Partial HTTPS, partial HTTP Nginx deployment


Large sites generally run many sets of web servers and application servers: a user request may pass through Varnish, HAProxy and Nginx before it reaches the application server, with several layers in between. The typical small or medium deployment is the two-layer Nginx + Tomcat/JBoss setup, with more than one Tomcat or JBoss instance behind Nginx, and Nginx serving static files and doing the load balancing. The following focuses on an nginx + JBoss + SSL setup in which part of the site's pages are HTTPS and the rest are HTTP.

If Nginx is the front-end proxy, Tomcat/JBoss does not need to handle HTTPS itself; Nginx can do all of it. (Nginx and Tomcat/JBoss are usually on the same LAN and the security of that hop is ignored here; encrypted transmission between nginx and JBoss is covered at the end of this article.) The user first connects to Nginx and completes the SSL handshake. Nginx then forwards the request to Tomcat over plain HTTP as a proxy, encrypts the output of Tomcat/JBoss and sends it back to the user over SSL. This is transparent to the application: Tomcat/JBoss only ever processes HTTP requests. So in this case there is no need to configure SSL on Tomcat, only SSL and proxying on Nginx.

SSL consumes more CPU than plain HTTP (mainly in the connection establishment phase, but also for encrypting the content afterwards), so for a typical site only part of the content needs to be placed under HTTPS; most of it does not need it. How much depends on your business requirements. For many sites with low security requirements, having no HTTPS at all is acceptable. (That trade-off reflects the hardware of the time; the per-connection cost has since fallen considerably, and site-wide HTTPS is now the common default.)


Should a page support both HTTP and HTTPS, only HTTPS, or force HTTPS?


Supporting both means the user can access the page with either protocol. Which one is actually used is then mostly determined by the links on the pages themselves, because users rarely edit the address bar by hand.

In general a site can be made to support both HTTP and HTTPS, so that either works. But this easily leads to the mixed content or mixed script problem discussed below.

When planning for only part of the site to support HTTPS, the general public pages go without HTTPS and only some local links point to HTTPS. For pages that are specifically expected to be accessed over HTTPS, referencing them by absolute URL makes the use of an HTTPS link explicit.

Should HTTPS be forced? For high-security sites or pages, access can be forced to HTTPS: even if the user manually changes https to http in the address bar, they are automatically redirected back to HTTPS. For example, an HTTP URL can be redirected to the corresponding HTTPS URL by a rewrite rule in the web server (this is easy to maintain and requires no change to the application). A Strict-Transport-Security response header additionally makes the browser itself rewrite future http:// requests for the host to https:// before they leave the machine.


Solving the mixed content problem (HTTP and HTTPS)


Mixed content means that an HTTPS page contains requests for non-HTTPS resources such as images, CSS, JS, etc. If the non-HTTPS resource is JS code, this is called mixed script.

The harm of mixed content: if only insecure images and CSS are mixed in, a man-in-the-middle can tamper with them, but that generally only affects how the page displays, so the harm is relatively small. If insecure JS code is mixed in, that JS can read and modify any content on the page, which is very dangerous.

Therefore the browser only considers the page secure if the page itself and all the resources it references are HTTPS. As soon as an insecure resource is referenced (even an image), the browser shows a not-secure warning, and in the case of JS it blocks the resource outright. If the browser does not regard the page as secure, we have not achieved the original purpose. A lot of effort went into obtaining an SSL certificate and configuring the web server; it would be a shame to waste all of it because of mixed content.

In theory, mixing in third-party content is not ideal even when the third party serves it over SSL. The user trusts you, not the third party; even if the third party supports HTTPS, can you guarantee that the third party is absolutely secure? Not referencing any third party at all would be absolutely safe, but that is too strict. Security is a trade-off and many aspects have to be balanced. (For third-party scripts, a Subresource Integrity hash on the script tag at least pins the exact content you reviewed.)
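The check described above, as an added example that is not part of the original article: a small scanner that takes the HTML of a page served over HTTPS, resolves every subresource reference the way the browser would, and reports which ones would be fetched over plain HTTP, separating mixed script from mixed display content. The sample login page at the bottom is constructed to show the mistakes the article describes (absolute http:// links to the login page's CSS, JS and GIF); the host names are the article's placeholders.

```python
"""Mixed-content scanner for an HTML page served over HTTPS.
Added example, not code from the article; SAMPLE_PAGE is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> (attribute that loads the subresource, kind). "script" means the
# resource can run code in the page; "display" means it only affects rendering.
SUBRESOURCES = {
    "script": ("src", "script"), "iframe": ("src", "script"),
    "object": ("data", "script"), "embed": ("src", "script"),
    "img": ("src", "display"), "link": ("href", "display"),
    "video": ("src", "display"), "audio": ("src", "display"),
}


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        spec = SUBRESOURCES.get(tag)
        if spec is None:
            return
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return                  # only stylesheets are fetched and rendered
        src = a.get(spec[0])
        if not src:
            return
        # Relative ("/css/x.css") and protocol-relative ("//host/x.js")
        # references inherit the page's scheme, so they are fine on HTTPS.
        url = urljoin(self.page_url, src.strip())
        scheme = urlsplit(url).scheme
        if scheme in ("https", "data"):
            return                  # data: URIs involve no network fetch
        self.findings.append((spec[1], tag, url))


def find_mixed_content(page_url, html):
    """Return [(kind, tag, url)] for every subresource not loaded over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []                   # only an HTTPS page can have mixed content
    c = _Collector(page_url)
    c.feed(html)
    return c.findings


def verdict(findings):
    """'mixed script' beats 'mixed display'; no findings means 'clean'."""
    kinds = {k for k, _, _ in findings}
    if "script" in kinds:
        return "mixed script"
    return "mixed display" if kinds else "clean"


# Constructed page: the back end emitted absolute http:// URLs for the login
# page's own CSS, JS and GIF, while the other references are harmless.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.AAA.com/css/login.css">
<script src="http://www.AAA.com/js/login.js"></script>
<script src="//www.AAA.com/js/jquery.js"></script>
<link rel="stylesheet" href="/css/common.css">
</head><body>
<img src="http://www.AAA.com/img/logo.gif">
<img src="https://www.AAA.com/img/ok.gif">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""

if __name__ == "__main__":
    found = find_mixed_content("https://www.BBB.com/login.htm", SAMPLE_PAGE)
    for kind, tag, url in found:
        print(f"{kind:8} <{tag}> {url}")
    print("verdict:", verdict(found))
```

Run against the HTML the browser actually received (view-source of the HTTPS page), not the template, because it is the absolute http:// URLs generated by the back end that cause the problem.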

Chrome blocking a mixed script:

[Screenshot not preserved in this copy]

Chrome's indicator for mixed display content:

[Screenshot not preserved in this copy]


When Chrome blocks mixed script execution the original page is affected, because the browser refuses to load the mixed content. If the Chrome UI indicates that a site contains mixed content, the Chrome developer tools can be used to locate it: the useful information is usually recorded in the JavaScript console (Chrome menu -> JavaScript console). Once the non-HTTPS content is delivered over HTTPS instead, the warning disappears; this is shown later in the configuration.

Other browsers (such as IE9 or Firefox 4) show a confirmation dialog asking whether to display the mixed content.


Detailed Nginx + JBoss + HTTP/HTTPS configuration


1. Example nginx.conf

    http {

        upstream cluster {
            server 172.18.0.33:80    weight=1;
            server 172.18.0.101:8088 weight=5;
        }

        upstream clusterssl {
            server 172.18.0.33:8443  weight=1;
            server 172.18.0.101:8443 weight=5;
        }

        # Plain HTTP server: everything is proxied over HTTP except the login
        # page and its static resources, which are redirected to the HTTPS server.
        # Regex locations are matched before the prefix "location /" fallback,
        # which is why the two rules below win over it.
        server {
            listen 80;
            server_name www.AAA.com;

            location / {
                proxy_pass http://cluster;
                index index.htm;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_connect_timeout 10;
                proxy_read_timeout 120;
            }

            # The login page must be served over HTTPS. The redirect target has to
            # name the HTTPS server: a rewrite whose replacement is just $1 would
            # redirect the URL to itself and loop.
            location ~* /login\.htm$ {
                # When AAA and BBB are the same host, $host can be used instead:
                # rewrite ^(.*) https://$host$1 permanent;
                rewrite ^(.*) https://www.BBB.com$1 permanent;
            }

            # Static resources referenced by the login page go to HTTPS as well,
            # otherwise the login page has mixed content.
            location ~ \.(css|js|gif)$ {
                # rewrite ^(.*) https://$host$1 permanent;
                rewrite ^(.*) https://www.BBB.com$1 permanent;
            }
        }

        # HTTPS server
        server {
            listen 443 ssl;        # "ssl on;" is deprecated; the listen parameter replaces it
            server_name www.BBB.com;

            ssl_certificate server.pem;
            ssl_certificate_key server.key;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 5m;
            # The original listed SSLv3 and TLSv1; SSLv3 is broken (POODLE) and
            # TLS 1.0/1.1 are deprecated, so only TLS 1.2 and 1.3 are enabled.
            ssl_protocols TLSv1.2 TLSv1.3;
            # The original cipher list included RC4, which is no longer considered safe.
            ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
            ssl_prefer_server_ciphers on;

            # Everything except the login page and its resources goes back to HTTP.
            location / {
                rewrite ^(.*) http://www.AAA.com$1 permanent;
            }

            location ~* /login\.htm$ {
                proxy_pass http://cluster;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
            }

            location ~ \.(css|js|gif)$ {
                proxy_pass http://cluster;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
            }
        }
    }

First, the user visits http://www.AAA.com and lands on the home page. When they click the login link, the request for http://www.AAA.com/login.htm hits the following configuration on port 80:

    location ~* /login\.htm$ {
        # When AAA and BBB are the same host, $host can be used instead of a literal:
        # rewrite ^(.*) https://$host$1 permanent;
        rewrite ^(.*) https://www.BBB.com$1 permanent;
    }

The rewrite redirects the URL to port 443, where the proxy configuration for port 443

    proxy_pass http://cluster;

passes the HTTPS request on to the back-end JBoss application server over plain HTTP. Because the HTTPS state would otherwise persist, the pages the user navigates to after logging in would stay on HTTPS unless they are forced back to HTTP, so the following is configured on port 443:

    location / {
        rewrite ^(.*) http://www.AAA.com$1 permanent;
    }

Under HTTPS, every link other than login.htm thus goes back to the HTTP protocol. A practitioner should note what this implies: the session established by the login is then carried over plain HTTP, so the session cookie is exposed on the network; that is part of the trade-off this partial-HTTPS design accepts.

The CSS, JS, GIF and other resources embedded in the login page are emitted by the back-end JBoss in HTTP form (JBoss sees a plain HTTP request and generates http:// resource URLs), so login.htm has mixed content. The browser considers it insecure and does not load those resources, the page layout breaks, and so on. Chrome's prompt is as follows:

[Screenshot of the Chrome mixed content warning, not preserved in this copy]

Opening the Chrome menu -> JavaScript console shows the following information:

[Screenshot of the Chrome JavaScript console messages, not preserved in this copy]

IE9 shows the following:

[Screenshot of the IE9 mixed content dialog, not preserved in this copy]




Adding the following configuration on port 80:

    location ~ \.(css|js|gif)$ {
        # rewrite ^(.*) https://$host$1 permanent;
        rewrite ^(.*) https://www.BBB.com$1 permanent;
    }

and the following on port 443:

    location ~ \.(css|js|gif)$ {
        proxy_pass http://cluster;
    }

solves the mixed content problem on the login page: the http:// resource links are redirected to HTTPS and then served through the HTTPS server.

Now there is another problem. With the configuration above, the CSS, JS and GIF files of all the other, non-login pages also go over HTTPS, which hurts efficiency, and the HTTP pages end up embedding HTTPS content. The solution is to place the login page's resources under a path of their own that the location match can distinguish, so that only the CSS, JS and GIF under that path are sent to HTTPS, while resources under other paths stay on HTTP.
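A way to check a rule set like the one above before deploying it, as an added example that is not part of the original article: the redirect and proxy rules of both servers are modelled as tables in nginx evaluation order, and a browser-style follower walks the redirects for a given URL until it reaches an upstream, raising if the rules send it in a circle. It goes slightly beyond the text by encoding the improved layout (only assets under an assumed /login/ path are forced to HTTPS) and by including a deliberately broken table that redirects a URL to itself, which is what a rewrite with a bare $1 replacement does. Host names are the article's placeholders; the /login/ asset path and the rule tables are assumptions.

```python
"""Model of the partial-HTTPS routing rules, used to check for redirect loops.
Added example, not configuration or code from the original post."""
import re

HTTP_HOST = "www.AAA.com"   # the port-80 server_name in the article
HTTPS_HOST = "www.BBB.com"  # the port-443 server_name in the article

# Each table lists (regex, action, target) in the order nginx tries regex
# locations; the empty pattern stands in for the prefix "location /" fallback.
# Assumed layout: only the login page and assets under /login/ are forced to
# HTTPS, so assets of ordinary pages stay on HTTP.
HTTP_RULES = [
    (re.compile(r"/login\.htm$", re.I), "redirect", "https"),
    (re.compile(r"^/login/.*\.(css|js|gif)$"), "redirect", "https"),
    (re.compile(r""), "proxy", "http://cluster"),
]
HTTPS_RULES = [
    (re.compile(r"/login\.htm$", re.I), "proxy", "http://cluster"),
    (re.compile(r"^/login/.*\.(css|js|gif)$"), "proxy", "http://cluster"),
    (re.compile(r""), "redirect", "http"),
]
# The pitfall: a redirect that keeps scheme and host, i.e. sends the
# client back to the URL it just asked for.
LOOPING_HTTP_RULES = [
    (re.compile(r"/login\.htm$", re.I), "redirect", "http"),
    (re.compile(r""), "proxy", "http://cluster"),
]


def route(scheme, path, tables=(HTTP_RULES, HTTPS_RULES)):
    """Apply the table for the scheme; return ("proxy", upstream) or ("redirect", url)."""
    rules = tables[1] if scheme == "https" else tables[0]
    for pattern, action, target in rules:
        if pattern.search(path):
            if action == "proxy":
                return "proxy", target
            host = HTTPS_HOST if target == "https" else HTTP_HOST
            return "redirect", f"{target}://{host}{path}"
    raise AssertionError("the catch-all rule must match")


def follow(url, tables=(HTTP_RULES, HTTPS_RULES), max_hops=5):
    """Follow redirects like a browser; return (final_url, upstream, hops).

    Raises RuntimeError on a loop or when max_hops is exceeded."""
    seen = [url]
    while len(seen) <= max_hops:
        scheme, rest = url.split("://", 1)
        _host, _, path = rest.partition("/")
        action, target = route(scheme, "/" + path, tables)
        if action == "proxy":
            return url, target, len(seen) - 1
        if target in seen:
            raise RuntimeError("redirect loop: " + " -> ".join(seen + [target]))
        seen.append(target)
        url = target
    raise RuntimeError("too many redirects")


def loops(url, tables):
    """True if following url under the given rule tables never reaches an upstream."""
    try:
        follow(url, tables)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for u in ("http://www.AAA.com/login.htm", "https://www.BBB.com/index.htm",
              "http://www.AAA.com/login/login.css", "http://www.AAA.com/css/site.css"):
        print(u, "->", follow(u))
    print("broken table loops:", loops("http://www.AAA.com/login.htm",
                                       (LOOPING_HTTP_RULES, HTTPS_RULES)))
```

The tables are a model, not a parser of nginx.conf; the value is in listing every path class the site serves and confirming each one ends at an upstream within one hop.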


In proxy mode, can JBoss identify the real user request (URL, IP, HTTPS or HTTP)?


With a transparent proxy, if nothing is configured on JBoss, every request appears to come from Nginx, which gives the following wrong results in the application:

    request.getScheme()        // always "http", not the actual http or https
    request.isSecure()         // always false (because it is always HTTP)
    request.getRemoteAddr()    // always Nginx's IP, not the user's IP
    request.getRequestURL()    // always the URL Nginx requested, not the URL the user requested
    response.sendRedirect(url) // always redirects to http (because the current request is HTTP)

If the application relies on these values to process the user's actual request, that is a problem. The fix needs no change to the application code: Nginx forwards the original request information in headers, and the servlet container is configured to apply them (in Tomcat and JBoss Web this is the RemoteIpValve, which rewrites getScheme, isSecure and getRemoteAddr from the X-Forwarded-* headers). Configure the container to accept these headers only from the proxy's own addresses, because any client can send a forged X-Forwarded-For or X-Forwarded-Proto itself.

The forwarding options to configure in Nginx:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
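What the container has to do with those headers, as an added example that is not code from the article, Tomcat or JBoss: reconstruct the scheme, the client address and the absolute URL the way a RemoteIpValve-style filter does, honoring X-Forwarded-Proto and X-Forwarded-For only when the TCP peer is one of our own proxies, and walking X-Forwarded-For from the right so that a client cannot choose its own address. The trusted proxy ranges and the sample requests are assumptions constructed for the demo; the host names are the article's placeholders.

```python
"""Reconstruct the original request behind Nginx, RemoteIpValve style.
Added example, not code from the article, Tomcat or JBoss; the trusted
ranges and sample requests are assumptions."""
import ipaddress

# Peers whose X-Forwarded-* headers are believed (assumed: the LAN holding the
# Nginx boxes, plus localhost). Anything else is treated as a direct client.
TRUSTED_PROXIES = [ipaddress.ip_network("172.18.0.0/24"),
                   ipaddress.ip_network("127.0.0.0/8")]


def is_trusted_proxy(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # garbage in the header is never a trusted proxy
    return any(ip in net for net in TRUSTED_PROXIES)


def original_request(peer_addr, headers, path, local_scheme="http"):
    """Return what the application should see for this request.

    peer_addr - the TCP peer (Nginx when proxied, the client when direct)
    headers   - request headers as a dict, names case-insensitive
    path      - request path (and query) as received by the container
    The result mirrors getScheme, isSecure, getRemoteAddr and getRequestURL.
    """
    h = {k.lower(): v for k, v in headers.items()}
    scheme, remote = local_scheme, peer_addr
    if is_trusted_proxy(peer_addr):
        proto = h.get("x-forwarded-proto", "").strip().lower()
        if proto in ("http", "https"):
            scheme = proto
        # X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the
        # address it received the request from ($proxy_add_x_forwarded_for).
        # Walk it right to left; the first address that is not one of our own
        # proxies is the client. Taking the leftmost entry blindly would let a
        # client write any address it likes into the log and into IP-based rules.
        chain = [a.strip() for a in h.get("x-forwarded-for", "").split(",") if a.strip()]
        for addr in reversed(chain):
            remote = addr
            if not is_trusted_proxy(addr):
                break
    host = h.get("host", "")
    return {"scheme": scheme, "secure": scheme == "https",
            "remote_addr": remote, "url": f"{scheme}://{host}{path}"}


def redirect_location(req, target_path):
    """Absolute Location for sendRedirect(target_path) that keeps the client's scheme."""
    host = req["url"].split("://", 1)[1].split("/", 1)[0]     # host[:port]
    return f"{req['scheme']}://{host}{target_path}"


if __name__ == "__main__":
    via_nginx = original_request("172.18.0.2", {"Host": "www.BBB.com",
                                 "X-Forwarded-For": "203.0.113.9",
                                 "X-Forwarded-Proto": "https"}, "/login.htm")
    print("via nginx :", via_nginx, redirect_location(via_nginx, "/home.htm"))
    spoofed = original_request("203.0.113.9", {"Host": "www.AAA.com",
                               "X-Forwarded-For": "10.0.0.1",
                               "X-Forwarded-Proto": "https"}, "/")
    print("direct    :", spoofed)   # forged headers ignored
```

The second call in the usage block is the case the caveat above is about: a client that bypasses Nginx and talks to JBoss directly can send the same headers, and the result must still show its own address and plain http.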


Optimization


1. Optimizing rewrite statements

rewrite is complex and inefficient; a return statement does the same job more cheaply. For example, the redirect

    rewrite ^(.*) https://$host$1 permanent;

can be replaced by

    return 301 https://$host$request_uri;

The scheme and host must be part of the return URL, otherwise the client is sent back to the same URL on the same scheme and loops. $request_uri already includes the query string, so nothing is lost compared to the rewrite.


2. Optimizing the SSL configuration

SSL operations consume CPU, so on a multi-processor system several worker processes should be started, no fewer than the number of available CPU cores. The most CPU-intensive SSL operation is the handshake. There are two ways to minimize the number of handshakes per client: the first is to keep client connections alive and send several requests over one SSL connection; the second is to reuse SSL session parameters across parallel or subsequent connections, which avoids the handshake entirely. Sessions are stored in an SSL session cache shared between worker processes, configured with the ssl_session_cache directive. 1 MB of cache holds about 4000 sessions. The default cache timeout is 5 minutes and can be increased with ssl_session_timeout. The following is an optimized configuration for a 4-core system with a 10 MB shared session cache:

    worker_processes 4;

    http {
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        server {
            listen 443 ssl;          # "ssl on;" is deprecated
            server_name www.example.com;
            keepalive_timeout 70;

            ssl_certificate www.example.com.crt;
            ssl_certificate_key www.example.com.key;
            # SSLv3, TLSv1 and TLSv1.1 from the original list are no longer safe
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ...


Protecting the certificate's private key:

The server certificate is public: it is sent to every client that connects to the server. The private key is not public and is never sent, so it must be protected on the server, for example by storing it in a file with restricted access: chmod 400 ssl.key (readable only by root). The nginx master process, which runs as root and reads the key at startup, must of course still have read permission. Alternatively the private key file can be protected with a passphrase; the key then stays safe even if the file is copied, but the passphrase has to be entered every time the nginx service restarts, which is more troublesome.
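A check for the file-permission advice above, as an added example that is not part of the original article: it refuses anything that is not a regular file, flags group/other permission bits, an executable bit, and a wrong owner, and the demo function shows the result before and after the chmod 400. The file it creates is a throwaway placeholder, not a real key; the default expected owner (root) and the file name are assumptions.

```python
"""Permission check for a TLS private key file. Added example, not part of
the original post; the key file in demo() is a constructed placeholder."""
import os
import stat
import tempfile


def key_file_problems(path, expected_owner_uid=0):
    """Return a list of problems with the key file's permissions; [] means OK.

    Checks: regular file (symlinks and devices are refused), no group/other
    bits, no execute bit, and ownership by expected_owner_uid (root by
    default, since the nginx master process that reads the key runs as root).
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other permissions present: {oct(mode)} (expected 0400 or 0600)")
    if mode & stat.S_IXUSR:
        problems.append("key file is executable")
    if st.st_uid != expected_owner_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {expected_owner_uid}")
    return problems


def demo():
    """Create a placeholder key with lax permissions, check, harden, recheck.

    Returns (problems_before, problems_after); the owner check uses the
    current user so the demo works without root."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ssl.key")
        with open(path, "w") as f:
            f.write("-----BEGIN PRIVATE KEY-----\nplaceholder, not a real key\n"
                    "-----END PRIVATE KEY-----\n")
        os.chmod(path, 0o644)                       # the usual default: world-readable
        before = key_file_problems(path, expected_owner_uid=os.getuid())
        os.chmod(path, 0o400)                       # the article's chmod 400
        after = key_file_problems(path, expected_owner_uid=os.getuid())
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before chmod 400:", b)
    print("after  chmod 400:", a)
```

Against a real deployment, call key_file_problems on the path named by ssl_certificate_key; a non-empty result is what to fix before the key is considered protected.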


Encrypting the partial HTTP / partial HTTPS channel between the Nginx front end and the JBoss back end

To encrypt the transmission between nginx and JBoss as well, only the following key changes are needed:

(1) Configure a server certificate on the JBoss side and open an HTTPS port (port 8443 in this example).

(2) Configure the partial-HTTPS, partial-HTTP setup on the JBoss side as well.

(3) Make the following change in the nginx server listening on port 443:

    location ~* /login\.htm$ {
        proxy_pass https://clusterssl;
        # nginx does not verify the upstream certificate unless told to, so
        # without the directives below any host on the LAN could impersonate
        # JBoss. They exist in nginx 1.7.0 and later; the CA file path and the
        # name in the JBoss certificate are assumptions for this example.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/jboss-ca.crt;
        proxy_ssl_name jboss.internal;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

(4) Change the other mixed-content locations (the login page's CSS, JS and GIF) in the same way.


Posted by Carry at December 17, 2013 - 5:05 PM