How To
Summary
This document will go through how to configure NGINX as an SSL reverse proxy to an IBM Apache server. This will allow TLSv1.3 connections, which NGINX currently supports, to an IBM Apache server that does not currently allow this.
Environment
Requirements
- The OS must be at V7R2 or higher
- NGINX must be installed
- OpenSSL 1.1.1+ must be installed
- An IBM Apache server must be configured
NGINX Installation instructions:
https://www-01.ibm.com/support/docview.wss?uid=ibm10743711
NGINX SSL Configuration instructions:
https://www-01.ibm.com/support/docview.wss?uid=ibm10744529
Steps
NOTE: In this example we will configure NGINX to use an SSL certificate exported from Digital Certificate Manager (DCM), the same SSL certificate assigned to the IBM Apache server.
1) First we will need to go through the installation instructions provided above to ensure that the NGINX server is configured for SSL and that it is using the same certificate as the IBM Apache server.
2) We can then update our NGINX server configuration to look like the following (replace https://systemName:63443 with your URL for your IBM Apache server):
server {
    listen 443 ssl;

    # Certificate and key exported from DCM (same certificate as the IBM Apache server)
    ssl_certificate     /home/cert.pem;
    ssl_certificate_key /home/cert.key;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    # Protocols offered to clients connecting to NGINX
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Backend IBM Apache server
        proxy_pass https://systemName:63443;
        # Protocols NGINX uses when connecting to the backend
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    }
}
This routes all requests to the URL referenced in the proxy_pass statement and allows clients to access the site with TLSv1.3. The backend Apache server does not currently allow TLSv1.3, so NGINX communicates with it using the protocols specified in proxy_ssl_protocols.
3) Once the NGINX configuration has been updated we need to either stop/start the server, or perform a reload operation:
A) On the IBM i command line type STRQSH
B) Type the following commands to stop/start the server:
cd /QOpenSys/pkgs/bin
nginx -s stop
nginx
NOTE: If you want to use a different configuration than the default '/QOpenSys/etc/nginx/nginx.conf' you would use this command to start it instead:
nginx -c /path/nginx.conf
If you would like to perform a reload instead of a stop/start run the following command:
nginx -s reload
The reload will gracefully end the existing worker processes and start new ones, which will pick up the new configuration changes.
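A check for the two TLS legs configured in step 2, added here as an example (it is not IBM's code): the script reads a server block and reports protocols deprecated by RFC 8996 and whether the backend certificate is verified. SAMPLE_CONF is a constructed copy of the step 2 block, the function names are hypothetical, and the parser handles only simple 'name args;' directives.

```python
import re

# Protocol versions formally deprecated (SSLv2/SSLv3 earlier, TLS 1.0/1.1 by RFC 8996).
DEPRECATED = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}

# Constructed sample: the TLS-relevant lines of the server block from step 2.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /home/cert.pem;
    ssl_certificate_key /home/cert.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;   # client -> NGINX leg
    location / {
        proxy_pass https://systemName:63443;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # NGINX -> backend leg
    }
}
"""

def directives(conf):
    """Yield (name, [args]) for each simple directive or block header."""
    conf = re.sub(r"#[^\n]*", "", conf)          # strip comments
    for stmt in re.split(r"[;{}]", conf):        # simplification: no quoted ';'
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return findings for the client-facing and backend TLS legs."""
    findings, seen = [], {}
    for name, args in directives(conf):
        seen[name] = args
        if name in ("ssl_protocols", "proxy_ssl_protocols"):
            leg = "client" if name == "ssl_protocols" else "backend"
            for proto in args:
                if proto.lower() in DEPRECATED:
                    findings.append(f"{leg}: {name} enables deprecated {proto}")
    # proxy_ssl_verify defaults to off, so an https upstream is not
    # authenticated unless the directive is set explicitly.
    upstream = (seen.get("proxy_pass") or [""])[0]
    if upstream.startswith("https://") and seen.get("proxy_ssl_verify") != ["on"]:
        findings.append("backend: proxy_ssl_verify is not on, "
                        "upstream certificate is not checked")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Turning on proxy_ssl_verify also requires proxy_ssl_trusted_certificate to point at the CA that issued the backend certificate.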
Additional Information
NGINX Product Documentation:
https://www-prd-trops.events.ibm.com/node/how-configure-nginx-ssl-ibm-i
Document Information
Modified date:
18 December 2019
UID
ibm10787811