CUWB 3.3 (Bernoulli)
CUWB Manager NGINX Config

Introduction

NGINX is a free, open-source HTTP server and reverse proxy known for its performance, stability, rich feature set, simple configuration, and low resource consumption.

NGINX can be used to customize how the CUWB Manager is hosted. In this application note, NGINX serves CUWB Manager over HTTPS on the default port (443) and requires authentication before the service can be reached. The example uses a self-signed certificate.

Related NGINX topics such as hostname support, redirecting HTTP to HTTPS, and using a certificate from a certificate authority are well covered elsewhere on the Internet and are not repeated here.

Install NGINX

sudo apt install nginx
sudo rm /etc/nginx/sites-enabled/default   # the default site serves NGINX's welcome page, unauthenticated, on port 80

Create Authorized Users

NGINX, like Apache, can use an htpasswd file to control access to the CUWB Manager path. The simplest way to create one is with the htpasswd tool from the apache2-utils package. NGINX's worker processes (www-data on Debian/Ubuntu) read the file at request time, so once it exists make it readable only by root and that group (chown root:www-data, chmod 640); users added later take effect without a restart.

sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/cuwb.htpasswd user1   # -c creates the file (and overwrites an existing one); omit it for every later user
sudo htpasswd /etc/nginx/cuwb.htpasswd user2
sudo nginx -t -c /etc/nginx/nginx.conf
sudo systemctl restart nginx

Add HTTPS

Basic authentication does little good if the credentials cross the wire in plaintext, so HTTPS is required. We create a self-signed certificate here; if the host is reachable from the Internet you can instead obtain a certificate from a trusted certificate authority (see Let’s Encrypt). Browsers will warn about a self-signed certificate until it is imported into their trust store, and the certificate generated below expires after 365 days.

Generate a Self-Signed Certificate

sudo apt install openssl
openssl req -newkey rsa:2048 -nodes -keyout domain.key -x509 -days 365 -out domain.crt   # prompts for the subject fields; -nodes leaves the key unencrypted so NGINX can start unattended
sudo mv domain.crt /etc/ssl/certs/cuwb-manager.crt
sudo mv domain.key /etc/ssl/private/cuwb-manager.key
sudo chown root:root /etc/ssl/certs/cuwb-manager.crt /etc/ssl/private/cuwb-manager.key
sudo chmod 644 /etc/ssl/certs/cuwb-manager.crt       # the certificate is public
sudo chmod 600 /etc/ssl/private/cuwb-manager.key     # the private key must not be readable by other users
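The script below is an added example and is not part of the Ciholas application note. It generates the self-signed certificate with a subjectAltName (modern browsers ignore the CN alone when deciding whether an imported certificate matches the host) and creates the private key owner-only from the start rather than fixing permissions afterwards. It assumes OpenSSL 1.1.1 or newer (for -addext); the DNS name, the 365-day lifetime and the script name cuwb-cert.sh are placeholders.

```shell
#!/bin/sh
# Added example (not from the Ciholas note): self-signed certificate with a
# SAN entry, private key created 0600, and a permission check for the key.
# Assumes OpenSSL >= 1.1.1 for -addext. Hostname and lifetime are placeholders.
set -eu

gen_self_signed() {
  # $1: DNS name clients will use for the Manager; $2: output directory
  name="$1"; dir="$2"
  mkdir -p "$dir"
  ( umask 077   # subshell: the key file is born 0600 instead of being chmod'ed later
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
      -keyout "$dir/cuwb-manager.key" -out "$dir/cuwb-manager.crt" )
  chmod 644 "$dir/cuwb-manager.crt"   # the certificate is public; the key is not
}

# Returns 0 if the file is readable by its owner only (mode 0600 or 0400).
key_mode_ok() {
  mode=$(stat -c %a "$1")
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

if [ "${1:-}" = "install" ]; then
  work=$(mktemp -d)
  gen_self_signed "$(hostname)" "$work"
  key_mode_ok "$work/cuwb-manager.key"
  # install(1) copies and sets owner/mode in one step, so the key never sits
  # in /etc/ssl/private with a looser mode than intended.
  sudo install -o root -g root -m 644 "$work/cuwb-manager.crt" /etc/ssl/certs/cuwb-manager.crt
  sudo install -o root -g root -m 600 "$work/cuwb-manager.key" /etc/ssl/private/cuwb-manager.key
  rm -rf "$work"
fi
```

Run it as `sh cuwb-cert.sh install` on the Manager host. Clients that import cuwb-manager.crt will then accept the connection only for the name given in the SAN, so use the hostname (or address) they actually type into the browser.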

Configure cuwb-manager.conf File

We are almost done. Now edit the CUWB Manager NGINX configuration file with nano (or your preferred editor):

sudo nano /etc/nginx/sites-available/cuwb-manager.conf

/etc/nginx/sites-available/cuwb-manager.conf contents:

upstream socketio {
  server  127.0.0.1:17111;
}

server {
  listen 443 ssl;
  server_name $hostname;
  ssl_certificate /etc/ssl/certs/cuwb-manager.crt;
  ssl_certificate_key /etc/ssl/private/cuwb-manager.key;
  access_log /var/log/nginx/cuwb-manager.access.log;
  error_log /var/log/nginx/cuwb-manager.error.log;
  # At server level, basic auth covers every location below, including the WebSocket upgrade on /socket.io/.
  auth_basic "Restricted Area";
  auth_basic_user_file /etc/nginx/cuwb.htpasswd;

  location /manager/ {
    # Strip the /manager prefix before handing the request to CUWB Manager.
    rewrite ^/manager(/.*)$ $1 break;
    # 127.0.0.1 rather than localhost, so NGINX does not also try ::1 if the Manager only binds IPv4.
    proxy_pass http://127.0.0.1:5000/;
  }

  location /socket.io/ {
    proxy_pass http://socketio;
    proxy_redirect off;

    # WebSocket upgrade requires HTTP/1.1 and the Upgrade/Connection headers passed through.
    proxy_http_version  1.1;

    proxy_set_header    Upgrade     $http_upgrade;
    proxy_set_header    Connection  "upgrade";

    proxy_set_header    Host        $host;
    proxy_set_header    X-Real-IP   $remote_addr;
    proxy_set_header    X-Forwarded-For         $proxy_add_x_forwarded_for;
  }
}
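The script below is an added example, not the Ciholas application note's own configuration. It writes a hardened variant of the cuwb-manager.conf above, keeping the note's certificate, key, log and htpasswd paths and its upstream ports. The HTTP-to-HTTPS redirect server, the TLS version restriction, the response headers, the X-Forwarded-* headers on /manager/ and the catch-all 404 location are this example's additions; the HSTS header is left commented out because it commits browsers to HTTPS for the whole hostname. The script name cuwb-nginx.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the Ciholas note): hardened cuwb-manager.conf.
# Paths, ports and the htpasswd file match the note; everything else is new.
set -eu

write_cuwb_conf() {
  # $1: destination path (e.g. /etc/nginx/sites-available/cuwb-manager.conf)
  cat > "$1" <<'EOF'
upstream socketio {
  server 127.0.0.1:17111;
}

# Send plain-HTTP visitors to HTTPS instead of leaving port 80 silent.
server {
  listen 80;
  server_name $hostname;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name $hostname;
  server_tokens off;                     # hide the NGINX version in headers and error pages

  ssl_certificate     /etc/ssl/certs/cuwb-manager.crt;
  ssl_certificate_key /etc/ssl/private/cuwb-manager.key;
  ssl_protocols       TLSv1.2 TLSv1.3;   # refuse TLS 1.0/1.1
  ssl_session_cache   shared:cuwb:10m;

  access_log /var/log/nginx/cuwb-manager.access.log;
  error_log  /var/log/nginx/cuwb-manager.error.log;

  # Server-level basic auth applies to every location, including /socket.io/.
  auth_basic           "Restricted Area";
  auth_basic_user_file /etc/nginx/cuwb.htpasswd;

  add_header X-Content-Type-Options nosniff always;
  add_header X-Frame-Options SAMEORIGIN always;
  # Enable only once everything on this hostname is served over HTTPS:
  # add_header Strict-Transport-Security "max-age=31536000" always;

  location /manager/ {
    rewrite ^/manager(/.*)$ $1 break;
    proxy_pass http://127.0.0.1:5000/;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;   # tells the Manager the client used TLS
  }

  location /socket.io/ {
    proxy_pass http://socketio;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }

  # Anything else, including /, gets 404 instead of NGINX's built-in default root.
  location / {
    return 404;
  }
}
EOF
}

syntax_check() {
  # Use NGINX's own parser when it is installed; skip quietly elsewhere.
  if command -v nginx >/dev/null 2>&1; then
    sudo nginx -t
  else
    echo "nginx not installed here; skipping nginx -t" >&2
  fi
}

if [ "${1:-}" = "install" ]; then
  write_cuwb_conf /etc/nginx/sites-available/cuwb-manager.conf
  syntax_check
fi
```

Run `sh cuwb-nginx.sh install` as a user with sudo, then enable and restart as in the final section. Because the heredoc is quoted, the nginx variables ($hostname, $host, $http_upgrade) reach the file literally rather than being expanded by the shell.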

Enable CUWB Manager site

Lastly, enable the new configuration, test it for syntax errors, and restart NGINX:

sudo ln -s /etc/nginx/sites-available/cuwb-manager.conf /etc/nginx/sites-enabled/cuwb-manager.conf
sudo nginx -t -c /etc/nginx/nginx.conf
sudo systemctl restart nginx

Done!

You should now be able to reach CUWB Manager over HTTPS at /manager/ on your chosen host. The path can be changed in cuwb-manager.conf; adjust it on both the location line and the rewrite line. The second command at the start of this note removed the default site, which would otherwise have served NGINX's welcome page unauthenticated on port 80. Note that the server block above has no root or catch-all location of its own, so a request for / still falls through to NGINX's built-in default document root (/usr/share/nginx/html on Debian/Ubuntu), behind the same authentication prompt. Whether to put a landing page with links to CUWB Manager and other intranet services at the root path is up to you.

Note: CUWB Manager itself still listens on port 5000 over plain HTTP, and the socket.io service on port 17111; if those ports are bound on a non-loopback address, anything that reaches them directly bypasses both TLS and the authentication configured here. If security is a concern, set up a firewall that allows them from localhost only.
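The script below is an added example and not part of the Ciholas note. It does two things: it writes an nftables ruleset that keeps ports 5000 and 17111 reachable from the local host only (loopback traffic is accepted before the drop rule, so NGINX's proxy_pass to 127.0.0.1 keeps working), and it provides a check that reads `ss -Hltn` output and lists which of those ports are still listening on a non-loopback address. It assumes no other machine needs to reach 5000 or 17111 directly and leaves the host's existing input policy untouched (the table only adds drops); the file name cuwb.nft and the sample `ss` lines used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the Ciholas note): restrict the Manager's plain-HTTP
# port 5000 and the socket.io port 17111 to loopback, and audit which watched
# ports are still exposed. Assumes nothing off-host needs those ports directly.
set -eu

write_nft_rules() {
  # $1: destination file, later loaded with: sudo nft -f "$1"
  cat > "$1" <<'EOF'
table inet cuwb_filter {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lo" accept                  # NGINX -> 127.0.0.1:5000 / :17111 stays allowed
    tcp dport { 5000, 17111 } drop       # everyone else must come through NGINX on 443
  }
}
EOF
}

# Reads `ss -Hltn` lines on stdin and prints each watched port (space-separated
# list in $1) that listens on something other than 127.0.0.1 / [::1].
# A header line or unrelated sockets are ignored because their port is not watched.
exposed_ports() {
  awk -v watch="$1" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    {
      n = split($4, parts, ":")                     # field 4 is Local Address:Port
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (want[port] && addr != "127.0.0.1" && addr != "[::1]") seen[port] = 1
    }
    END { for (p in seen) print p }' | sort -n
}

case "${1:-}" in
  rules) write_nft_rules cuwb.nft ;;          # then: sudo nft -c -f cuwb.nft && sudo nft -f cuwb.nft
  audit) ss -Hltn | exposed_ports "5000 17111" ;;
esac
```

Check the ruleset with `nft -c -f cuwb.nft` before loading it, and include it from /etc/nftables.conf so the nftables service reapplies it at boot. Given constructed lines such as `LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*` and `LISTEN 0 128 127.0.0.1:17111 0.0.0.0:*`, the audit reports 5000 and not 17111; an empty result after loading the rules only means the sockets are still bound everywhere, which is expected, since the filter, not the bind address, is what now limits access. If the host already uses ufw, `ufw deny 5000/tcp` and `ufw deny 17111/tcp` have the same effect, because ufw accepts loopback traffic by default.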