Tag: SSL

  • Nginx Multiple Upstreams with HTTPS Support

    This example ensures that every request to the upstream servers is sent over HTTPS (port 443 on each member), never plain HTTP.

    upstream source.example.tld {
      server s1.example.tld:443;
      server s2.example.tld:443 max_fails=2 fail_timeout=5s;
      server s3.example.tld:443;
    }
    
    server {
      # TLS settings for the nginx -> upstream hop
      proxy_ssl_protocols     TLSv1.2 TLSv1.3;
      # "off" means nginx does not check the upstream certificate: the hop is
      # encrypted but the upstream is not authenticated (default is also off)
      proxy_ssl_verify        off;
      proxy_ssl_session_reuse on;
    
      # proxy_pass is only valid inside a location block
      location / {
        proxy_pass https://source.example.tld/;
      }
    }
  • HTTPS on UniFi Cloud Key, with Remote Access Support, the Easy Way

    You can try this method if your setup matches the following:

    Requirements

    • A public IP to the internet (to access Unifi Security Gateway remotely)
    • A server running Nginx on public internet
    • A CA issued certificate

    Set port forwarding for your Cloud Key

    In general, you can reach your Unifi Security Gateway (USG) via your public IP (USG_IP), so in my method you need to forward your UCK management dashboard traffic (UCK_IP:8443 by default) to your public IP. It’s under Settings – Routing & Firewall – Port Forwarding. Enter your Cloud Key IP address as Forward IP, and use the default 8443 as both Port and Forward Port. As a security best practice, you can also restrict the From (source) field to your Nginx server’s IP.

    Setup Nginx proxy

    Use the following Nginx configuration; note that this is a simplified version.

    server {
      listen                  80;
      listen                  [::]:80;
    
      server_name             unifi.example.com;
    
      return                  301 https://$server_name$request_uri;
    }
    
    server {
      listen                  443       ssl http2;
      listen                  [::]:443  ssl http2;
    
      # To avoid unreachable port error when launching dashboard from unifi.ubnt.com
      listen                  8443       ssl http2;
      listen                  [::]:8443  ssl http2;
    
      server_name             unifi.example.com;
    
      # Certificate
      ssl_certificate         /etc/nginx/ssl/unifi.example.com.crt;
      ssl_certificate_key     /etc/nginx/ssl/unifi.example.com.key;
    
      location /wss {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 86400;
        proxy_pass https://USG_IP:8443;
      }
    
      location / {
        proxy_set_header Host $http_host;
        proxy_set_header CLIENT_IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 180;
        proxy_pass https://USG_IP:8443;
      }
    }
    

    Update DNS records

    Point your unifi.example.com to your public IP. Open it in your browser and everything should now work!

  • Export Website RSA Private Key for Apache Server Certificate from OS X Server

    If you’re using OS X Server and MAMP Pro at the same time, and you’d like to export OS X site certificates to use them for MAMP Pro sites, you can do the following:

    • Locate certificate (Category -> Certificates)
    • control + click -> Export… -> Certificate.p12

    Next, I need to split the PKCS12 archive to get the old private key out:

    $ openssl pkcs12 -in site.p12 -nocerts -out site.key
    

    Remove the passphrase from the key (otherwise you have to enter it every time you restart services):

    $ openssl rsa -in site.key -out site.unprotected.key
    

    Read more: Renewing a SSL Certificate on OSX Server

  • How to Generate SSL Certificate Chain for Nginx

    I’m using a Comodo certificate; you will get these files in their email:

    • Root CA Certificate – AddTrustExternalCARoot.crt
    • Intermediate CA Certificate – UTNAddTrustSGCCA.crt
    • Intermediate CA Certificate – ComodoUTNSGCCA.crt
    • Intermediate CA Certificate – EssentialSSLCA_2.crt
    • Your EssentialSSL Certificate – www_example_com.crt

    Correct order:

    1. Your EssentialSSL Certificate – www_example_com.crt
    2. Intermediate CA Certificate – EssentialSSLCA_2.crt
    3. Intermediate CA Certificate – ComodoUTNSGCCA.crt
    4. Intermediate CA Certificate – UTNAddTrustSGCCA.crt
    5. Root CA Certificate – AddTrustExternalCARoot.crt

    You can create the chained certificate that Nginx requires:

    cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > example.com.chained.crt

    In fact, you only need the first three certificates: most systems already have the root CA in their trust store.

    cat www_example_com.crt EssentialSSLCA_2.crt ComodoUTNSGCCA.crt  > example.com.chained.crt

    Update Mar 21, 2015:

    Comodo updated their certificate filenames, so the correct order is now:

    1. Your EssentialSSL Certificate – www_example_com.crt
    2. Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
    3. Intermediate CA Certificate – COMODORSAAddTrustCA.crt
    4. Root CA Certificate – AddTrustExternalCARoot.crt

    cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.chained.crt
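    The ordering above is easy to get wrong, so it is worth checking the bundle before it goes into Nginx. The script below is an added example, not from the original post: it builds a constructed throwaway root/intermediate/leaf PKI (made-up names) in place of the Comodo files, and `check_chain` then confirms that a bundle starts with the server certificate, that each certificate is followed by its issuer, and that the leaf verifies against the root with only the bundle supplying the intermediates, which is also why the root itself can be left out of the bundle.

```shell
#!/bin/sh
# Added example (not from the original post): build a constructed throwaway
# root -> intermediate -> leaf PKI, then check that a concatenated bundle is in
# the order nginx expects (server cert first, each cert followed by its issuer).
set -e
WORK=$(mktemp -d)

# Constructed demo PKI standing in for the CA-provided files; names are made up.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# check_chain BUNDLE ROOT: returns 0 when BUNDLE is leaf-first, every cert is
# issued by the one after it, and the leaf verifies against ROOT (the only
# trust anchor) with the bundle supplying the intermediates.
check_chain() {
  bundle=$1; root=$2; parts=$(mktemp -d)
  # split the bundle into cert-1.pem, cert-2.pem, ... in file order
  awk -v d="$parts" '/BEGIN CERT/{n++} n>0{print > (d "/cert-" n ".pem")}' "$bundle"
  set -- "$parts"/cert-*.pem; count=$#; i=1
  while [ "$i" -lt "$count" ]; do
    iss=$(openssl x509 -in "$parts/cert-$i.pem" -noout -issuer)
    sub=$(openssl x509 -in "$parts/cert-$((i + 1)).pem" -noout -subject)
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
      echo "order error: certificate $i is not issued by certificate $((i + 1))"
      return 1
    fi
    i=$((i + 1))
  done
  openssl verify -CAfile "$root" -untrusted "$bundle" "$parts/cert-1.pem" >/dev/null 2>&1
}

make_demo_pki
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/good.chained.crt"   # nginx order
cat "$WORK/int.crt" "$WORK/leaf.crt" > "$WORK/bad.chained.crt"    # reversed
check_chain "$WORK/good.chained.crt" "$WORK/root.crt" && echo "good bundle: OK"
check_chain "$WORK/bad.chained.crt" "$WORK/root.crt" || echo "bad bundle: rejected"
```

    To check a real bundle, run `check_chain example.com.chained.crt AddTrustExternalCARoot.crt` with the root file from the CA's email (or from the system trust store).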