This repository has been archived by the owner on Jul 15, 2021. It is now read-only.
Run the RPKI Validator UI and API behind an nginx proxy
Mikhail Puzanov edited this page Jan 8, 2020
·
1 revision
# Enable the EPEL repository, then install nginx from the package manager.
# NOTE(review): epel-release is installed first, presumably because that is where
# nginx is packaged on this distribution - confirm for your release.
sudo yum install -y epel-release
sudo yum install -y nginx
# Start nginx immediately, then register it to start again at boot.
sudo systemctl start nginx
sudo systemctl enable nginx
# Proxy every request path to the validator listening on localhost:8080.
location / {
    # limit_except applies its contents to every method that is NOT listed:
    # GET and HEAD pass through without credentials, while all other methods
    # (POST, PUT, DELETE, ...) require HTTP Basic authentication. Anything the
    # validator serves on GET is therefore public.
    limit_except GET HEAD {
        # Realm string shown in the client's login prompt.
        auth_basic 'Private property';
        # User/password-hash file; it must exist before protected methods work.
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
    # NOTE(review): Basic credentials are only base64-encoded on the wire, so
    # this location should be served over TLS before real passwords are used.
    proxy_pass_request_headers on;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # NOTE(review): Connection is fixed to keep-alive rather than "upgrade", so
    # protocol upgrades (e.g. WebSocket) will presumably not complete - confirm
    # whether the validator UI needs them.
    proxy_set_header Connection keep-alive;
    # Pass the host name of the original request on to the backend.
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    # NOTE(review): the authentication above only covers requests that arrive
    # through nginx. Verify that the validator is bound to the loopback
    # interface (or that port 8080 is firewalled) so it cannot be reached
    # directly.
    proxy_pass http://localhost:8080;
}
The location block can be added to any virtual host (server block) in nginx; if the server is used only for the RPKI Validator, you can instead replace the location block in nginx.conf.
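# Install certbot together with its nginx plugin.
# NOTE: epel-release is installed first, presumably because certbot-nginx is
# packaged in EPEL - confirm for your release.
sudo yum install epel-release
sudo yum install certbot-nginx
# Request a certificate for the host name and let certbot edit the nginx
# configuration. certbot rewrites files under /etc/nginx and /etc/letsencrypt,
# so it needs root just like the two install commands before it.
sudo certbot --nginx -d rpki.example.com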
Don't forget to set up automatic renewal of the Let's Encrypt certificate.
# Opens the invoking user's crontab in an editor. The renewal job has to run
# as a user that can write /etc/letsencrypt and reload nginx.
# NOTE(review): the page does not say which user - presumably root; confirm.
crontab -e
# Line to add to that crontab: run the renewal check every day at 03:15.
# certbot only replaces certificates that are close to expiry, and --quiet
# suppresses output unless something fails.
15 3 * * * /usr/bin/certbot renew --quiet
# HTTPS virtual host for the validator, as left behind by `certbot --nginx`.
# Lines marked "managed by Certbot" are maintained by certbot; keep those
# markers intact when editing by hand.
server {
    server_name rpki.example.com; # managed by Certbot
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # Proxy every request path to the validator on localhost:8080.
    location / {
        # GET and HEAD are served without credentials; every other method
        # requires HTTP Basic authentication against the htpasswd file.
        limit_except GET HEAD {
            auth_basic 'Private property';
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
        proxy_pass_request_headers on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        # NOTE(review): the backend hop is plain HTTP and unauthenticated;
        # verify the validator listens on loopback only so this proxy cannot
        # be bypassed by connecting to port 8080 directly.
        proxy_pass http://localhost:8080;
    }

    # NOTE(review): error_page points at /404.html but the location below
    # matches /40x.html, so the two do not line up and /404.html would be
    # handled by `location /` instead - confirm which name is intended.
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    # TLS listeners and certificate material installed by certbot.
    # NOTE(review): no Strict-Transport-Security header is set here, so a
    # client that starts on http:// can still send its first request
    # (credentials included) in clear text before the redirect - consider
    # adding HSTS once HTTPS is confirmed working.
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/rpki.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rpki.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP virtual host: it proxies nothing and only redirects to HTTPS.
server {
    # Requests for the validator's host name get a permanent redirect to the
    # same URI on https://.
    if ($host = rpki.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name rpki.example.com;
    # Any request that was not redirected above is answered with 404.
    return 404; # managed by Certbot
}
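With the HTTPS configuration the server accepts only HTTPS connections, and any HTTP request is redirected to HTTPS. This matters because the Basic authentication credentials would otherwise cross the network unencrypted.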
# Create the Basic-auth user file referenced by auth_basic_user_file and add the
# user "youruser"; the password is prompted for interactively.
# -c creates the file and overwrites one that already exists, so drop -c when
# adding further users.
# NOTE(review): writing under /etc/nginx normally needs root, and the file should
# be readable only by root and the nginx worker user - check ownership and mode
# after creating it.
htpasswd -c /etc/nginx/.htpasswd youruser
# Enter a strong, unique password at the prompt.