I recently had an issue with testing a license on a flash program. This flash program would only work when being accessed through certain URLs. For example, it would only work on www.example.com or https://test.example.com but not on others.
Unfortunately, the license I was using had not added a test address I commonly use, and the only addresses they did add were secure addresses (https…).
Had it not been a secure address, I could simply update my /etc/hosts file and point that particular URL to localhost 127.0.0.1. But that was not what I had been given.
Here is my solution to this problem using an nginx server.
I am running this nginx locally on Mac OS X.
Edit the /etc/hosts
Edit the /etc/hosts file
> sudo vi /etc/hosts
And add the following line
Open a new terminal and test it with a ping
> ping mytest.google.com
Create SSL certificates
Create some self-signed certificates. For this part I used the simple notes I found
at http://www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy/ [1]
I created an ssl folder in the same folder where the nginx.conf file is
> cd /usr/local/etc/nginx/
> sudo mkdir ssl
> cd ssl
Run the following command
> openssl genrsa -des3 -out mytest.key 1024
Enter a pass phrase when prompted; I entered "1234". Do not worry about this since we will remove it later.
Run the following command
> openssl req -new -key mytest.key -out mytest.csr
Make sure you set the Common Name to the URL you want to use.
Run the following commands (to remove the pass phrase)
> cp mytest.key mytest.key.BACK
> openssl rsa -in mytest.key.BACK -out mytest.key
Run the following command
> openssl x509 -req -days 365 -in mytest.csr -signkey mytest.key -out mytest.crt
Fix permissions (adjust this to your settings)
> sudo chown nginx:staff .
> sudo chown nginx:staff *
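The certificate steps above, condensed into one non-interactive script with checks to run before pointing nginx at the files. This is an added example, not part of the original post: it assumes OpenSSL 1.1.1 or later (for -addext), uses a 2048-bit key instead of the 1024-bit one above, and the function names and the host name mytest.example.test are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# make_test_cert HOST DIR: write DIR/HOST.key and DIR/HOST.crt, self-signed for HOST.
make_test_cert() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    # -nodes: key is written without a pass phrase, so there is nothing to strip later.
    # -x509:  self-sign in one step instead of creating a CSR first.
    # subjectAltName: current browsers match the host name against SAN, not the CN.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null || return 1
    chmod 600 "$dir/$host.key"   # private key readable by its owner only
}

# key_matches_cert KEY CRT: succeed only if CRT carries the public half of KEY.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_names_host CRT HOST: succeed only if CRT is valid for HOST.
cert_names_host() {
    openssl x509 -in "$1" -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# cert_key_bits CRT: print the size of the certificate's public key in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh make_cert.sh mytest.example.test ./ssl   (constructed host name)
if [ "$#" -eq 2 ]; then
    make_test_cert "$1" "$2" &&
        key_matches_cert "$2/$1.key" "$2/$1.crt" &&
        cert_names_host "$2/$1.crt" "$1" &&
        echo "ok: $2/$1.crt ($(cert_key_bits "$2/$1.crt")-bit key) matches its key and names $1"
fi
```

A key and certificate that fail key_matches_cert will make nginx refuse to start, so running the checks first saves a restart cycle.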
Edit nginx.conf
Edit the nginx.conf file. On my install it happens to be at /usr/local/etc/nginx/nginx.conf; on my Ubuntu server it's at /etc/nginx/nginx.conf
> vi /usr/local/etc/nginx/nginx.conf
Here is my nginx.conf file (I highlighted some of the more interesting parts)
user nginx staff;
worker_processes 4;
error_log /Users/patman/Desktop/www/logs/error.log;
pid /Users/patman/Desktop/www/logs/nginx.pid;
events {
    worker_connections 1024;
    multi_accept on;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main_fmt '$remote_addr - $remote_user [$time_local] $status '
                        '"$request" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /Users/patman/Desktop/www/logs/access.log main_fmt;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_names_hash_bucket_size 128;
    keepalive_timeout 70;
    types_hash_max_size 2048;
    gzip on;
    gzip_disable "msie6";
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    server {
        listen 80;
        root /Users/patman/Desktop/www;
    }
    server {
        listen 80;
        listen 443;
        ssl on;
        server_name mytest.google.com;
        ### SSL log files ###
        access_log /Users/patman/Desktop/www/logs/ssl-access.log;
        error_log /Users/patman/Desktop/www/logs/ssl-error.log;
        ### SSL cert files ###
        ssl_certificate /usr/local/etc/nginx/ssl/mytest.crt;
        ssl_certificate_key /usr/local/etc/nginx/ssl/mytest.key;
        # SSLv3 and RC4 are deprecated (RFC 7568, RFC 7465); beyond a local test, keep only TLSv1.2+ and drop RC4
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout 60;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        access_log /Users/patman/Desktop/www/logs/mytest.access.log main_fmt;
        error_log /Users/patman/Desktop/www/logs/mytest.error.log;
        # Forward every request to the application listening locally on port 8080
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
Now restart nginx. On OS X (brew install) you run the following commands
> sudo nginx -s stop
> sudo nginx
Try it
I found one interesting issue when trying to open https://mytest.google.com in Google Chrome. The non-secure URL (drop the s) works just fine… but it seems Chrome takes some offence to using a fake Google secure site.
So I used Safari and confirmed it's working just fine.
This allowed me to complete my test and confirm that the new license worked as intended.
Update: I later got Chrome to work; I am not sure what the problem was…
References
[1] nginx: Setup SSL Reverse Proxy (Load Balanced SSL Proxy), http://www.cyberciti.biz/faq/howto-linux-unix-setup-nginx-ssl-proxy/. Visited 6/2014