Nginx ModSecurity (OWASP) Reverse Proxy & SSL Configuration Guide

Introduction:

In today's digital age, ensuring secure and efficient web communication is paramount for businesses of all sizes. One effective method to achieve this is through the use of reverse proxies, particularly with Nginx within a Docker container environment. This article outlines the benefits and step-by-step guide on configuring a reverse proxy using Nginx, focusing on enhancing security through SSL/TLS certificate management.

What is a reverse proxy?

A reverse proxy is a type of server that sits in front of web servers and forwards client (e.g., browser) requests to those web servers. It is a crucial component in maintaining website security, performance, and reliability. Nginx, a powerful open-source web server, is widely used for its reverse proxy capabilities, providing an additional layer of abstraction and control to ensure smooth and secure web communications.

Why It's Important:

Implementing a reverse proxy using Nginx in a Docker environment can significantly enhance your web application's security and efficiency. It enables better load balancing, provides a centralized point for SSL termination, and ensures encrypted communication, protecting sensitive data from potential breaches.

Implementing Nginx Reverse Proxy and SSL Configuration:

The guide provides a comprehensive walkthrough on setting up the reverse proxy using Docker Compose, configuring Nginx, adjusting WordPress settings, and managing SSL certificates for secure HTTPS communication. This setup ensures that your web applications are not only secure but also optimized for performance.

New Trends in Web Security:

With the increasing threat landscape, adopting modern security measures such as SSL/TLS encryption, reverse proxy services, and containerized environments like Docker has become crucial. These technologies work together to provide a robust security framework, protecting against common vulnerabilities and enhancing overall web application performance.

The Role of SSL Certificates:

SSL certificates are vital in establishing a secure connection between a web server and a client. The guide details how to implement SSL certificates provided by Sectigo SSL, although any preferred SSL provider can be used. Proper configuration ensures encrypted communication, safeguarding data integrity and confidentiality.

(Nginx ModSecurity + reverse proxy + WordPress; you can use any application)

Docker Configuration

We have utilized Docker Compose to manage the multi-container Docker application. Here’s the docker-compose.yaml file used:

version: '3.3'

services:
    reverseproxy:
        container_name: reverse-proxy-nginx
        ports:
            - '80:80'
            - '443:443'
        volumes:
            # Proxy configuration, certificate, CA bundle and private key,
            # all mounted read-only from the host.
            - /opt/nginx/proxy.conf:/etc/nginx/conf.d/proxy.conf:ro
            - /opt/nginx/ssl/STAR_domain_xyz.crt:/etc/nginx/ssl/STAR_domain_xyz.crt:ro
            - /opt/nginx/ssl/My_CA_Bundle.ca-bundle:/etc/nginx/ssl/My_CA_Bundle.ca-bundle:ro
            - /opt/nginx/ssl/private.key:/etc/nginx/ssl/private.key:ro
        environment:
            - PROXY=1
        image: owasp/modsecurity-crs:nginx-alpine
        networks:
            reverse-proxy:
                aliases:
                    - reverse-proxy-nginx

networks:
    # External network: it must already exist when the container starts.
    reverse-proxy:
        external: true

This configuration sets up a service named reverseproxy using the owasp/modsecurity-crs:nginx-alpine image. The container is named reverse-proxy-nginx and has read-only volume mappings for the Nginx configuration file and the SSL certificate, CA bundle, and private key. The service is attached to the reverse-proxy network.

Note: make sure to run the command below to create the Docker network before starting the reverse proxy container:

docker network create reverse-proxy

Nginx Reverse Proxy Configuration

We have configured Nginx as a reverse proxy to forward requests to your application. Here is the Nginx configuration snippet:

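server {
    listen 443 ssl;
    server_name example-domain.xyz;

    # Certificate and key mounted by docker-compose.yaml. Intermediate
    # certificates that clients need must be in the ssl_certificate file itself.
    ssl_certificate /etc/nginx/ssl/STAR_domain_xyz.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    # Not sent to clients; used to verify OCSP responses and client certificates.
    ssl_trusted_certificate /etc/nginx/ssl/My_CA_Bundle.ca-bundle;

    location / {
        # The origin is reached over HTTPS.
        proxy_pass https://origin_host.com;

        # Pass the original host name, client address and scheme to the origin.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        add_header 'Access-Control-Allow-Origin' 'https://example-domain.xyz';
        proxy_set_header Cache-Control $http_cache_control;
    }
}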

This setup ensures secure communication and proper request forwarding to your application hosted on WP Engine or any other host.

WordPress Configuration Changes

We made the following changes to the wp-config.php file to accommodate the reverse proxy setup:

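# WP Engine Settings
# When the request arrives with an X-Forwarded-Host header, pin the host name
# WordPress sees to the public domain.
if ( ! empty( $_SERVER['HTTP_X_FORWARDED_HOST'] ) ) {
    $_SERVER['HTTP_HOST'] = 'example-domain.xyz';
}

# Site and home URLs are built from HTTP_HOST, so without the override above
# they follow the Host header of the request.
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST']);
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST']);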

These changes ensure that WordPress recognizes the correct URL structure and operates under the defined reverse proxy settings.

SSL Configuration

We have implemented SSL certificates provided by Sectigo SSL. However, the client has the flexibility to use any SSL provider they prefer. The necessary SSL files have been placed and referenced in the Nginx configuration to ensure encrypted communication.

Steps for Future Modifications

  1. Docker Compose Changes: If any changes are required in the Docker setup, modify the docker-compose.yaml file and run docker-compose up -d to apply the changes.
  2. Nginx Configuration: For updates to the reverse proxy settings, adjust the Nginx configuration in the specified volume and reload Nginx within the Docker container.
  3. WordPress Adjustments: Any changes to the WordPress configuration should be made directly in the wp-config.php file, following the established guidelines for reverse proxy setups.
  4. SSL Certificate Renewal: Replace the existing SSL certificate files with new ones upon renewal and restart the Nginx container to apply changes.
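
A pre-restart check for step 4, as an added example that is not part of the original article: it confirms on the host that the renewed certificate belongs to the mounted private key and is not close to expiry before the container is restarted. The file paths and container name are the ones used above; the function names, the check/deploy arguments and the 14-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article. Paths and container name are
# the ones used on this page; MIN_DAYS, the function names and the
# check/deploy arguments are assumptions of this example.
SSL_DIR=/opt/nginx/ssl
CERT="$SSL_DIR/STAR_domain_xyz.crt"
KEY="$SSL_DIR/private.key"
CONTAINER=reverse-proxy-nginx
MIN_DAYS=14

# Succeeds when the certificate's public key equals the one derived from the
# private key file (works for RSA and EC keys).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate will still be valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs both checks and reports the first failure on stderr.
check_renewal() {
    if ! cert_matches_key "$1" "$2"; then
        echo "certificate $1 does not match key $2" >&2
        return 1
    fi
    if ! cert_valid_for_days "$1" "$3"; then
        echo "certificate $1 expires within $3 days" >&2
        return 1
    fi
    echo "certificate OK: matches key, valid for at least $3 days"
}

# check  : validate the files in place, change nothing
# deploy : validate, then restart the container so Nginx loads the new files
case "${1:-}" in
    check)  check_renewal "$CERT" "$KEY" "$MIN_DAYS" ;;
    deploy) check_renewal "$CERT" "$KEY" "$MIN_DAYS" && docker restart "$CONTAINER" ;;
esac
```

Run it with `check` after copying the new files into /opt/nginx/ssl, and with `deploy` once the check passes; a mismatched key would otherwise only show up as an Nginx start-up failure after the restart.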
