wtorek, 17 maja 2022

basic nginx config


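# Plain-HTTP side: serves ACME challenge files and sends everything else
# to the HTTPS server below.
server {
  listen 80;
  listen [::]:80;

  server_name catch-all-for-nginx-wyga-cf;
  server_name ~^test\d*\.nginx\.wyga\.cf$;

  # ACME HTTP-01 challenges must stay reachable over plain HTTP.
  # /.well-known/... is looked up under /var/www/acme/.well-known/...
  location /.well-known {
    root /var/www/acme;
  }

  # Redirect to HTTPS. $request_uri keeps the original path and query
  # string (the bare `return https://$host;` form dropped them and answered
  # with a 302); 301 marks the redirect as permanent.
  location / {
    return 301 https://$host$request_uri;
  }
}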

# HTTPS side: static site under /var/www/wyga.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name catch-all-for-nginx-wyga-cf;
  server_name ~^test\d*\.nginx\.wyga\.cf$;

  # NOTE(review): this is the same self-signed CA:TRUE certificate/key pair
  # that the browser is told to trust as a CA (see the openssl commands
  # further down). Whoever can read wyga-ca.key can sign for anything the
  # browser trusts through it, so keep the key file root-only.
  ssl_certificate /etc/nginx/tls/wyga-ca.pem;
  ssl_certificate_key /etc/nginx/tls/wyga-ca.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  # No ssl_ciphers line, so nginx's default list (HIGH:!aNULL:!MD5) is used
  # for TLS 1.2; TLS 1.3 cipher suites are not affected by this setting.
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  root /var/www/wyga;

  index index.html;

  # Answer favicon requests with an empty 204 and keep them out of the log.
  location = /favicon.ico {
     access_log off;
     return 204;
  }

  # Serve the file, then the directory, otherwise 404 (no fallback to index).
  location / {
    try_files $uri $uri/ =404;
  }
}

self-signed certificate take 2

Generate self-signed certificate (with basic constraints extension CA:TRUE):
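# One-shot: new RSA key + self-signed certificate with the CA:TRUE basic
# constraint. -nodes leaves the key unencrypted on disk so nginx can load it
# without a passphrase.
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
  -keyout /etc/nginx/tls/wyga-ca.key \
  -out /etc/nginx/tls/wyga-ca.pem \
  -subj '/CN=WYGA-CA/'
# Make sure the key is readable by root only, whatever the umask was and
# even if a file already existed at that path (nginx reads it as root at
# startup, so 0600 is enough).
chmod 600 /etc/nginx/tls/wyga-ca.key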
Add the CA as trusted to your browser (works with Chrome).

Regenerate certificate with SNI names:
# Re-issue the certificate for the existing key, adding subjectAltName.
# -addext needs OpenSSL 1.1.1 or newer. -nodes has no effect here: with -key
# and no -keyout no key is written. The SAN list only covers test, test1 and
# test2, while the nginx server_name regex accepts any test<digits> host;
# add every name you actually use. Since the certificate changes, the copy
# imported into the browser presumably has to be replaced as well.
openssl req -x509 -nodes -sha256 -days 3650 \
  -key /etc/nginx/tls/wyga-ca.key \
  -out /etc/nginx/tls/wyga-ca.pem \
  -subj '/CN=WYGA-CA/' \
  -addext "subjectAltName = DNS:test.nginx.wyga.cf, DNS:test1.nginx.wyga.cf, DNS: test2.nginx.wyga.cf"
Firefox is stricter in this respect: this will not work with that browser ;)

środa, 11 maja 2022

nginx proxy for HP iLO BMC (HTML5 console only)

This is a PoC for proxying access to an HP iLO module via nginx. It allows using the HTML5 console (no Java or .NET console needed).
Tested only with iLO 4 (on ProLiant Gen9 servers).

bmc.conf:
# One `upstream` block per BMC; the upstream name is selected by host name below.
include /etc/nginx/bmc-nodes.conf;

# https://www.rfc-editor.org/rfc/rfc7230#section-6.1
# https://datatracker.ietf.org/doc/html/rfc6455#section-4.2.1
# For iLO Connection: Upgrade is case-sensitive... 
# Derive the Connection header sent upstream from the client's Upgrade header:
# any Upgrade value -> "Upgrade" (WebSocket handshake), no Upgrade header -> "close".
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

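# You need to listen on the https port.
# The host label in front of ".bmc.example.com" is captured into $bmc_node and
# must be the name of an upstream defined in bmc-nodes.conf, for example:
#  server1.bmc.example.com -> upstream server1
#  serverN.bmc.example.com -> upstream serverN
#  etc...
server {
    listen 443 ssl;
    # Named capture feeding $bmc_node. Anchored so only host names of exactly
    # this shape match (the unanchored form also matched longer names).
    server_name ~^(?<bmc_node>.+)\.bmc\.example\.com$;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_certificate /etc/nginx/tls/bmc.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/bmc.example.key;
    # Same protocol floor as the other configs on this page; nginx before
    # 1.23.4 would otherwise also offer TLSv1 and TLSv1.1.
    ssl_protocols TLSv1.2 TLSv1.3;

    proxy_http_version 1.1;

    # proxy_set_header is only inherited into a location that has no
    # proxy_set_header of its own, so Host is set inside each location below
    # rather than once at server level.

    # NOTE(review): nginx does not verify the iLO's certificate by default
    # (proxy_ssl_verify off). If the BMC certificates are issued by a CA you
    # control, consider `proxy_ssl_verify on;` plus
    # `proxy_ssl_trusted_certificate`.

    # Set some message for unmapped hosts (an unknown $bmc_node has no upstream
    # and, with no `resolver`, ends in a 502)
    #error_page 502 /bmc-missing.html;

    # Set HTTP auth
    #error_page 401 /bmc-auth.html;
    #auth_basic            "[BMC PROXY]";
    #auth_basic_user_file  /etc/nginx/bmc.passwd;

    location / {
        proxy_set_header Host $bmc_node;
        # Do not forward the proxy's own Authorization header to the iLO
        # (presumably for the auth_basic setup above); an empty Connection
        # header lets the upstream keep-alive pool be used.
        proxy_set_header Authorization '';
        proxy_set_header Connection '';
        proxy_pass https://$bmc_node;
    }

    # WebSocket connection for HTML5 Console
    location /wss/ircport {
        proxy_set_header Host $bmc_node;
        proxy_set_header Authorization '';
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Console sessions are long-lived and mostly idle; 30 min read timeout.
        proxy_read_timeout 1800;
        proxy_pass https://$bmc_node;
    }

    # error page for 502
    #location = /bmc-missing.html {
    #    auth_basic off;
    #    internal;
    #    root /var/www/bmc/;
    #}
    # error page for 401
    #location = /bmc-auth.html {
    #    auth_basic off;
    #    internal;
    #    root /var/www/bmc/;
    #}
}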

bmc-nodes.conf:
# Name must equal the host label captured as $bmc_node in bmc.conf.
upstream server1 {
    server 10.0.0.1:443;
    # Idle keep-alive connections kept per worker; requires
    # proxy_http_version 1.1 and an empty Connection header (set in bmc.conf).
    keepalive 4;
}

# Name must equal the host label captured as $bmc_node in bmc.conf.
upstream server2 {
    server 10.0.0.2:443;
    # Idle keep-alive connections kept per worker (see bmc.conf).
    keepalive 4;
}
...    
# Template for further nodes: replace N with the node's number in both
# the upstream name and the address.
upstream serverN {
    server 10.0.0.N:443;
    # Idle keep-alive connections kept per worker (see bmc.conf).
    keepalive 4;
}