0

Compiling NGINX with — with-http_auth_request_module on Centos 7

While looking at SSO solutions I decided to investigate a bit more options how I could use Nginx with solutions like Okta to protect my resources. One of interesting ones was using authentication proxy with Nginx.

The afore functionality is available through use of http_auth_request_module. However this module is not compiled by default. This got me the idea that would be nice to exercise going step by step through compiling Nginx with auth module Centos 7.

Yes – I do know that there are solutions on the market/internet which would save me from this – however I value the learning process in this challenge as well 🙂 If you have interesting links to alternatives please leave them in the comment section.

Getting the sources

Our journey begins with getting the sources. I have tried following the official Nginx documentation but I find it …. somehow not up to the task. Hence there are some modifications or additions that I did to get this through 🙂

mkdir nginx-from-source && cd $_

Once we have our new folder we can download the pre-reqs

Here we are taking Nginx version 1.19.0 – please be sure to check whats the latest version before running the command

   wget https://ftp.pcre.org/pub/pcre/pcre-8.44.tar.gz
   wget http://zlib.net/zlib-1.2.11.tar.gz
   wget http://www.openssl.org/source/openssl-1.1.1g.tar.gz
   wget https://nginx.org/download/nginx-1.19.0.tar.gz
   tar zxf nginx-1.19.0.tar.gz

Compile PCRE

tar -zxf pcre-8.44.tar.gz
cd pcre-8.44
./configure
make
sudo make install

Compile ZLIB

tar -zxf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure
make
sudo make install

Compiling OpenSSL

OpenSSL deserves spot for bit more insights than just dry code. We will use never version than the one running on the box right now.

Pre-reqs

We will start off by installing required packages via yum and extracting the content of downloaded archive

yum group install 'Development Tools'
yum install perl-core zlib-devel -y
tar -xf openssl-1.1.1g.tar.gz 
cd openssl-1.1.1g

Configure & install OpenSSL

sudo ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib
sudo make
sudo make test
sudo make install

Configure shared libraries

Navigate to /etc/ld.so.conf.d and run the following

sudo echo "/usr/local/ssl/lib" >> /etc/ld.so.conf.d/openssl-1.1.1g.conf

ldconfig is used to create, update and remove symbolic links for the current shared libraries based on the lib directories present in the /etc/ld.so.conf

Reload with verbose

sudo ldconfig -v

Configure OpenSSL binary

Start with backing up the current OpenSSL

sudo mv /bin/openssl /bin/openssl.backup

Create script which will be executed on the system…

sudo vi /etc/profile.d/openssl.sh

… and set contents to

OPENSSL_PATH="/usr/local/ssl/bin"
export OPENSSL_PATH
PATH=$PATH:$OPENSSL_PATH
export PATH

Once done we need to make sure that the script is allowed to be executed

sudo chmod +x /etc/profile.d/openssl.sh

Next reload the profile to get the openSSL new binary with your PATH

source /etc/profile.d/openssl.sh

Verify openSSL version

 which openssl
 openssl version -a

If you reached this moment then we are ready to move on the next part 🙂

Compiling Nginx with extra modules

Create user under which the process will be running

useradd -s/sbin/nologin -d/usr/local/nginx -M nginx

Navigate to folder with nginx sources created during download of our pre-reqs and run the config command

./configure 
--user=nginx 
--group=nginx 
--error-log-path=/var/log/nginx/error.log 
--http-log-path=/var/log/nginx/access.log 
--sbin-path=/usr/local/nginx/nginx 
--pid-path=/usr/local/nginx/nginx.pid 
--with-pcre=../pcre-8.44 
--with-zlib=../zlib-1.2.11 
--with-http_auth_request_module 
--with-http_geoip_module 
--with-http_gzip_static_module 
--with-http_gunzip_module 
--with-http_realip_module 
--with-http_secure_link_module 
--with-http_slice_module 
--with-http_ssl_module 
--with-http_v2_module

The above compiles Nginx with extra modules. For a comprehensive list with detailed information about each of the extra modules please refer to official Nginx documentation.

Once the above command finishes run

  make
  make install

When the above process finishes you should have nginx installed in /usr/local/nginx

Initial configuration of Nginx

In order to use Nginx we need to configure it. Right now our system knows nothing about running it.

Run vi /etc/systemd/system/nginx.service and set the content to

[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/usr/local/nginx/nginx.pid
ExecStartPre=/usr/local/nginx/nginx -t
ExecStart=/usr/local/nginx/nginx
ExecReload=/usr/local/nginx/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target

Now when you run systemctl status nginx you should see our service available.

