com.crt;
    ssl_certificate_key         /etc/ssl/sf1.solvay.com/sf1.solvay.com.key;
    ssl_session_cache           builtin:1000 shared:SSL:10m;
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_ciphers                 "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_ecdh_curve              secp384r1;
    ssl_prefer_server_ciphers   on;
    large_client_header_buffers 8 1024k;

    location / {
        # Access logging is inherited from the enclosing configuration.
        # "access_log on;" is not a switch: nginx would log to a file named "on".
        proxy_pass https://erptestwebdisp.solvay.com:44338/;
    }
}

Once the configuration is added, test it with nginx -t.

If it is successful, reload nginx via service nginx reload
