Oracle Cloud CentOs Nginx HTTPS Reverse Proxy Nodejs Digest API
- Personal Chao yu
- Jul 21, 2021
- 4 min read
Why: Recently I came into contact with a client that uses Digest Auth for their API, and that API is then consumed from Oracle PL/SQL. I had never heard of Digest Auth, let alone used it. So, out of curiosity, I started digging around and set out to create my own API with Digest as the authentication method. To be able to consume it from PL/SQL, I also need to make it HTTPS ready. So off we go.
First, I made myself a shopping list:
- nodejs (really easy to start with)
- oracle free cloud CentOS instance (host)
- domain (www.chaoyu.nl), 1 euro per year + 0.45 euro per year for DNS
- SSL certificate from Let's Encrypt (free)
- Nginx (proxy server)
1. Create a new CentOS instance.
Remember to download the SSH key so you can connect to the instance via ssh.
The IP is: 130.61.155.224
Let us create a .bat file that uses ssh to connect to this server.
Right click on your desktop, create a new text file, change the extension to .bat, put the following two lines in it and save it.
rem make sure you have the ssh key downloaded and stored on your local drive, and change the location accordingly
ssh -i C:\Users\cyu\Downloads\ssh-key-2021-07-20.key opc@130.61.155.224
After you have saved the file, double click on it. A CLI window opens and asks whether you want to connect, like this:
C:\Users\cyu\Desktop>rem make sure you have the ssh key downloaded ands stored in your local drive and change the location accordingly
C:\Users\cyu\Desktop>ssh -i C:\Users\cyu\Downloads\ssh-key-2021-07-20.key opc@130.61.155.224
The authenticity of host '130.61.155.224 (130.61.155.224)' can't be established.
ECDSA key fingerprint is SHA256:0000.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes and press Enter.
C:\Users\cyu\Desktop>ssh -i C:\Users\cyu\Downloads\ssh-key-2021-07-20.key opc@130.61.155.224
[opc@centos-ngnix ~]$
2. Create a new sudo user
[opc@centos-ngnix ~]$ sudo adduser myproxyserver
[opc@centos-ngnix ~]$ sudo passwd myproxyserver
[opc@centos-ngnix ~]$ sudo usermod -aG wheel myproxyserver
First we create a new user, then give the user a password, and at the end we add the user to the wheel group, which has sudo privileges.
See the linked guide for more detail.
3. Enable password authentication
sudo nano /etc/ssh/sshd_config
This opens the file sshd_config for editing. Change
#PasswordAuthentication yes
PasswordAuthentication no
to
PasswordAuthentication yes
#PasswordAuthentication no
Once done, press Ctrl + X to close the file and Y to save the buffer to the file.
At the end, remember to restart the service with the following command:
sudo service sshd restart
This makes sure we can log in as user myproxyserver with a password. To log in we use the following command:
ssh myproxyserver@130.61.155.224
This prompts for the password. If you see something else, it means you did not save sshd_config correctly or you did not restart the sshd service.
C:\Users\cyu>ssh myproxyserver@130.61.155.224
myproxyserver@130.61.155.224's password:
Last login: Tue Jul 20 13:38:47 2021
[myproxyserver@centos-ngnix ~]$
Create an SSL certificate for HTTPS (link). Let's Encrypt can only issue a certificate for a domain name, not for an IP address.
Install certbot:
sudo yum install certbot python2-certbot-nginx
Allow HTTP and HTTPS through the firewall:
sudo firewall-cmd --permanent --add-service=http --add-service=https
sudo firewall-cmd --reload
Obtain the certificate:
sudo certbot --nginx -d www.yourdomain.com
Follow the prompts and answer the questions; at the end you receive SSL certificates valid for 90 days.
To renew them after 90 days:
sudo certbot renew
sudo nginx -s reload
We are not done yet. To tell Nginx about the SSL certificate, we need to go to the following folder and edit or create a .conf file. Make sure you have only one .conf file here.
sudo nano /etc/nginx/conf.d/anyname.conf
The content of this .conf file should look like this, where domain_name is the domain you entered when obtaining the certificate. Note that ssl_dhparam points at /etc/ssl/certs/dhparam.pem; Nginx refuses to start if that file does not exist, so generate it first (for example with openssl dhparam) or drop the directive. TLSv1.1 is deprecated, so allowing only TLSv1.2 (and TLSv1.3 where your Nginx supports it) is the safer choice.
# HTTPS server
server {
    listen 443 ssl;
    server_name domain_name;
    ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
# HTTP redirect
server {
    listen 80;
    server_name domain_name;
    return 301 https://$server_name$request_uri;
}
Here is the link that explains each of the steps we take here in more detail.
-------------------------------------------------------------------------------------------------
Install Node.js: link1, link2 (link1 shows how to upgrade an older version of Node to a newer one, link2 shows how to install Node from scratch).
curl -sL https://rpm.nodesource.com/setup_14.x | sudo bash -
sudo yum install nodejs
node --version
# shows the version of Node you have installed
Install Git
sudo yum install git
git --version
# check the version of git to test that it is installed correctly
Clone my git repo
[myproxyserver@centos-ngnix ~]$ cd
# go to the home folder of the current user
[myproxyserver@centos-ngnix ~]$ sudo mkdir youfoldername
# any name you like
[myproxyserver@centos-ngnix ~]$ cd youfoldername
[myproxyserver@centos-ngnix youfoldername]$ sudo git clone https://github.com/chaoyuim/digestAPI.git
# this should be one line
[myproxyserver@centos-ngnix youfoldername]$ ls
# you should now see the folder digestAPI
[myproxyserver@centos-ngnix youfoldername]$ cd digestAPI
[myproxyserver@centos-ngnix digestAPI]$ sudo npm install
[myproxyserver@centos-ngnix digestAPI]$ node index.js
# starts the server; it listens on port 3000
Before we test it, we need to do two things:
- Oracle Cloud network settings (allow inbound TCP port 3000 to the instance)
- Linux firewall
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --reload
When both settings are done correctly, go to your own IP address at port 3000 and hopefully you will see the login prompt. This means our Digest auth is live and kicking.

The next step is to configure the reverse proxy, which is actually pretty easy.
Remember the .conf file we created earlier? We need to add some extra lines to it: the location /digestapi block, marked with a comment below.
# HTTPS server
server {
    listen 443 ssl;
    server_name domain_name;
    ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    # added for the reverse proxy: forward /digestapi to the Node server on port 3000
    location /digestapi {
        proxy_pass http://domain_name:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# HTTP redirect
server {
    listen 80;
    server_name domain_name;
    return 301 https://$server_name$request_uri;
}
Ctrl + X
# to save and close the file
sudo systemctl restart nginx
# don't forget to restart the server
The last step is to add port 3000 to the SELinux http_port_t type with this command, so that Nginx is allowed to connect to the backend:
sudo semanage port -a -t http_port_t -p tcp 3000
Moment of truth:
Some links for troubleshooting:
"502 Bad Gateway": check here (link).
Details about semanage: link.
Details about Nginx as a reverse proxy: link.