Go ahead and run it! Type systemctl start nginx

At this moment you should have Nginx running with extra modules compiled!

0

“Help me Cloudflare .. you are my only hope!”

With this catchy post title I would like to start series of short technical blog posts how Cloudflare solutions can help out in solving challenges in our IT world ( at least the ones I came across ).

If you have not heard the name before then go ahead and check cloudflare.com and to find answer what Cloudflare is exactly look at their blog post 🙂 Before I start I would like to also let you know that this website does run on Cloudflare 🙂 but not all scenarios covered will be touching this property 😛 ( for obvious reasons )

My plan for the coming week ( or two ) would be to show you test case scenarios of the following :

 

With this cloud swiss army knife tool we should be able to build several case scenarios where we will see how using them can address our challenges. Now what is really cool about all of those – it is completely API driven … which means we would also get a chance to play around with “no-gui” … so the essence we all engineers like so much 🙂

 

Subscribe to not miss out on posts coming your way with all the goodies!

 

If there are some use case scenarios you would have and would like to see please leave your ideas in comments ( BTW – comments are moderated 🙂 )

0

HAproxy – securing Piwik stats

So today we will be discussing how to secure Piwik stats with help of HAproxy. I didn’t find direct articles relating to how to do that so google and quick tests were my companions for this 🙂

So Piwik is quite cool project for getting your statistics. I have created a simple docker container out of it ( available on DockerHub ) and now run it on my server. Looking at documentation I wanted to have it secured so I have found the following quote :

” Use .htaccess to restrict access to a few files only, and to restrict by defined IP address.
For those running an Apache web server, it should be easy to use .htaccess (Apache’s Access Control List) files to restrict entry to Piwik. For example, when you restrict access to files, you will need to allow external access to the piwik.php and piwik.js files, as well as to the URL index.php?module=CoreAdminHome&action=optOut (for the opt-out iframe).”

 

So what I have done – was creating simple ACL for piwik ( yep – you can have the same name of ACLs 🙂 ) called piwik_stats and used it when deciding for backend so backend would be accessible only if coming from whitelisted IP address or only when using whitelisted parts of URL 🙂

    # Whitelist : MyHome
    acl net_whitelist_myhome  src -f /etc/haproxy/myhome

    # Piwik stats security
    acl piwik_stats  url  /index.php?module=CoreAdminHome&action=optOut
    acl piwik_stats  path /piwik.php
    acl piwik_stats  path /piwik.js

    use_backend stats_piwik  if domain_stats.example_com piwik_stats or net_whitelist_myhome

 

Now I know there are probably better ways to do that- if you have one – share your comments / thoughts.

 

Enjoy 🙂

 

 

0

HAproxy – SSL domains in crt-list

I think for those using high throughput to load balancers will know HAproxy immediately. If HAproxy is something new to you – I highly recommend to scatter around and get your self familiar with this great product. I use it personally and as well recommend it ( if the requirements match ) to my customers. I thought I will create separate category especially for this awesome piece of art and will share with you some of my challenges and discoveries I came across with.

So today I will start with the fact that HAproxy supports SNI and that you can have multiple certificates assigned. If you look at internet ( or even at the documentation ) you will see its common to use syntax like :

frontend https-in
    bind *:443 ssl crt /etc/ssl/server1.pem crt /etc/ssl/server2.pem
    
    http-request set-header X-Forwarded-Proto https 
    
    default_backend application-backend

 

What you can see here is that we are specifying certificates ( detailed way of HApoxy handles this can be found under link ) .  However I have been recently using crt-list which allows me to specify certificates for domains ( and also do filtering within that file ) .

File looks as easy as (basic no filtering ) :

/etc/ssl/web/domain1.net.pem domain1.net
/etc/ssl/web/domain2.net.pem domain2.net

 

From there in my config I use the following :

#  _____                    _                    _
# |  ___|_ __  ___   _ __  | |_  ___  _ __    __| | ___
# | |_  | '__|/ _ \ | '_ \ | __|/ _ \| '_ \  / _` |/ __|
# |  _| | |  | (_) || | | || |_|  __/| | | || (_| |\__ \
# |_|   |_|   \___/ |_| |_| \__|\___||_| |_| \__,_||___/


frontend http-in
    bind 0.0.0.0:80
    redirect scheme https code 301 if !{ ssl_fc }


frontend https-in
    bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt

    http-request set-header X-Forwarded-Proto https if { ssl_fc }

 

And thats how easy it is. In coming posts I will try to publish more interesting information abut HAproxy.