
  • html5 ssh gate with nginx as a reverse proxy

    The objective of this thread is to explain how to set up an SSH gate for your private network, so that you can connect to it through your browser over HTTPS using HTML5.

    We will also use nginx as a reverse proxy to avoid exposing the gate directly on the Internet. Authentication will be handled by nginx.

     

    I will detail how to do it using a Raspberry Pi.

     

  • Nginx - config example with PAM/LDAP auth

      

    config nginx.conf:

    # Account the worker processes run under (an unprivileged system user).
    user www-data;
    worker_processes 4;
    pid /var/run/nginx.pid;
     
    events {
    	# Maximum simultaneous connections per worker process.
    	worker_connections 768;
    	# multi_accept on;
    }
     
    http {
     
    	##
    	# Basic Settings
    	##
     
    	sendfile on;
    	tcp_nopush on;
    	tcp_nodelay on;
    	keepalive_timeout 65;
    	types_hash_max_size 2048;
    	# server_tokens off;
    	# NOTE(review): server_tokens is left at its default above, so the Server
    	# header and built-in error pages disclose the nginx version; on an
    	# Internet-facing proxy it is worth enabling `server_tokens off;`.
     
    	# server_names_hash_bucket_size 64;
    	# server_name_in_redirect off;
     
    	include /etc/nginx/mime.types;
    	default_type application/octet-stream;
     
    	##
    	# Logging Settings
    	##
     
    	# Access and error logs go to the default Debian paths; the virtual host
    	# configs below are included from the separate /apps prefix.
    	access_log /var/log/nginx/access.log;
    	error_log /var/log/nginx/error.log;
     
    	##
    	# Gzip Settings
    	##
     
    	gzip on;
    	gzip_disable "msie6";
     
    	# gzip_vary on;
    	# gzip_proxied any;
    	# gzip_comp_level 6;
    	# gzip_buffers 16 8k;
    	# gzip_http_version 1.1;
    	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
     
    	##
    	# nginx-naxsi config
    	##
    	# Uncomment it if you installed nginx-naxsi
    	##
     
    	#include /etc/nginx/naxsi_core.rules;
     
    	##
    	# nginx-passenger config
    	##
    	# Uncomment it if you installed nginx-passenger
    	##
    	
    	#passenger_root /usr;
    	#passenger_ruby /usr/bin/ruby;
     
    	##
    	# Virtual Host Configs
    	##
     
    	# Note the non-default /apps/etc/nginx prefix: the site config shown
    	# below must be placed (or symlinked) under this sites-enabled directory,
    	# not under /etc/nginx, or it will never be loaded.
    	include /apps/etc/nginx/conf.d/*.conf;
    	include /apps/etc/nginx/sites-enabled/*;
    }

    Config example for sites-available:

    # Plain-HTTP listener: it exists only to send every request to the HTTPS
    # host below with a permanent redirect, preserving the original URI.
    server {
    	listen   80; ## listen for ipv4; this line is default and implied
    	#listen   [::]:80 default_server ipv6only=on; ## listen for ipv6
    	# Make site accessible from http://localhost/
    	server_name shinken shinken.soc.xxxx.fr;
    	return 301 https://shinken.soc.xxxx.fr$request_uri;
    }
    # HTTPS front end: terminates TLS, authenticates every request through PAM,
    # then proxies to the application listening on localhost:7767.
    server {
    	listen 443 ssl; ## TLS listener for ipv4
    	#listen   [::]:80 default_server ipv6only=on; ## listen for ipv6
    	# Make site accessible from http://localhost/
    	server_name shinken shinken.soc.xxxx.fr;
     
    	# NOTE(review): no ssl_protocols / ssl_ciphers are set, so the nginx
    	# build defaults apply; check them against current guidance before
    	# exposing this on the Internet.
    	ssl_certificate /apps/ssl/shinken.chained.crt;
    	ssl_certificate_key /apps/ssl/shinken.key;
     
    	#auth ldap through pam
    	# Set at server level, so it should be inherited by every location below
    	# (proxied app, static files and the error page) - verify with an
    	# unauthenticated request. The service name must match the file in
    	# /etc/pam.d shown further down (admin_nginx).
    	auth_pam        "Admin Zone";
    	auth_pam_service_name "admin_nginx";
     
     
    	# Proxy
    	location / {
    		# Backend is bound to localhost only; nginx is the sole entry point.
    		proxy_pass http://localhost:7767;
    		include proxy_params;
    	}
    	
    	# Serve static content directly
    	# NOTE(review): without a `~` modifier this is a prefix location, so
    	# `(.*\/)?` is matched literally and `$1` is not a capture; confirm
    	# whether `location ~ ^/static/(.*\/)?` was intended.
    	# The relative try_files paths resolve against a root that is not set in
    	# this location - presumably the default root applies; verify.
    	location /static/(.*\/)? {
    		try_files htdocs/$uri plugins/$1/htdocs/$uri @webui;
    	}
     
    	# Fallback for the static location above.
    	location @webui {
    		root /var/lib/shinken/modules/webui/;
    	}
     
     
     
    	# deny access to .htaccess files, if Apache's document root
    	# concurs with nginx's one
    	#
    	location ~ /\.ht {
    		deny all;
    	}
     
    	# Custom page for backend/proxy failures (e.g. when localhost:7767 is down).
    	error_page 500 502 503 504 /50x.html;
    	location = /50x.html {
    		root /usr/share/nginx/www;
    	}
     
    }

    pam.d:

    lagarjoc@sauron01:/etc/pam.d$ cat admin_nginx 
    # Authenticate the credentials nginx passes in against LDAP.
    auth	required	/lib/x86_64-linux-gnu/security/pam_ldap.so
    # Then only allow users that belong to a group listed in admin.groups.allow;
    # onerr=fail means an unreadable or missing list file denies access
    # rather than letting everyone through.
    auth	required	/lib/x86_64-linux-gnu/security/pam_listfile.so onerr=fail item=group sense=allow file=/common/admin.groups.allow
    # Account validity (e.g. expired/locked accounts) is also checked in LDAP.
    account	required	/lib/x86_64-linux-gnu/security/pam_ldap.so
    

     

  • ssh over ssl part 1 : server side

    1. Introduction

    This tutorial is meant to let you test how to do SSH over a standard HTTPS SSL/TLS connection (at least for the CONNECT). The objective is to understand how it works and to let you build a POC if you want to. I am not responsible for the purpose you use it for. Most of this tutorial was made possible thanks to the hard work of blog.chmd.fr.

    This tutorial is definitely doable on a Raspberry Pi.

     Do not hesitate to leave me a comment if you have questions.