
NGINX: Example Configuration as a Reverse Proxy in IGEL OS with SSL Offloading

This article describes the configuration of the IGEL Universal Management Suite (UMS) and NGINX for SSL offloading. Use this document when you want SSL/TLS to be terminated not at the UMS Server but at the load balancer / reverse proxy. The article is based on the example of NGINX. For more information on NGINX, see https://www.nginx.com/resources/glossary/nginx/.

General compatibility was tested with the configurations described in this article; other ways to do the configuration are possible.
As the reverse proxy is external software, we cannot provide full support for every version of it.


Requirements

Requirements for UMS and certificate configuration for reverse proxy are summarized in Configure the UMS to Integrate Reverse Proxy with SSL Offloading.

Process Overview

The configuration tasks of the reverse proxy are:

NGINX Installation (Example Based on Ubuntu)

→ Install NGINX on your system:

    sudo apt update
    sudo apt install nginx



→ If a firewall is used, check the configuration:

  1. Check the firewall configuration:

    sudo ufw app list


    The output of the command should look like this:

    Available applications:
      Nginx Full
      Nginx HTTP
      Nginx HTTPS
      OpenSSH

     

  2. Enable 'Nginx Full':

     

  3. Check the firewall configuration with:

     

  4. For the UMS support, it might be necessary to open further ports. For more information on UMS ports, see IGEL UMS Communication Ports.

  5. Get the current state of NGINX:

     

  6. Check the current configuration of NGINX:

NGINX Configuration

The configuration of the server is done in configuration files. In an Ubuntu installation, the main configuration file is /etc/nginx/nginx.conf.

In this example, a separate configuration file umsSSLOffloading.conf is used. This file has to be included in the nginx.conf file:

The keys and certificates extracted in Configure the UMS to Integrate Reverse Proxy with SSL Offloading can be copied to a directory under /etc/nginx, for example /etc/nginx/ssl (create the directory if it does not exist).

NGINX Configuration File for SSL Offloading

→ Create a new config file umsSSLOffloading.conf.

This file must contain

  • upstream server configuration

  • server configuration

  • location configuration

This is an example configuration to use with UMS 12 and IGEL OS 12:

  • The upstream umsserver block defines the UMS Server in the backend.

     

  • The server block contains the configuration for the NGINX listener and the location.
    The UMS web certificate and the client certificate validation should be added here.
    Server common configuration:

     

  • At least two location definitions are required:

    • Location definition for all connections via WebSocket. The WebSocket connection requires the client certificate to be forwarded in a request header. The second header to add is the Upgrade header, which is required for WebSockets.



    • Location definition for all other connections.



The whole configuration file:
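The following is an added example of what umsSSLOffloading.conf can look like; it is not the article's own file. The upstream host and port, the external host name, the certificate file names under /etc/nginx/ssl, the WebSocket path and the header names used to forward the client certificate are assumptions and must be replaced with the values from your UMS configuration.

```nginx
# umsSSLOffloading.conf: include it from nginx.conf inside the http block with
# "include /etc/nginx/umsSSLOffloading.conf;" (assumed path)

# Upstream server configuration: the UMS Server in the backend
# (host name and port are assumed values).
upstream umsserver {
    server ums-server.example.local:8443;
}

# Server configuration: the NGINX listener where TLS is terminated
server {
    listen 443 ssl;
    server_name ums.example.local;    # assumed external host name of the proxy

    # UMS web certificate and key copied to /etc/nginx/ssl (file names assumed)
    ssl_certificate     /etc/nginx/ssl/ums-web.crt;
    ssl_certificate_key /etc/nginx/ssl/ums-web.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client certificate validation against the exported UMS CA chain.
    # "optional" lets connections without a certificate through to the UMS,
    # which decides based on the forwarded verification result.
    ssl_client_certificate /etc/nginx/ssl/ums-ca-chain.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Location configuration for all WebSocket connections: forward the
    # client certificate and the Upgrade headers required by WebSockets.
    location /websocket-path-placeholder/ {   # replace with the UMS WebSocket path
        proxy_pass         https://umsserver;  # scheme depends on the UMS port setup
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        # Header names are assumptions; they must match what the UMS expects
        proxy_set_header   X-Client-Cert   $ssl_client_escaped_cert;
        proxy_set_header   X-Client-Verify $ssl_client_verify;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_read_timeout 3600s;              # keep idle WebSockets open
    }

    # Location configuration for all other connections
    location / {
        proxy_pass         https://umsserver;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Validate the syntax with `sudo nginx -t` before reloading NGINX, and confirm on the UMS side that the forwarded certificate header is the one the UMS is configured to read.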