
Passwordstate and NGINX Reverse Proxy Configuration



Hello Everyone,

A customer recently shared their NGINX Reverse Proxy Configuration with us, in the hope that it would also help some of our other customers who wish to configure Passwordstate access in this manner.

 

Below is an example of their config, using NGINX 1.10.3, and you will need to update the URL/Domain details as appropriate for your environment - this will secure the Passwordstate server behind NGINX with only 80/443 opened on any firewall:

 

/etc/nginx/snippets/ssl-params.conf
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem; # Use openssl to generate the DH parameters, e.g. openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"; # AEAD (GCM / ChaCha20) suites first; the trailing CBC SHA256/SHA384 suites are only there for older clients and can be dropped once none remain
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver DNS-IP-1 DNS-IP-2 DNS-IP-3 valid=300s; # Replace with your DNS servers; OCSP stapling needs a resolver to fetch responses
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always; # 'always' (nginx >= 1.7.5) also sends the header on error responses; the HSTS preload list requires max-age >= 31536000, so raise it before submitting the domain, and remember that preload is hard to undo
add_header X-Frame-Options SAMEORIGIN; # This must be set to SAMEORIGIN or else Passwordstate will not show frames containing passwords
add_header X-Content-Type-Options nosniff;


/etc/nginx/sites-available/default
#  ------------------ PAM System ---------------
server {
        listen 80;
        server_name passwordstate.domain.com;
        return 302 https://$server_name$request_uri;
}
server {
        listen 443 ssl; # 'ssl on;' is deprecated since nginx 1.15.0 and removed in 1.25.1; the listen parameter also works on 1.10.3
        server_name passwordstate.domain.com;

        access_log /var/log/nginx/reverseproxy/pam-access.log combined gzip;
        error_log /var/log/nginx/reverseproxy/pam-error.log error;

        include snippets/wildcard-cert.conf; # configuration file should contain ssl private / public keys location
        include snippets/ssl-params.conf;

        location / {
           proxy_pass https://internal-hostname.domain.local:9119/; # TLS to the backend; nginx does not verify the upstream certificate by default, so add proxy_ssl_verify on; (with proxy_ssl_trusted_certificate pointing at the internal CA) if that chain is available
           proxy_set_header X-Forwarded-Proto $scheme;
           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Url-Scheme $scheme;
           proxy_redirect off; # Location headers from the backend are passed through unchanged
           proxy_connect_timeout 150;
           proxy_send_timeout 100;
           proxy_read_timeout 100;
           proxy_buffers 4 32k;
           client_max_body_size 8m;
           client_body_buffer_size 128k;
        }
}

#  ------------------ Mobile PAM System ---------------
server {
        listen 80;
        server_name mpam.domain.com;
        return 301 https://passwordstate.domain.com/mobile;
}
server {
        listen 443 ssl; # 'ssl on;' is deprecated since nginx 1.15.0 and removed in 1.25.1; the listen parameter also works on 1.10.3
        server_name mpam.domain.com;

        access_log /var/log/nginx/reverseproxy/mpam-access.log combined gzip;
        error_log /var/log/nginx/reverseproxy/mpam-error.log error;

        include snippets/wildcard-cert.conf; # Conf file should contain the location of the public and private keys
        include snippets/ssl-params.conf;

        location / {
           return 301 https://passwordstate.domain.com/mobile;
        }
}

----------------------------------------------------------------------------------------END
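Added example, not part of the customer's configuration or of Click Studios' own material: a small Python lint that parses nginx block syntax and checks the settings in the config above that matter for this deployment, namely the deprecated ssl on, the HSTS max-age/preload pairing and the always flag, X-Frame-Options SAMEORIGIN, whether the TLS hop to the 9119 backend is verified (nginx does not verify upstream certificates unless proxy_ssl_verify on is set), and whether a port-80 server block proxies instead of redirecting. The two embedded configs are constructed for the example; the hostnames and the /etc/ssl/certs/internal-ca.pem path are assumptions.

```python
"""Lint an nginx reverse-proxy config for the TLS and header settings that matter
in front of Passwordstate. Added example, not Click Studios' or the customer's code.
WEAK_CONF mirrors the posted layout; HARDENED_CONF is the same config fixed."""
import re

WEAK_CONF = """
ssl_protocols TLSv1.2;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Frame-Options SAMEORIGIN; # Passwordstate frames need SAMEORIGIN
server {
    listen 80;
    server_name passwordstate.example.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443;
    ssl on;
    server_name passwordstate.example.com;
    location / {
        proxy_pass https://passwordstate-int.example.local:9119/;
        proxy_set_header Host $host;
    }
}
"""
# Same layout with the findings fixed; the CA bundle path is an assumption.
HARDENED_CONF = (WEAK_CONF
    .replace("listen 443;\n    ssl on;", "listen 443 ssl;")
    .replace("max-age=15768000", "max-age=63072000")
    .replace('preload";', 'preload" always;')
    .replace("proxy_set_header Host $host;", "proxy_set_header Host $host;\n"
             "        proxy_ssl_verify on; proxy_ssl_server_name on;\n"
             "        proxy_ssl_trusted_certificate /etc/ssl/certs/internal-ca.pem;"))

# comment | "double-quoted" | 'single-quoted' | { } ; | bare word
TOKEN_RE = re.compile(r"""\s*(?:(#[^\n]*)|"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'|([{};])|([^\s{};"']+))""")

def parse_nginx(text):
    """Parse nginx block syntax into nested {'directive', 'args', 'block'} dicts."""
    stack, cur = [[]], []                       # stack[0] is the root block
    for m in TOKEN_RE.finditer(text):
        comment, dq, sq, punct, word = m.groups()
        if comment is not None:
            continue
        if punct is None:                       # bare word or quoted string
            cur.append(word if word is not None else (sq if dq is None else dq))
            continue
        if punct == '}':
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif not cur:
            raise ValueError("directive name expected before %r" % punct)
        else:
            node = {'directive': cur[0], 'args': cur[1:], 'block': [] if punct == '{' else None}
            stack[-1].append(node)
            if punct == '{':
                stack.append(node['block'])
        cur = []
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return stack[0]

def walk(nodes):
    for n in nodes:                             # every directive, depth first
        yield n
        if n['block'] is not None:
            yield from walk(n['block'])

def lint_nginx(conf):
    """Return (code, message) findings for a parsed config."""
    nodes = list(walk(conf))
    def args_of(name):
        return [n['args'] for n in nodes if n['directive'] == name]
    out = []
    if any(a[:1] == ['on'] for a in args_of('ssl')):
        out.append(('deprecated-ssl-on', "'ssl on;' is deprecated, use 'listen 443 ssl;'"))
    old = [p for a in args_of('ssl_protocols') for p in a if p in ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')]
    if old:
        out.append(('legacy-tls', 'ssl_protocols enables ' + ' '.join(old)))
    headers = {a[0].lower(): a[1:] for a in args_of('add_header') if a}
    hsts = headers.get('strict-transport-security')
    if not hsts:
        out.append(('no-hsts', 'Strict-Transport-Security header missing'))
    else:
        m = re.search(r'max-age=(\d+)', hsts[0])
        age = int(m.group(1)) if m else 0
        if 'preload' in hsts[0] and age < 31536000:
            out.append(('hsts-preload-max-age', 'preload requires max-age >= 31536000, got %d' % age))
        if 'always' not in hsts[1:]:
            out.append(('hsts-no-always', "add 'always' so HSTS is sent on 4xx/5xx responses too"))
    if (headers.get('x-frame-options') or [''])[0].upper() != 'SAMEORIGIN':
        out.append(('xfo-not-sameorigin', 'X-Frame-Options must be SAMEORIGIN for Passwordstate'))
    verified = any(a[:1] == ['on'] for a in args_of('proxy_ssl_verify'))
    for a in args_of('proxy_pass'):
        if a and a[0].startswith('https://') and not verified:
            out.append(('upstream-tls-unverified', 'proxy_pass %s without proxy_ssl_verify on' % a[0]))
    for srv in (n for n in nodes if n['directive'] == 'server' and n['block'] is not None):
        inner = list(walk(srv['block']))
        on80 = any(n['directive'] == 'listen' and n['args'][0].rsplit(':', 1)[-1] == '80' for n in inner)
        if on80 and any(n['directive'] == 'proxy_pass' for n in inner):
            out.append(('plaintext-proxy', 'port-80 server block proxies instead of redirecting'))
    return out
```

Call lint_nginx(parse_nginx(text)) on the output of nginx -T, which prints the whole configuration with includes expanded; the parser handles blocks, quoting and comments but not include or variables, which is why the nginx -T route is the practical one. WEAK_CONF produces four findings (deprecated ssl on, preload with a six-month max-age, HSTS without always, unverified upstream TLS) and HARDENED_CONF produces none.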
