1/ Description
Nginx is a web proxy that sits between a user's device and the internet. A proxy receives the user's request, forwards it, and returns the web application's response to the user. It adds a layer of security to the user's browsing: before forwarding a request, it can check whether the requested URL is forbidden.
In this installation, we will use Nginx as a reverse proxy. A reverse proxy receives requests from external clients and forwards them to the backend servers of your environment. It serves as a gateway in front of those servers and manages the incoming traffic. Where each request is forwarded depends on the reverse proxy configuration, which we explain in this article.
Certbot is an open-source tool to obtain and manage TLS certificates for web applications. It requests the certificates from Let's Encrypt.
2/ Installation
The installation is based on Docker containers. Create a docker-compose.yml file to define your containers:
version: '3'
services:
  webserver:
    image: nginx:latest
    ports:
      - 80:80
      - 443:443
    restart: always
Run the container with
docker compose up
With the port mapping in the docker compose file, the nginx web server should be reachable on http://localhost.
Edit the docker-compose file and add:
    volumes:
      - ./nginx/conf.d/:/etc/nginx/conf.d/:ro
      - ./certbot/www:/var/www/certbot/:ro
The first volume maps your local directory ./nginx/conf.d/ to the container's directory /etc/nginx/conf.d/; the other volume will be needed by certbot.
ro = read-only
In ./nginx/conf.d, add an nginx configuration file named default.conf:
server {
    listen 80;
    listen [::]:80;
    server_name example.org www.example.org;
    server_tokens off;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location / {
        return 301 https://example.org$request_uri;
    }
}
This tells nginx to listen on port 80 for the domain example.org. Replace example.org with your own domain name.
The configuration also makes nginx redirect every http request to https, except when the URL path is /.well-known/acme-challenge/, which certbot uses to validate the domain before issuing the certificate for the https configuration.
Once done, edit the docker compose file to define the certbot container:
  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./certbot/www/:/var/www/certbot/:rw
rw = read-write, so that certbot can write into /var/www/certbot.
Every file created there by certbot is mapped to the local directory ./certbot/www.
Run the container: docker compose up -d
To see the logs: docker compose logs -f
Test-run certbot with a dry run:
docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ --dry-run -d example.org
A successful response should give you this message:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for example.org
The dry run was successful.
Otherwise, a failure response would be:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems
...
Some challenges have failed.
If successful, Certbot creates the certificates under /etc/letsencrypt/ inside its container.
This folder must be mapped to a local directory.
Add the following entry under volumes in the certbot service of the docker compose file:
      - ./certbot/conf/:/etc/letsencrypt/:rw
Restart the containers and run certbot again without --dry-run:
$ docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d example.org
If this succeeds, certbot has generated the certificate files for https.
3/ Configuration
Certbot generates the https files under /etc/letsencrypt/ in its container, and nginx must be able to read them. The same local directory is therefore mounted in both containers:
Certbot (/etc/letsencrypt/) <-- LOCAL(./certbot/conf) --> Nginx(/etc/nginx/ssl)
Nginx definition:
  nginx:
    image: nginx:latest
    container_name: nginx
    restart: always
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./nginx/conf.d/:/etc/nginx/conf.d/:ro
      - ./certbot/www:/var/www/certbot/:ro
      - ./certbot/conf/:/etc/nginx/ssl/:ro
Certbot definition:
  certbot:
    container_name: certbot
    image: certbot/certbot
    volumes:
      - ./certbot/www:/var/www/certbot/:rw
      - ./certbot/conf/:/etc/letsencrypt/:rw
Edit the nginx configuration in ./nginx/conf.d/default.conf and add the https section:
server {
    listen 443 ssl;
    server_name example.org;  # put your own domain here
    ssl_certificate /etc/nginx/ssl/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/example.org/privkey.pem;
    location /thehive {
        proxy_pass http://thehive:9000/thehive;  # thehive is the hostname of the container that hosts TheHive
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        proxy_http_version 1.1;
    }
    location /cortex {
        proxy_pass http://cortex:9001/cortex;  # cortex is the hostname of the container that hosts Cortex
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        proxy_http_version 1.1;
    }
}
# Configuration for Tracecat below
server {
    listen 443 ssl;
    server_name tracecat.example.org;  # put your own domain here
    ssl_certificate /etc/nginx/ssl/live/tracecat.example.org/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/tracecat.example.org/privkey.pem;
    location / {
        proxy_pass http://ui:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        proxy_http_version 1.1;
    }
    location /api {
        rewrite ^/api/(.*)$ /$1 break;
        proxy_pass http://api:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        proxy_http_version 1.1;
    }
}
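The script below is an added example, not part of this article: it parses an nginx configuration with a minimal parser and checks the properties this setup relies on, for both the port-80 block (webroot location for /.well-known/acme-challenge/, everything else redirected to https) and the TLS blocks (server_tokens off, HSTS on every proxied location). The embedded config is a constructed, condensed copy of the article's default.conf; run on it, the check reports that the https server block does not repeat server_tokens off, so the nginx version is still exposed on port 443.

```python
import re

SAMPLE_CONF = """
# constructed sample, condensed from the article's default.conf (not the article's own file)
server {
    listen 80; listen [::]:80;
    server_name example.org www.example.org;
    server_tokens off;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://example.org$request_uri; }
}
server {
    listen 443 ssl;
    server_name example.org;
    location /cortex { proxy_pass http://cortex:9001/cortex; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; }
}
"""

def parse(text):
    # Minimal nginx-config parser: strips # comments, returns nested dicts of directives/blocks.
    tokens = re.findall(r'"[^"]*"|[;{}]|[^\s;{}]+', re.sub(r"#.*", "", text))
    root = {"name": "root", "args": [], "dirs": {}, "blocks": []}
    stack, cur = [root], []
    for tok in tokens:
        if tok == ";":  # end of a "name args..." directive
            stack[-1]["dirs"].setdefault(cur[0], []).append(cur[1:]); cur = []
        elif tok == "{":  # start of a "name args { ... }" block
            blk = {"name": cur[0], "args": cur[1:], "dirs": {}, "blocks": []}
            stack[-1]["blocks"].append(blk); stack.append(blk); cur = []
        elif tok == "}": stack.pop()
        else: cur.append(tok)
    return root

def lint(conf):
    # Yield one finding per deviation from what the article's setup relies on.
    for srv in (b for b in parse(conf)["blocks"] if b["name"] == "server"):
        d = srv["dirs"]; tag = " ".join(d.get("server_name", [["?"]])[0])
        locs = {" ".join(b["args"]): b["dirs"] for b in srv["blocks"] if b["name"] == "location"}
        if d.get("server_tokens") != [["off"]]:  # not inherited from the port-80 server block
            yield f"{tag}: server_tokens not off (version leaks in Server header)"
        if not any("ssl" in a for a in d.get("listen", [])):  # plain HTTP: ACME webroot + redirect only
            if "root" not in locs.get("/.well-known/acme-challenge/", {}):
                yield f"{tag}: no webroot location for the ACME challenge"
            ret = locs.get("/", {}).get("return", [[]])[0]
            if len(ret) < 2 or ret[0] != "301" or not ret[1].startswith("https://"):
                yield f"{tag}: location / does not redirect to https"
            continue
        for path, ld in locs.items():  # TLS server: every proxied location must send HSTS
            if "proxy_pass" in ld and not any(a[:1] == ["Strict-Transport-Security"] for a in ld.get("add_header", [])):
                yield f"{tag} {path}: no HSTS header"
```

Point lint() at the contents of your own ./nginx/conf.d/default.conf to check the file you actually deploy.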
If you ever need to add another web application behind the same nginx reverse proxy, append a server or location block for it to the same configuration file.
This concludes the Cortex & Certbot installation and configuration.