Sunday, October 21, 2018

Oracle Apex - Implement HTTPS with NGINX (Let's Encrypt signed cert)

Today I set up an HTTPS front end for my Oracle Apex server. It uses the reverse proxy feature of NGINX with a certificate signed by Let's Encrypt.

These notes are for CentOS 6.9 with Oracle Apex listening on port 8080.

1. Install NGINX (logged in as root)

# yum install epel-release
# yum install nginx
# service nginx start
# chkconfig nginx on

2. Generate the SSL certificate

Three things to ensure before this:
  1. there is an A record in your DNS server pointing to this machine (e.g. apex.yourdomain.com pointing to an external fixed IP address)
  2. if your machine is behind a firewall and uses a private IP address, make sure you have a proper virtual-server (port-forwarding) rule: map external ports 80 and 443 to internal 188.4.72.11:80 and 443.
  3. if your machine is behind a firewall and uses a private IP address, make sure there is a dedicated NAT rule for this server's outgoing packets.

Testing to ensure it works:

  1. ping apex.yourdomain.com from any external machine and make sure it resolves to the real IP address; it doesn't matter if the ping times out.
  2. run the following command to make sure all outgoing packets carry the real IP address:
# dig +short myip.opendns.com @resolver1.opendns.com
     Make sure the displayed IP address is the same as the one in step 1.
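The two tests above can be scripted so they are easy to repeat after a firewall change. The script below is an added example, not part of the original post: it assumes dig is installed (the bind-utils package on CentOS), that the hostname passed in is the one in your A record, and it uses the same OpenDNS resolver trick as the dig command above. The comparison is kept in a pure function so the validation logic can be exercised without network access.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# Let's Encrypt challenge. Assumes dig is installed and that HOST is the
# name in your A record.

# Return 0 only for a well-formed dotted-quad IPv4 address. dig +short can
# print nothing, a CNAME target or several lines, so validate before comparing.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# First A record a public resolver returns for the name (empty if none).
dns_ip() {
    dig +short A "$1" @resolver1.opendns.com | grep -E '^[0-9.]+$' | head -n 1
}

# Address this machine's outbound packets carry (the OpenDNS trick from the post).
egress_ip() {
    dig +short myip.opendns.com @resolver1.opendns.com
}

# Pure comparison so it can be tested offline. Prints a verdict and returns 0
# only when both values are valid addresses and identical.
compare_ips() {
    dns=$1; egress=$2
    if ! is_ipv4 "$dns"; then
        echo "FAIL: no usable A record (got '$dns')"; return 1
    fi
    if ! is_ipv4 "$egress"; then
        echo "FAIL: could not determine egress address (got '$egress')"; return 1
    fi
    if [ "$dns" != "$egress" ]; then
        echo "FAIL: A record $dns differs from egress address $egress (check the virtual-server and NAT rules)"; return 1
    fi
    echo "OK: $dns"
}

# Run both lookups and compare. Usage: preflight apex.yourdomain.com
preflight() {
    compare_ips "$(dns_ip "$1")" "$(egress_ip)"
}
```

Run it as preflight apex.yourdomain.com from the Apex host itself; a FAIL on the second line is the NAT rule from item 3 above not being in place, a FAIL on the first is the A record.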

Now you can install Certbot. Log in as root:
# cd /root
# wget https://dl.eff.org/certbot-auto
# chmod a+x certbot-auto

Then generate the certificate for NGINX:

# /root/certbot-auto --nginx certonly

3. Configure the certificate in nginx

# vi /etc/nginx/conf.d/ssl.conf

Add the following lines to the file:

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    # certificate chain and private key written by certbot in step 2
    ssl_certificate /etc/letsencrypt/live/apex.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apex.yourdomain.com/privkey.pem;
    # protocol and cipher settings plus DH parameters shipped with certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

4. Restart nginx

# service nginx restart

Now you can use https://apex.yourdomain.com
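The firewall rule in step 2 maps external port 80 to this host, but nothing in the configuration so far answers on it, so a plain http://apex.yourdomain.com request lands on nginx's default page. A companion server block for port 80, added here as an example and not part of the original post, sends those requests to the HTTPS site; it assumes the same hostname used throughout. The redirect sits inside location / rather than at server level so that a more specific location, such as the /.well-known/acme-challenge/ location certbot's nginx plugin adds while it renews, still takes precedence over it.

```nginx
# Added example (not from the original post): /etc/nginx/conf.d/redirect.conf
# Send every plain-HTTP request for the Apex hostname to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name apex.yourdomain.com;

    # Kept inside a location so a longer, more specific location (the ACME
    # challenge path certbot inserts temporarily) is matched before it.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Once more than one name is hosted on this box, the 443 block above should carry the same server_name line so it only answers for the Apex hostname. After the HTTPS site is known to work, add_header Strict-Transport-Security "max-age=31536000" always; in the 443 block tells browsers to skip port 80 on later visits. Check the syntax with nginx -t before restarting.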

5. Set up the reverse proxy for Apex

# vi /etc/nginx/conf.d/ssl.conf

Add the following lines within the server {} block:

    location / {
        # Fix the "It appears that your reverse proxy set up is broken" error.
        # Hand every request to the Apex listener on port 8080
        proxy_pass http://localhost:8080;
        proxy_read_timeout      90;

        # Rewrite Location headers the backend emits with its own address,
        # otherwise browsers get sent to localhost:8080
        proxy_redirect http://localhost:8080/apex https://apex.yourdomain.com/apex;

        # Tell the backend the original host, client address and scheme so it
        # can log the real client and build absolute URLs with https://
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
    }

# service nginx restart

Now you can use https://apex.yourdomain.com/apex
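Before calling the setup done it is worth checking, from a machine outside your network, that the certificate served on 443 is the one for this name, that the proxy_redirect line above really hides the backend address, and that port 8080 is not reachable directly through the firewall. The script below is an added example, not part of the original post; it assumes openssl and curl are installed on the checking machine and that the hostname passed in is the one used throughout. The two parsing helpers are pure so they can be tested without network access.

```shell
#!/bin/sh
# Added example (not from the original post): post-deployment checks to run
# from OUTSIDE your network. Assumes openssl and curl are installed here and
# that HOST is the name used throughout the post.

# Pure helper: given the "Subject Alternative Name" lines printed by
# openssl x509 -text, return 0 if the certificate names HOST. A wildcard
# entry *.example.com covers a.example.com, not example.com or b.a.example.com.
san_covers_host() {
    host=$2
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | {
            while IFS= read -r entry; do
                case "$entry" in
                    "$host") exit 0 ;;
                    \*.*)
                        suffix=${entry#\*.}
                        rest=${host%".$suffix"}
                        # match only when exactly one label was stripped off HOST
                        if [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "$rest" = "${rest%%.*}" ]; then
                            exit 0
                        fi ;;
                esac
            done
            exit 1
        }
}

# Pure helper: given raw response headers, return 0 if a Location header
# still points at the internal backend, i.e. the proxy_redirect line is
# missing or wrong and browsers would be sent to localhost:8080.
location_leaks_backend() {
    printf '%s\n' "$1" | grep -i '^location:' | grep -q 'localhost:8080'
}

# SAN lines of the certificate actually served on 443 (works with old openssl too).
fetch_san() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | grep -A1 'Subject Alternative Name'
}

# 0 if the served certificate expires within $2 days (also fires when it
# could not be fetched at all).
cert_expires_within() {
    if printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# 0 if the Apex listener answers directly from here; it should not.
backend_reachable() {
    curl -s -m 5 -o /dev/null "http://$1:8080/"
}

# Run everything. Usage: check_deploy apex.yourdomain.com
check_deploy() {
    host=$1; rc=0
    if san_covers_host "$(fetch_san "$host")" "$host"; then
        echo "OK: certificate on 443 covers $host"
    else
        echo "FAIL: certificate on 443 does not name $host"; rc=1
    fi
    if cert_expires_within "$host" 14; then
        echo "WARN: certificate expires within 14 days or could not be fetched; check certbot renewal"; rc=1
    fi
    if location_leaks_backend "$(curl -sI -m 10 "https://$host/apex")"; then
        echo "FAIL: redirect Location points at localhost:8080; check proxy_redirect"; rc=1
    fi
    if backend_reachable "$host"; then
        echo "FAIL: port 8080 answers from outside; only 80 and 443 should be mapped through the firewall"; rc=1
    fi
    return $rc
}
```

Let's Encrypt certificates are valid for 90 days, so the expiry check is the one to keep running from cron alongside certbot's own renewal.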
 
 
