Introduction
This document describes the steps required to install and configure Nginx to act as a reverse proxy for FCSDK calls.
It is assumed that the following items are installed and running before installing Nginx.
Install Fusion Application Server (FAS)
Install Fusion Client SDK
These instructions were written against Nginx version 1.4.7.
1. Installation
This section describes the steps involved in installing Nginx.
Firstly you need to add the Nginx Yum repository. This is done by creating the following file:
/etc/yum.repos.d/nginx.repo
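In this file you need to paste the following. Note that gpgcheck=0 turns off GPG signature checking for packages installed from this repository, and the baseurl is fetched over plain HTTP: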
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
Then to install Nginx you simply enter the following at the terminal:
yum install nginx
Nginx and its dependencies will be installed.
2. Operation
This section describes basic operation of the Nginx server.
Service operation
To start, stop or restart the Nginx server you can use the service as below:
service nginx start | stop | restart
The log location is defined in the configuration files. In this install we will configure the logs to be written to the following location:
/var/log/nginx
3. Configuration
This section describes what needs to be configured in order for Nginx to act as a reverse proxy for FCSDK.
3.1 Basic Configuration
Firstly you should remove or rename the existing .conf files located in the following directory on the nginx server:
/etc/nginx/conf.d
Then add a file called proxy.conf. An example of the formatting is shown below; a full example file is attached.
server {
    #listen 80;
    #listen 8080;
    listen 443 ssl;
    listen 8443 ssl;
    server_name cs-nginx-reverse-proxy.cba.com;
    ssl_certificate /etc/nginx/certificate.crt;
    ssl_certificate_key /etc/nginx/privateKey.key;
    resolver 192.168.20.120; #(Your DNS Server)
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    location /gateway/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_pass http://fas-server.cba.com:8080$request_uri;
        proxy_read_timeout 3000s;
    }
    #REQUIRED FOR CSDK SAMPLE APP
    location /csdk-sample/ {
        proxy_set_header Host $http_host;
        proxy_pass https://fas-server.cba.com:8443$request_uri;
        proxy_redirect http://fas-server.cba.com:8080 https://$http_host:443/;
    }
    #REQUIRED FOR LIVE ASSIST SAMPLE APP
    location /assistsample/ {
        proxy_set_header Host $http_host;
        proxy_pass http://fas-server.cba.com:8080$request_uri;
        proxy_redirect http://fas-server.cba.com:8080 https://$http_host:443/;
    }
    #REQUIRED FOR AGENT ASSIST SAMPLE APP
    location /assist-agent-console/ {
        proxy_set_header Host $http_host;
        proxy_pass http://fas-server.cba.com:8080$request_uri;
        proxy_redirect http://fas-server.cba.com:8080 https://$http_host:443/;
    }
    #REQUIRED FOR NEW AGENT ASSIST SAMPLE APP
    location /agent/console/ {
        proxy_set_header Host $http_host;
        proxy_pass http://fas-server.cba.com:8080$request_uri;
        proxy_redirect http://fas-server.cba.com:8080 https://$http_host:443/;
    }
    #REQUIRED FOR LIVE ASSIST DOCS SHARING
    #Note: turn chunked encoding off to allow larger data transfers
    location /assist-resourcemanager/ {
        proxy_set_header Host $http_host;
        proxy_pass http://fas-server.cba.com:8080$request_uri;
        #If you get ERR_INCOMPLETE_CHUNKED_ENCODING errors
        #you need to disable it with:
        chunked_transfer_encoding off;
    }
    #REQUIRED FOR LIVE ASSIST SCREEN SHARING
    location /assistserver/topic {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_pass http://cs-ha-wg.cba.com:8080$request_uri;
        proxy_read_timeout 3000s;
    }
}
HTTP Strict Transport Security (HSTS)
FCSDK does not apply Strict-Transport-Security headers on responses for web sockets.
NGINX can add this header by adding the following directive under web socket locations:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
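An added example, not part of the original article: a shell check that lists the web socket locations (those that set the Upgrade header) in a config such as proxy.conf that would still be served without the directive above. The function names and the sample config are constructed for illustration, and the parser assumes location blocks sit directly inside server { } as in the example file.

```shell
#!/bin/sh
# Added example: list WebSocket locations that lack an effective HSTS header.
# Reads the file named in $1, or stdin when no file is given.
ws_locations_missing_hsts() {
    awk '
        /^[ \t]*#/ { next }                            # ignore comment lines
        /^[ \t]*location[ \t]/ {                       # a location block opens
            name = ($2 ~ /^(=|~|~\*|\^~)$/) ? $3 : $2  # skip a match modifier
            in_loc = 1; ws = 0; hsts = 0; own = 0; next
        }
        /^[ \t]*add_header[ \t]/ {
            # Count the header only when it carries the "always" parameter.
            is_hsts = ($2 == "Strict-Transport-Security" && $NF == "always;")
            if (in_loc) own = 1
            if (is_hsts && in_loc) hsts = 1
            if (is_hsts && !in_loc) server_hsts = 1
        }
        in_loc && /proxy_set_header[ \t]+Upgrade[ \t]/ { ws = 1 }
        in_loc && /^[ \t]*\}/ {                        # the location closes
            if (ws && !hsts) { n++; loc[n] = name; has_own[n] = own }
            in_loc = 0
        }
        END {
            # A server-level add_header is inherited only by locations that
            # declare no add_header of their own.
            for (i = 1; i <= n; i++)
                if (!server_hsts || has_own[i]) print loc[i]
        }
    ' "${1:--}"
}

# Constructed sample config: only /gateway/ should be reported.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    location /gateway/ {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /assistserver/topic {
        proxy_set_header Upgrade $http_upgrade;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}
EOF
}

sample_conf | ws_locations_missing_hsts    # prints /gateway/
```

The always parameter exists from Nginx 1.7.5 onward, so check the installed version with nginx -v before relying on it with the 1.4.7 release these instructions were written against. Without always, Nginx adds the header only to a fixed list of 2xx and 3xx status codes, which does not include the 101 response that completes a web socket upgrade.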
4. Creating a self-signed cert for testing
If you want to encrypt the leg to the reverse proxy you can run the following commands from within /etc/nginx to create a self-signed cert (as in the example config).
NOTE: you may need to install the openssl tools: yum install openssl openssl-devel
4.1 Create private key
openssl genrsa -out privateKey.key 2048
4.2 Sign a CRT locally (Use the FQDN for your nginx server)
openssl req -x509 -new -days 365 -key privateKey.key -out certificate.crt
This will give you a /etc/nginx/privateKey.key & /etc/nginx/certificate.crt and is enough to encrypt the traffic with a self-signed cert.
5. Creating a CSR to get signed by a CA.
5.1 Create a CSR (Use the FQDN for your nginx server)
openssl req -new -sha256 -key privateKey.key -out certificate.csr
5.2 Check the CSR
openssl req -noout -text -in certificate.csr
5.3 Send the CSR to your CA and reference the certificate when it is returned.
You will get a crt file back from your CA which you can reference in the nginx config /etc/nginx/certificate.crt.
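An added example, not part of the original article: before restarting Nginx with a certificate returned by the CA, this shell check confirms that privateKey.key, certificate.csr and certificate.crt all carry the same public key. The function names are constructed for illustration; the files are passed as kind:path arguments.

```shell
#!/bin/sh
# Added example: confirm that a private key, CSR and certificate belong together.

# Print a SHA-256 digest of the public key held in a key, CSR or certificate.
pubkey_digest() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pub= ;;
    esac
    [ -n "$pub" ] || return 1          # unreadable file or unknown kind
    printf '%s\n' "$pub" | openssl sha256
}

# Succeed only if every kind:path argument carries the same public key.
# Returns 1 on a mismatch and 2 when a file cannot be parsed.
same_public_key() {
    ref=""
    for pair in "$@"; do
        d=$(pubkey_digest "${pair%%:*}" "${pair#*:}") || {
            echo "cannot read ${pair#*:}" >&2; return 2; }
        : "${ref:=$d}"                 # first file sets the reference digest
        [ "$d" = "$ref" ] || { echo "MISMATCH: ${pair#*:}" >&2; return 1; }
    done
    echo "OK: public keys match"
}

# Example invocation from /etc/nginx:
#   sh check.sh key:privateKey.key csr:certificate.csr cert:certificate.crt
if [ "$#" -gt 0 ]; then
    same_public_key "$@"
fi
```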