Setting up HTTPS on Newired application server (CentOS/RedHat)

Modified on Wed, 26 Jul, 2023 at 3:13 PM

Introduction


This guide will help you install the Nginx reverse proxy in front of the Newired application server, so that you can easily use your own SSL/TLS certificate (or the self-signed one shipped with Newired) and make the application available over https.


 Prerequisites


  • Newired portal installed and available on port 8090 (http://localhost:8090/newired)
    Newired installation location: /opt/Newired

  • DNS settings that point to the IP address of the server
    (for example, newired.example.com)

  • Ports 80 and 443 allowed on the firewall for http and https communication

  • Your own certificate for your domain, prepared in PEM format (x509)
    (for example, newired.example.com)
    or
    the self-signed certificate for the localhost domain name that ships with Newired (used in the examples below)




Prepare SSL/TLS certificates for using in proxy


Recommended SSL/TLS certificate format


There are several certificate formats (see the table below); this guide primarily uses the PEM format (x509).


Keep in mind that the file extension (for example .cer or .crt) does not determine the format in which the SSL certificate is stored. For example, the SSL certificate in the file certificate.crt can be in either DER or PEM format.



SSL format      Storage method   Common extensions              Further details
--------------  ---------------  -----------------------------  ------------------------------------------------------------------------
PEM (x509)      Base64/ASCII     .pem, .crt, .cer, .key, .txt   Contains an SSL certificate or the entire root chain. May contain a private key.
DER             binary           .der, .crt, .cer               Contains an SSL certificate or the entire root chain. May contain a private key.
P7B (PKCS#7)    Base64/ASCII     .p7b, .p7c                     Contains an SSL certificate or the entire root chain. Does not contain a private key.
PFX (PKCS#12)   binary           .p12, .pfx                     Contains an SSL certificate or the entire root chain. May contain a private key.


Add own certificate to certs folder for Newired application


If you have your own certificate in PEM format (x509) (see the section Recommended SSL/TLS certificate format above) that is valid and trusted, use it for the proxy.


The private key and the intermediate CA certificate belong to your certificate as well. Rename the files, for example according to the domain name you will use:


  • newired.example.com.pem.crt (certificate and intermediate CA certificate)
  • newired.example.com.pem.key (private key)


and copy these files to the folder [Newired_installation_location]/certs/


If you do not have a certificate in PEM format but, for example, PFX, you can easily convert it to the required format using the OpenSSL tool (see the section Conversion between different formats) and then continue renaming and moving the certificate as instructed above.


Use Newired self-signed certificate


We have prepared a self-signed certificate for you; it is part of the installation from version 21.1.0 (or you can download it from https://download.newired.com).


You can find the certificate in the folder [Newired_installation_location]/certs/


  • localhost.pem.crt
  • localhost.pem.key
  • localhost-ca.pem.crt



If you have an older version of the Newired application, download the self-signed certificate from download.newired.com, unzip the files and move them to [Newired_installation_location]/certs/

For the self-signed certificate to be accepted as valid, you still need to import the certificate into the trusted root store of your client system. If your system is Windows, you can use this tutorial - Add self-signed certificates to Trusted Root Certification Authorities


Conversion between different formats


You can use these commands to convert between different SSL certificate formats.


DER => PEM



openssl x509 -inform der -in certificate.der -out certificate.pem



PKCS#12 (private key + SSL certificates) => PEM



openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes


You can also add -nokeys, which will only export the SSL certificate without the private key.
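The format check and conversions described above, as an added shell example that is not part of the Newired article: it detects PEM versus DER by file content (the extension proves nothing, as noted earlier), converts to PEM, splits a PKCS#12 bundle into the .pem.crt / .pem.key pair this guide uses, and verifies that a private key actually belongs to a certificate before nginx is pointed at the pair. It assumes the openssl command-line tool is installed; the function names and every path are this example's own, not Newired's.

```shell
#!/bin/sh
# Added example, not part of the Newired article: identify a certificate's
# real format by content (the extension proves nothing), convert DER or
# PKCS#12 material into the PEM files nginx expects, and confirm that the
# private key actually belongs to the certificate. Requires the openssl CLI;
# all paths are placeholders chosen by the caller.
set -e

# Print PEM, DER or UNKNOWN for the certificate file given as $1.
cert_format() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then
        echo PEM
    elif openssl x509 -inform der -in "$1" -noout >/dev/null 2>&1; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# Convert certificate $1 (PEM or DER, detected above) into a PEM file at $2.
cert_to_pem() {
    case "$(cert_format "$1")" in
        PEM) openssl x509 -inform pem -in "$1" -out "$2" ;;
        DER) openssl x509 -inform der -in "$1" -out "$2" ;;
        *)   echo "unrecognised certificate format: $1" >&2; return 1 ;;
    esac
}

# Split a PKCS#12 bundle into the .pem.crt / .pem.key pair the article uses.
# $1 = bundle, $2 = output prefix (e.g. /opt/Newired/certs/newired.example.com),
# $3 = bundle password. The .crt gets the certificate chain, the .key only the
# unencrypted private key, and the key is made readable by its owner alone.
pfx_to_pem_pair() {
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -out "$2.pem.crt"
    openssl pkcs12 -in "$1" -passin "pass:$3" -nocerts -nodes -out "$2.pem.key"
    chmod 600 "$2.pem.key"
}

# Return 0 when the public key in certificate $1 equals the public half of
# private key $2. Hashing the DER-encoded public key works for RSA and EC.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform der | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: check an existing pair before pointing ssl_certificate/_key at it.
#   key_matches_cert /opt/Newired/certs/localhost.pem.crt \
#                    /opt/Newired/certs/localhost.pem.key && echo "pair OK"
```

A mismatched pair is the most common reason nginx refuses to start after a certificate renewal, so run key_matches_cert on the two files in the certs folder before restarting the service.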


Install Nginx


Nginx is a popular open-source web server and reverse proxy, known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.


Install Nginx from the official repository of your Linux distribution


  1. Command for installation in the terminal



sudo yum install nginx


  2. Enable the service on system boot:



sudo systemctl enable nginx


  3. Start the service



sudo systemctl start nginx


  4. Check the service



sudo systemctl status nginx


Output:



● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since 
  Process: 2104 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 2103 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 2101 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 2106 (nginx)
    Tasks: 3 (limit: 11486)
   Memory: 7.5M
   CGroup: /system.slice/nginx.service
           ├─2106 nginx: master process /usr/sbin/nginx
           ├─2107 nginx: worker process
           └─2108 nginx: worker process





Allow Firewall and SELinux


Enable http and https on Firewall



sudo firewall-cmd --zone=public --add-port=80/tcp
sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
sudo firewall-cmd --zone=public --add-port=443/tcp
sudo firewall-cmd --zone=public --permanent --add-port=443/tcp


We can verify that this was successful using the --list-ports operation:



sudo firewall-cmd --zone=public --list-ports


Allow http communication for SELinux (CentOS/RedHat)


Overview of SELinux


SELinux is enabled by default on modern RHEL and CentOS servers. Each operating system object (process, file descriptor, file, etc.) is labeled with an SELinux context that defines the permissions and operations the object can perform.
In RHEL 6.6/CentOS 6.6 and later, NGINX is labeled with the httpd_t context. 
The httpd_t context permits NGINX to listen on common web server ports, to access configuration files in /etc/nginx, and to access content in the standard docroot location (/usr/share/nginx). It does not permit many other operations, such as proxying to upstream locations or communicating with other processes through sockets.


Disabling SELinux for NGINX


To temporarily disable SELinux restrictions for the httpd_t context, so that NGINX can perform all the same operations as on a non-SELinux OS, assign the httpd_t context to the permissive domain with the command below (it requires the semanage tool; see the next section if it is not installed).



sudo semanage permissive -a httpd_t


More details for security SELinux and NGINX for your system:
https://www.nginx.com/blog/using-nginx-plus-with-selinux/




If semanage is not installed on CentOS, install it with:



sudo yum install policycoreutils-python-utils


Configure NGINX as a reverse proxy


  1. Copy the nginx configuration file for the Newired reverse proxy



# backup before configuration
sudo cp -f /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bck
# copy the prepared configuration
sudo cp -f /opt/Newired/tomcat/conf/nginx-proxy/linux/nginx.conf /etc/nginx/


  2. Copy the Newired configuration template file from /opt/Newired/tomcat/conf/nginx-proxy/linux/conf.d/newired.conf to /etc/nginx/conf.d/



sudo cp -f /opt/Newired/tomcat/conf/nginx-proxy/linux/conf.d/newired.conf /etc/nginx/conf.d/


  3. Open the file newired.conf as root user in a text editor and make sure it contains the following lines, replacing the two placeholders with your own values (for example your domain name):

    {{ app_domain_name }}   =>  newired.example.com  or  localhost
    {{ path_certificates }} =>  /opt/Newired/certs/




upstream backend {

   server 127.0.0.1:8090;

   keepalive 32;

}

server {
    listen              80;
    server_name         {{ app_domain_name }};

    return 301 https://$host$request_uri;
}

server {
    listen              443 ssl;
    server_name         {{ app_domain_name }};

    ssl_certificate     {{ path_certificates }}/{{ app_domain_name }}.pem.crt;
    ssl_certificate_key {{ path_certificates }}/{{ app_domain_name }}.pem.key;

    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ssl_prefer_server_ciphers on;

    root                      /dev/null;

    location / {

         proxy_set_header        X-Forwarded-Proto $scheme;
         proxy_set_header        Host              $http_host;
         proxy_set_header        X-Real-IP         $remote_addr;
         proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
         proxy_set_header        Upgrade           $http_upgrade;
         proxy_set_header        Connection        "Upgrade";

         proxy_pass http://backend;
    }


}



  4. Restart the Nginx service



sudo systemctl restart nginx


  5. Done; you can now enter an https address into your browser
    https://localhost/newired
    or
    https://newired.example.com/newired


Note: The configuration includes automatic redirect from http to https



If the Newired login page does not appear after entering the address, check the Nginx error log: /var/log/nginx/error.log


Change the portal domain name configuration


After completing the reverse proxy configuration, the application's own URL configuration must also be switched to https.


  1. Open the file /opt/Newired/tomcat/conf/newired.properties as root (administrator) user in a text editor
  2. Change the values to the new https protocol for localhost



...
newired.backendUrl=https\://localhost/newired
newired.contentDeliveryUrl=https\://localhost/newired/content
newired.collectorUrl=https\://localhost/collector
newired.objectStorageUrl=https\://localhost/newired/storage
...


or new domain name with https



...
newired.backendUrl=https\://newired.example.com/newired
newired.contentDeliveryUrl=https\://newired.example.com/newired/content
newired.collectorUrl=https\://newired.example.com/collector
newired.objectStorageUrl=https\://newired.example.com/newired/storage
...


  3. Restart the Newired application



sudo systemctl stop newired
sudo systemctl start newired
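The placeholder substitution from step 3 of the reverse proxy configuration and the newired.properties change above, as an added shell example that is not part of the Newired article or its nginx template: it renders the two placeholders with sed, checks that the certificate and key files the rendered config will load exist and that the key is readable by its owner only, and confirms that all four Newired URLs point at the same https origin as the proxy. The domain, the paths and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Newired article or its nginx template:
# fill in the {{ app_domain_name }} / {{ path_certificates }} placeholders
# with sed, check the certificate files the rendered config will load, and
# confirm newired.properties uses the same https origin as the proxy.
# Domain, paths and file names are placeholders supplied by the caller.
set -e

# Render template $1 to $2 for domain $3 and certificate directory $4.
render_newired_conf() {
    certdir=${4%/}   # drop a trailing slash so paths do not contain "//"
    sed -e "s|{{ app_domain_name }}|$3|g" \
        -e "s|{{ path_certificates }}|$certdir|g" "$1" > "$2"
}

# Return 0 when rendered config $1 has no placeholder left unreplaced.
no_placeholders_left() {
    ! grep -q '{{' "$1"
}

# Check that $1/$2.pem.crt and $1/$2.pem.key exist and that the key is not
# readable by group or others (anyone who can read it can impersonate the site).
check_cert_files() {
    crt="${1%/}/$2.pem.crt"; key="${1%/}/$2.pem.key"
    [ -r "$crt" ] || { echo "missing certificate: $crt" >&2; return 1; }
    [ -r "$key" ] || { echo "missing private key: $key" >&2; return 1; }
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$perms" in
        *00) ;;   # e.g. 600 or 400: owner only
        *)   echo "private key $key is group/world accessible (mode $perms)" >&2; return 1 ;;
    esac
}

# Every Newired URL in properties file $1 must start with https\://$2/
# (the backslash is the Java properties escape the article's values use);
# otherwise the portal keeps emitting plain-http links behind the proxy.
check_properties_https() {
    for k in newired.backendUrl newired.contentDeliveryUrl \
             newired.collectorUrl newired.objectStorageUrl; do
        v=$(sed -n "s/^$k=//p" "$1")
        case "$v" in
            "https\\://$2/"*) ;;
            *) printf '%s\n' "$k is '$v', expected https\\://$2/..." >&2; return 1 ;;
        esac
    done
}

# Usage (domain newired.example.com, certificates in /opt/Newired/certs):
#   render_newired_conf /opt/Newired/tomcat/conf/nginx-proxy/linux/conf.d/newired.conf \
#       /etc/nginx/conf.d/newired.conf newired.example.com /opt/Newired/certs/
#   no_placeholders_left /etc/nginx/conf.d/newired.conf
#   check_cert_files /opt/Newired/certs newired.example.com
#   check_properties_https /opt/Newired/tomcat/conf/newired.properties newired.example.com
#   sudo nginx -t && sudo systemctl restart nginx
```

Run the checks before restarting nginx: a leftover placeholder or a missing key file makes nginx fail to start, and a properties file still pointing at http://localhost:8090 produces mixed-content or redirect problems even though the proxy itself works.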


Uninstall Nginx


  1. Stop Nginx

sudo systemctl stop nginx


  2. Uninstall Nginx

sudo yum remove nginx


  3. Delete the folders with Nginx configuration and logs



sudo rm -R /etc/nginx
sudo rm -R /var/log/nginx


