Oracle Cloud CentOs Nginx HTTPS Reverse Proxy Nodejs Digest API
- Personal Chao yu
- Jul 21, 2021
- 4 min read
Why: Recently I came into contact with a client that uses Digest Auth for their API, and this API is consumed from Oracle PL/SQL. I had never heard of nor used Digest Auth. So, with a curious mind, I started to dig around and tried to create my own API with Digest as the authentication method. To be able to consume it from PL/SQL, I also need to make it HTTPS ready. So off we go.
First, I made myself a shopping list:
- Node.js (really easy to start)
- Oracle free cloud CentOS instance (host)
- domain (www.chaoyu.nl), 1 euro per year + 0.45 euro per year for DNS
- SSL from Let's Encrypt (free)
- Nginx (proxy server)
1. Create a new CentOS instance.
Remember to download the SSH key so you can connect to the instance via ssh.
IP is: 130.61.155.224
Let us create a .bat file that uses ssh to connect to this server.
Right click on your desktop, create a new text file, change the extension to .bat, put the following code in it and save it.
rem make sure you have the ssh key downloaded and stored in your local drive and change the location accordingly
ssh -i C:\Users\cyu\Downloads\ssh-key-2021-07-20.key opc@130.61.155.224
After you have saved the file, double click on this .bat file. You will see a CLI window asking if you want to connect, like this.
C:\Users\cyu\Desktop>rem make sure you have the ssh key downloaded and stored in your local drive and change the location accordingly
C:\Users\cyu\Desktop>ssh -i C:\Users\cyu\Downloads\ssh-key-2021-07-20.key opc@130.61.155.224
The authenticity of host '130.61.155.224 (130.61.155.224)' can't be established.
ECDSA key fingerprint is SHA256:0000.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type yes and Enter.
C:\Users\cyu\Desktop>ssh -i C:\Users\cyu\Downloads\ssh-key-2021-07-20.key opc@130.61.155.224
[opc@centos-ngnix ~]$
2. Create a new sudo user
[opc@centos-ngnix ~]$ sudo adduser myproxyserver
[opc@centos-ngnix ~]$ sudo passwd myproxyserver
First we create a new user, then give the user a password; at the end we assign the user to the group wheel, which has sudo privileges.
See the more detailed guide.
3. Enable Password Authentication
sudo nano /etc/ssh/sshd_config
This will open the file sshd_config for editing. Change
#PasswordAuthentication yes
PasswordAuthentication no
to
PasswordAuthentication yes
#PasswordAuthentication no
Once done, press 'Ctrl + X' to close the file and 'Y' to save the buffer to the file.
At the end, remember to restart the service with the following command:
sudo service sshd restart
This makes sure that we can log in as user myproxyserver using a password. To log in we need the following command:
ssh myproxyserver@130.61.155.224
This will prompt for the password. If you see something else, it means you did not save the file sshd_config correctly or you did not restart the sshd service.
C:\Users\cyu>ssh myproxyserver@130.61.155.224
myproxyserver@130.61.155.224's password:
Last login: Tue Jul 20 13:38:47 2021
[myproxyserver@centos-ngnix ~]$
Create SSL for HTTPS (link). It can only encrypt a domain name, not an IP address.
Install certbot:
sudo yum install certbot python2-certbot-nginx
Allow HTTP and HTTPS in the firewall:
sudo firewall-cmd --permanent --add-service=http --add-service=https
sudo firewall-cmd --reload
Obtain the certificate:
sudo certbot --nginx -d www.yourdomain.com
Follow the prompts and answer the questions; at the end you will receive SSL certificates valid for 90 days.
To renew after 90 days:
sudo certbot renew
sudo nginx -s reload
We are not done yet. To tell Nginx about the SSL certificate, we need to go to the following folder and edit or create a new .conf file. Make sure you only have one .conf file here.
sudo nano /etc/nginx/conf.d/anyname.conf
The content of this .conf file should look like this. The domain_name is what you entered while obtaining the certificate.
# HTTPS server
server {
    listen 443 ssl;
    server_name domain_name;
    ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
# HTTP redirect
server {
    listen 80;
    server_name domain_name;
    return 301 https://$server_name$request_uri;
}
Here is the link that explains more about each step we take here.
-------------------------------------------------------------------------------------------------
Install Node.js: link1 link2 (link1 shows how to upgrade a lower version of Node to a newer version, link2 shows you how to install Node from scratch).
curl -sL https://rpm.nodesource.com/setup_14.x | sudo bash -
sudo yum install nodejs
node --version
# shows the version of node you have installed
Install Git
sudo yum install git
git --version
# check the version of git and test if it is installed correctly
Clone my git repo
[myproxyserver@centos-ngnix ~]$ cd
# go to the home folder of the current user
[myproxyserver@centos-ngnix ~]$ sudo mkdir youfoldername
# any name you like
[myproxyserver@centos-ngnix ~]$ cd youfoldername
[myproxyserver@centos-ngnix youfoldername]$ sudo git clone https://github.com/chaoyuim/digestAPI.git
[myproxyserver@centos-ngnix youfoldername]$ ls
# you should now see the folder digestAPI
[myproxyserver@centos-ngnix youfoldername]$ cd digestAPI
[myproxyserver@centos-ngnix digestAPI]$ sudo npm install
[myproxyserver@centos-ngnix digestAPI]$ node index.js
# starts the server; it listens on port 3000
Before we test it, we need to do two things:
- Oracle Cloud settings
- Linux firewall
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --reload
When both settings are done correctly, go to your own IP address at port 3000; hopefully you will see this. It means our Digest auth is live and kicking.
The next step is to configure the reverse proxy; this step is actually pretty easy.
Remember the .conf file we created earlier? We need to add some extra lines to it (the location /digestapi block below).
# HTTPS server
server {
    listen 443 ssl;
    server_name domain_name;
    ssl_certificate /etc/letsencrypt/live/domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain_name/privkey.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    location /digestapi {
        proxy_pass http://domain_name:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
# HTTP redirect
server {
    listen 80;
    server_name domain_name;
    return 301 https://$server_name$request_uri;
}
Ctrl + X
# to close and save the file
sudo systemctl restart nginx
# don't forget to restart the server
The last step is to add port 3000 to http_port_t with this command:
sudo semanage port -a -t http_port_t -p tcp 3000
Moment of truth:


Some links for troubleshooting.
"502 Bad Gateway": check here: link
details about semanage: link
details about Nginx as reverse proxy: link