
Drupal BOA NGINX setup for multiple, secure HTTPS domains

Amstercad edited this page Nov 24, 2016 · 3 revisions

DEPRECATED November 24, 2016 because the new process implemented by Omega8 is so sweet. This document remains for reference only, and possibly so others can score an A+ at SSL Labs.

====

It is important to keep in mind several rules when creating or modifying custom HTTPS domains.

  1. Nginx loads configuration files in alphabetical order, so the filename matters when using multiple files.

  2. BOA is configured by default to use a self-signed certificate. The default file used is /var/aegir/config/server_master/nginx/pre.d/nginx_wild_ssl.conf. This file is not overwritten on upgrade, and you can modify it to suit your requirements.

    You can add more server {} sections to set up additional, unique HTTPS domains in pre.d/nginx_wild_ssl.conf - but make certain they are added below the wildcard server {}.

    You can also create separate config files in pre.d/, but you must use safe filenames, like pre.d/z_foo.com_ssl.conf, to make sure they are loaded after pre.d/nginx_wild_ssl.conf.

    Reload NGINX for your changes to take effect. As root: "service nginx reload"

  3. Only one wildcard HTTPS domain is possible on the server. This is denoted as: server_name _;

    The wildcard server {} with server_name _; must be listed first (not last).

    If you have purchased a wildcard subdomain certificate such as *.foo.com, your certificate will replace BOA's default, self-signed certificate mechanism.

    Place the .key and .crt files of your purchased wildcard certificate in /etc/ssl/private/.

  4. Extra server {} instances such as "server_name foo.com www.foo.com;" should be written explicitly. (Replace _; with these domain names in the template below.)

    Each extra server {} can then use "listen *:443" with its own SSL cert/key defined; nginx picks the matching block from the hostname the client sends in TLS/SNI, so all of them share the single IP address of the BOA server.

    Place the .key and .crt files for each purchased HTTPS domain certificate in /etc/ssl/private/.

    Copy the following to use as a template for each HTTPS domain on the server. Search and replace *.example.com with each HTTPS domain you have purchased a certificate for:

#########################################################
### BEGIN *.example.com
###
### /var/aegir/config/server_master/nginx/pre.d/custom_single_ip_ssl.conf
upstream nginx_http {
  server  localhost:80;
}
server {
# The 'spdy' at the end of the listen command below turns on SPDY support.
  listen                       *:443 ssl spdy;
  server_name                  _;
  ssl                          on;
  ssl_certificate              /etc/ssl/private/*.example.com.crt;
  ssl_certificate_key          /etc/ssl/private/*.example.com.key;
# Tell browsers to require SSL (warning: difficult to change your mind)
  add_header Strict-Transport-Security max-age=31536000;
# Turn on session resumption, using a 10 min cache shared across nginx processes,
# as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
# Cut out (the old, broken) SSLv3 entirely.
# This **excludes IE6 users** and (apparently) Yandexbot.
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_ciphers                  'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
  ssl_prefer_server_ciphers    on;
  keepalive_timeout            70;
# Buffer size of 1400 bytes fits in one MTU.
# nginx 1.5.9+ ONLY
  ssl_buffer_size 1400;
# SPDY header compression (0 for none, 9 for slow/heavy compression). Preferred is 6.
#
# BUT: header compression is flawed and vulnerable in SPDY versions 1 - 3.
# Disable with 0, until using a version of nginx with SPDY 4.
  spdy_headers_comp 6;
# Now let's really get fancy, and pre-generate a 2048 bit Diffie-Hellman parameter
# for the kEDH (DHE) ciphers above (ECDHE curves are not affected by this).
# If not created and specified, the default is only 1024 bits.
#
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out dhparam2048.pem 2048
#
# Note: raising the bits to 2048 excludes Java 6 clients. Comment out if a problem.
  ssl_dhparam /etc/ssl/private/dhparam2048.pem;
###
### Deny known crawlers.
###
  if ($is_crawler) {
    return 403;
  }
  location / {
    proxy_pass                 http://nginx_http;
    proxy_redirect             off;
    gzip_vary                  off;
    proxy_buffering            off;
    proxy_set_header           Host              $host;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-By    $server_addr:$server_port;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           X-Local-Proxy     $scheme;
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_pass_header          Set-Cookie;
    proxy_pass_header          Cookie;
    proxy_pass_header          X-Accel-Expires;
    proxy_pass_header          X-Accel-Redirect;
    proxy_pass_header          X-This-Proto;
    proxy_connect_timeout      180;
    proxy_send_timeout         180;
    proxy_read_timeout         180;
    access_log                 on;
    log_not_found              on;
  }
}
###
### END *.example.com
###
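The ordering and certificate rules above (alphabetical loading, exactly one wildcard server {} loaded first, own cert/key per extra HTTPS server {}) can be checked before touching nginx. This is an added example, not BOA's or nginx's own code; it assumes BOA's layout where every server {} closes with a brace at the start of a line and nested blocks close indented, and the pre.d path is the one named on this page.

```python
import glob
import os
import re

# Added example, not BOA's or nginx's own code: checks the pre.d rules above.
# nginx includes pre.d/*.conf in sorted filename order, so the wildcard
# "server_name _;" block must sort first, there must be exactly one of them,
# and every extra HTTPS server {} needs its own certificate and key.
# Assumes BOA's layout: a server {} closes with "}" at the start of a line.

SERVER_RE = re.compile(r"\bserver\s*\{(.*?)^\}", re.S | re.M)
DIRECTIVE_RE = re.compile(
    r"^\s*(server_name|ssl_certificate_key|ssl_certificate)\s+([^;]+);", re.M)

def parse_servers(text):
    """Return one dict of the interesting directives per server {} block."""
    return [{m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(b.group(1))}
            for b in SERVER_RE.finditer(text)]

def check_pre_d(configs, exists=os.path.isfile):
    """configs: {filename: contents}; exists: tells whether a cert/key path is on disk.
    Returns a list of rule violations; an empty list means the layout is sound."""
    problems, servers = [], []
    for name in sorted(configs):                          # rule 1: alphabetical load order
        for s in parse_servers(configs[name]):
            s["file"] = name
            servers.append(s)
    wildcards = [s for s in servers if s.get("server_name") == "_"]
    if len(wildcards) != 1:                               # rule 3: exactly one wildcard
        problems.append("expected one wildcard server_name _; found %d" % len(wildcards))
    if servers and servers[0].get("server_name") != "_":  # rule 3: wildcard loads first
        problems.append("%s loads before the wildcard server {}" % servers[0]["file"])
    for s in servers:                                     # rule 4: own cert/key per server
        for d in ("ssl_certificate", "ssl_certificate_key"):
            path = s.get(d)
            if not path:
                problems.append("%s: %s missing for %s" % (s["file"], d, s.get("server_name")))
            elif not exists(path):
                problems.append("%s: %s not found: %s" % (s["file"], d, path))
    return problems

def load_pre_d(pre_d="/var/aegir/config/server_master/nginx/pre.d"):
    """Read every *.conf in pre.d into the mapping check_pre_d() expects."""
    return {os.path.basename(p): open(p).read()
            for p in glob.glob(os.path.join(pre_d, "*.conf"))}

if __name__ == "__main__":
    print("\n".join(check_pre_d(load_pre_d()) or ["OK: pre.d layout follows the rules"]))
```

Run it as root on the BOA server; once it reports no problems, confirm the syntax with nginx -t before the "service nginx reload".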