Introduction
This guide helps you install Nginx as a reverse proxy in front of the Newired application server, so that you can easily install your own or a self-signed SSL/TLS certificate and make the application available via HTTPS.
Prerequisites
- Newired portal installed and available on port 8090 (http://localhost:8090/newired)
  Newired installation location: C:\Newired
- DNS settings that point to the IP address of the server (for example, newired.example.com)
- Ports 80 and 443 allowed on the firewall for HTTP and HTTPS communication
- Your own certificate for your domain (for example, newired.example.com) prepared in PEM format (x509)
  or
  a self-signed certificate for the localhost domain name, which we will use otherwise
Prepare SSL/TLS certificates for use in proxy
Recommended SSL/TLS certificate format
Certificates come in several formats (see the table below); we will primarily use the PEM format (x509).
Keep in mind that the file extension (for example .cer or .crt) does not determine the format in which the SSL certificate is stored. For example, the SSL certificate in a certificate.crt file can be in either DER or PEM format.
SSL format | Storage method | Common extensions | Further details |
PEM (x509) | Base64/ASCII | .pem, .crt, .cer, .ker., .txt | Contains an SSL certificate or the entire root chain. May contain a private key. |
DER | binary | .der, .crt, .cer | Contains an SSL certificate or the entire root chain. May contain a private key. |
P7B (PKCS#7) | Base64/ASCII | .p7b, .p7c | Contains an SSL certificate or the entire root chain. Does not contain a private key. |
PFX (PKCS#12) | binary | .p12, .pfx | Contains an SSL certificate or the entire root chain. May contain a private key. |
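Because the extension says nothing about the encoding, the format can be read from the file content instead. The following is an added example, not part of the Newired installation; Get-CertificateEncoding is a hypothetical helper name and the sample bytes are constructed, truncated headers rather than real certificates.

```powershell
# Added example: classify certificate material by content, not by file extension.
function Get-CertificateEncoding {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    # PEM is Base64 text between "-----BEGIN <label>-----" markers; the label names the content.
    # Searching the whole file also handles PEM files that start with "Bag Attributes" text.
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    $labels = @([regex]::Matches($text, '-----BEGIN ([A-Z0-9 #]+)-----') |
        ForEach-Object { $_.Groups[1].Value })
    if ($labels.Count -gt 0) { return 'PEM (' + ($labels -join ', ') + ')' }

    # The binary formats are ASN.1 DER and start with a SEQUENCE tag (0x30).
    if ($Bytes.Length -lt 5 -or $Bytes[0] -ne 0x30) { return 'Unknown' }

    # Skip the outer length: short form is one byte, long form is 0x80+n followed by n bytes.
    $i = 2
    if ($Bytes[1] -band 0x80) { $i += ($Bytes[1] -band 0x7F) }
    if ($i + 2 -ge $Bytes.Length) { return 'Unknown' }

    # The first inner element tells the binary formats from the table apart.
    $tag = $Bytes[$i]
    if ($tag -eq 0x30) { return 'DER (X.509 certificate layout)' }
    if ($tag -eq 0x06) { return 'DER (PKCS#7 / P7B layout)' }
    if ($tag -eq 0x02 -and $Bytes[$i + 1] -eq 1 -and $Bytes[$i + 2] -eq 3) {
        return 'DER (PKCS#12 / PFX layout)'
    }
    return 'DER (other structure, for example a bare private key)'
}

# Constructed samples: only the leading bytes of each format, labelled with a file name.
$pemText = "-----BEGIN CERTIFICATE-----`nMIIB...`n-----END CERTIFICATE-----`n"
$samples = [ordered]@{
    'certificate.crt (PEM)' = [System.Text.Encoding]::ASCII.GetBytes($pemText)
    'certificate.crt (DER)' = [byte[]](0x30, 0x82, 0x03, 0x5A, 0x30, 0x82, 0x02, 0x42)
    'keyStore.pfx'          = [byte[]](0x30, 0x82, 0x0A, 0x11, 0x02, 0x01, 0x03, 0x30)
    'chain.p7b (binary)'    = [byte[]](0x30, 0x82, 0x05, 0x20, 0x06, 0x09, 0x2A, 0x86)
}
foreach ($name in $samples.Keys) {
    '{0,-24} {1}' -f $name, (Get-CertificateEncoding -Bytes $samples[$name])
}
```

For a real file, pass its bytes with [System.IO.File]::ReadAllBytes and the full path, for example C:\Newired\certs\localhost.pem.crt.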
Add own certificate to certs folder for Newired application
If you have your own valid and trusted certificate in PEM format (x509) (see the section Recommended SSL/TLS certificate format above), use it as follows.
A private key or intermediate CA certificate is also part of your certificate. Rename the files, for example, according to the domain name you will use:
- newired.example.com.pem.crt (certificate and intermediate CA certificate)
- newired.example.com.pem.key (private key)
and copy these files to the folder [Newired_installation_location]/certs/
If you do not have a certificate in PEM format but, for example, in PFX, you can easily convert it to the required format using the OpenSSL tool (see the section Conversion between different formats) and then continue with renaming and moving the certificate as instructed above.
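Before copying the renamed files into the certs folder, it is worth confirming that the private key belongs to the certificate and that the certificate has not expired, because Nginx will not start with a mismatched pair. This is an added example, not part of the Newired installation; Test-CertKeyPair is a hypothetical helper name, openssl.exe is assumed to be on PATH, and the demo files are throwaway pairs generated in a temporary folder.

```powershell
# Added example: confirm a certificate/key pair belongs together before Nginx uses it.
function Test-CertKeyPair {
    param(
        [Parameter(Mandatory)][string]$CertPath,
        [Parameter(Mandatory)][string]$KeyPath,
        [string]$OpenSsl = 'openssl.exe'   # assumption: OpenSSL is installed and on PATH
    )
    # openssl x509 reads only the first certificate in the file. That must be the
    # server certificate; intermediate CA certificates come after it.
    $certPub = (& $OpenSsl x509 -in $CertPath -noout -pubkey 2>$null) -join "`n"

    # An empty -passin makes an encrypted key fail here instead of prompting;
    # a service cannot answer a passphrase prompt.
    $keyPub = (& $OpenSsl pkey -in $KeyPath -pubout -passin 'pass:' 2>$null) -join "`n"

    # -checkend 0 exits with code 0 only if the certificate has not expired yet.
    & $OpenSsl x509 -in $CertPath -noout -checkend 0 2>$null | Out-Null
    $notExpired = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        Certificate = $CertPath
        Key         = $KeyPath
        KeyMatches  = ($certPub.Length -gt 0 -and $certPub -eq $keyPub)
        NotExpired  = $notExpired
    }
}

# Constructed demo: two throwaway self-signed pairs, tested once in a matching
# and once in a deliberately mismatched combination, then deleted.
$tmp = Join-Path $env:TEMP ('certcheck-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$reqArgs = 'req', '-x509', '-newkey', 'rsa:2048', '-nodes', '-days', '1', '-subj', '/CN=localhost'
foreach ($n in 'a', 'b') {
    & openssl.exe @reqArgs -keyout "$tmp\$n.pem.key" -out "$tmp\$n.pem.crt" 2>$null
}
Test-CertKeyPair -CertPath "$tmp\a.pem.crt" -KeyPath "$tmp\a.pem.key"
Test-CertKeyPair -CertPath "$tmp\a.pem.crt" -KeyPath "$tmp\b.pem.key"
Remove-Item -Recurse -Force $tmp
```

For your own files, call Test-CertKeyPair with the paths of newired.example.com.pem.crt and newired.example.com.pem.key and continue only when both KeyMatches and NotExpired are True.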
Use the Newired self-signed certificate
We have prepared a self-signed certificate for you, which is part of the installation from version 21.1.0 (or you can download it from https://download.newired.com).
You can find the certificate in folder: [Newired_installation_location]/certs/
- localhost.pem.crt
- localhost.pem.key
- localhost-ca.pem.crt
If you have an older version of the Newired application, download the self-signed certificate from download.newired.com, unzip the files and move them to [Newired_installation_location]/certs/
For the self-signed certificate to be accepted as valid, you still need to import it into the trusted certificates of your system.
Add self-signed certificates to Trusted Root Certification Authorities
To add the saved certificate to the Trusted Root Certification Authorities store:
1. Right-click localhost-ca.pem.crt and click to import the certificate
2. On the Welcome page of the Wizard, click Next.
3. On the next page of the Certificate Import Wizard, click Next.
4. On the last page of the Certificate Import Wizard, click Finish.
5. We are now done
Conversion between different formats
We need to download OpenSSL for Windows: http://slproweb.com/products/Win32OpenSSL.html
You can use these commands to convert between different SSL certificate formats.
DER => PEM
    openssl.exe x509 -inform der -in certificate.der -out certificate.pem
PKCS#12 (private key + SSL certificates) => PEM
    openssl.exe pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can also add -nokeys, which will only export the SSL certificate without the private key. With -nodes, the private key is written to keyStore.pem unencrypted, so restrict access to that file.
Install Nginx
Nginx is a popular open-source web server and reverse proxy, known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.
NSSM is a simple program that integrates Nginx into your system as a Windows service.
Preparation before use
- Create folder C:\Nginx
  Note: We do not recommend putting Nginx in folders that contain spaces due to later custom configurations
- Download the latest Nginx version 1.x from https://nginx.org/download
- Unzip and copy all content `nginx-1.x/*` to C:\Nginx\
- Download the latest NSSM - https://nssm.cc/release/nssm-2.24.zip
- Unzip and copy file `nssm-2.24/win64/nssm.exe` to C:\Nginx\
Installation as a service
- Run PowerShell as administrator
    C:\Nginx\nssm.exe install nginx-service "C:\Nginx\nginx.exe"
- Start service
    net start nginx-service
To check that the service is running, enter http://localhost in your browser.
Sources: http://nginx.org/en/docs/windows.html
Configure NGINX as a reverse proxy
- Run PowerShell as administrator
    # backup before configuration
    Copy-Item -path C:\Nginx\conf\nginx.conf -destination C:\Nginx\conf\nginx.conf.bck -force
    # copy the prepared configuration
    Copy-Item -path C:\Newired\tomcat\conf\nginx-proxy\windows\nginx.conf -destination C:\Nginx\conf\ -force
- Copy Newired configuration template file from C:\Newired\tomcat\conf\nginx-proxy\windows\newired.conf to C:\Nginx\conf\
    Copy-Item -path C:\Newired\tomcat\conf\nginx-proxy\windows\newired.conf -destination C:\Nginx\conf\ -force
- Open the file newired.conf as an administrator in a text editor and replace its contents, if any, with the following lines, substituting the placeholders (for example, the domain name):
{{ app_domain_name }} => newired.example.com or localhost
{{ path_certificates }} => C:\Newired\certs\
    upstream backend {
        server 127.0.0.1:8090;
        keepalive 32;
    }

    server {
        listen 80;
        server_name {{ app_domain_name }};
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name {{ app_domain_name }};

        ssl_certificate {{ path_certificates }}/{{ app_domain_name }}.pem.crt;
        ssl_certificate_key {{ path_certificates }}/{{ app_domain_name }}.pem.key;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;

        root /dev/null;

        location / {
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_pass http://backend;
        }
    }
- Restart the Nginx service
Run PowerShell as administrator
    net stop nginx-service
    net start nginx-service
- Done. You can now enter the HTTPS address into your browser:
https://localhost/newired
or
https://newired.example.com/newired
Note: The configuration includes an automatic redirect from HTTP to HTTPS.
If the Newired login page does not appear after entering the address, we recommend checking the logs in C:\Nginx\logs\error
Change the portal domain name configuration
After completing the reverse proxy configuration, we need to change the application's configuration to HTTPS.
- Open the file C:\Newired\tomcat\conf\newired.properties as an administrator in a text editor
- Change the values to the new HTTPS protocol for localhost
    newired.backendUrl=https\://localhost/newired
    newired.contentDeliveryUrl=https\://localhost/newired/content
    newired.collectorUrl=https\://localhost/collector
    newired.objectStorageUrl=https\://localhost/newired/storage
or to the new domain name with HTTPS
    newired.backendUrl=https\://newired.example.com/newired
    newired.contentDeliveryUrl=https\://newired.example.com/newired/content
    newired.collectorUrl=https\://newired.example.com/collector
    newired.objectStorageUrl=https\://newired.example.com/newired/storage
- Restart the Newired application (run PowerShell as administrator)
    net stop "Newired Portal"
    net start "Newired Portal"
Uninstall Nginx
- Run PowerShell as administrator
- Stop the Nginx service
    net stop nginx-service
- Uninstall the Nginx service
    C:\Nginx\nssm.exe remove nginx-service
- Delete folder with Nginx files from C:\Nginx