Monday, September 07, 2009

How to Proxy a Website to HTTPS with nginx, Start to Finish

Serving a website over HTTPS is a small task that site owners often skip, possibly because they believe it is costly or technically challenging. Anyone who has set up their own HTTP webserver can put an HTTPS front end in front of it using free software. SSL certificates cost around £10 a year, a similar cost to registering a domain name.

I'm going to describe the steps I took to proxy QatarLiving to a secure site at F1a.me. QatarLiving is one of the most popular websites in Qatar, a small Middle Eastern state. Be clear about what this setup protects: the hop between the user's browser and the proxy is encrypted, but the hop from the proxy to the original site is still plain HTTP, and the proxy itself sees everything that passes through it, passwords and session cookies included. It defends users against eavesdroppers on their own network; it does not protect them from the proxy operator or from anyone sitting between the proxy and the original server.

Step 0. Prerequisites

You'll need administrator (root) privileges on your own server to run an HTTPS site on port 443, since only root can bind ports below 1024. I'm happy with my virtualized Linux box, hosted by Media Temple. It costs $50 a month, which is not the cheapest deal out there nor is the server particularly powerful, but I'm happy with the company's service and the box is sufficient to host all my websites and twitter feeds. If you sign up with Media Temple, you should install compilers and development tools.

Step 1. Buy your SSL certificate

Purchase an SSL certificate for your secure site. I bought mine from 123-reg. It is possible to run a secure site without buying a certificate by generating a "self-signed" one; the connection is still encrypted, but the browser then has no way to tell your server from an impostor's, so users will be presented with scary warnings, and teaching them to click through those warnings undoes most of the benefit. It's best just to splash out on the SSL certificate: they're cheap.

Step 2. Downloads

If you've never come across nginx (pronounced Engine-X), don't feel too downhearted. This tiny webserver fits into a niche of specialized webservers (including boa, lighttpd and thttpd) that compete on speed and small memory footprint. Many large sites have chosen nginx as their front-line server, including one of the very largest blogging sites, WordPress.com. I chose to use nginx because its small footprint is crucial on my limited-memory server.

Download the latest development release of nginx, currently version 0.8.14 [homepage | nginx-0.8.14.tar.gz]. The commands below assume that version; later releases have renamed some of the configure options.

Step 3. Installation

Unpack the nginx source, then compile and install. The following commands work for me on my fairly standard CentOS Linux box, but some of the paths may require tweaking on other systems.


$ tar zxvf nginx-0.8.14.tar.gz
$ cd nginx-0.8.14
$ ./configure \
--prefix=/usr \
--sbin-path=/usr/sbin/nginx-ssl \
--conf-path=/etc/nginx-ssl/nginx.conf \
--http-log-path=/var/log/nginx_ssl_access_log \
--error-log-path=/var/log/nginx_ssl_error_log \
--pid-path=/var/run/nginx-ssl.pid \
--http-client-body-temp-path=/var/tmp/nginx_ssl_client \
--http-proxy-temp-path=/var/tmp/nginx_ssl_proxy \
--http-fastcgi-temp-path=/var/tmp/nginx_ssl_fastcgi \
\
--with-http_ssl_module \
--with-http_stub_status_module \
\
--without-http_charset_module \
--without-http_gzip_module \
--without-http_userid_module \
--without-http_auth_basic_module \
--without-http_autoindex_module \
--without-http_geo_module \
--without-http_map_module \
--without-http_referer_module \
--without-http_fastcgi_module \
--without-http_limit_zone_module \
--without-http_browser_module \
--without-http_upstream_ip_hash_module
$ make
$ su
# make install


If any errors appear with the above commands, you probably need to install a required library: the SSL module needs the OpenSSL development headers (openssl-devel on CentOS) and the rewrite module, which the configuration below relies on, needs PCRE (pcre-devel). In most cases, searching for the error message will find the fix fastest. Options vary slightly between versions, so always check ./configure --help for the current list.

Step 4. Server Configuration

Download your server SSL certificate and private key, rename them to server.crt and server.key, and move them to your nginx config directory (/etc/nginx-ssl/). The private key should be owned by root and readable by nobody else (mode 0600): the nginx master process runs as root and reads the key at startup, before handing requests to the unprivileged worker processes. If you've bought a cheap SSL certificate like I did, it was probably signed by an intermediate CA that isn't built into your users' browsers. You'll need to find that intermediate certificate and concatenate it with your server's SSL certificate: your own certificate first, then the intermediate(s), in signing order. A chain in the wrong order, or with a missing intermediate, produces a trust error in some browsers even though the certificate itself is valid, and the error is easy to miss if you only test from a machine that already trusts the intermediate. Your server.crt will then look something like this:


-----BEGIN CERTIFICATE-----
[your certificate here]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[your CA's certificate here]
-----END CERTIFICATE-----


Now, all that's left is to edit your config file /etc/nginx-ssl/nginx.conf. You'll want to play around with some of these settings, but they provide a good starting point.


# the number of worker processes should be
# equal to the number of processor cores in your server
worker_processes 4;

# error logging can be silenced by uncommenting the next line, but
# keep it: the error log is where failed starts, upstream failures
# and hostile requests show up
# error_log /dev/null crit;


events {
# max connections - 2048 is reasonable
worker_connections 2048;
}

http {
include mime.types;
default_type application/octet-stream;

# TCP tuning
sendfile on;
tcp_nopush on;
tcp_nodelay off;

# keepalive is highly beneficial for SSL
keepalive_timeout 10;

# disable access logging (saves I/O on a small box, but leaves no
# record of who used the proxy; enable it if you need to investigate abuse)
access_log off;

server {
listen 443;

# change this to your own website hostname
server_name f1a.me;

# TLS settings. Session caching keeps the cost of SSL down on a
# small server. SSLv2 and SSLv3 are broken and must not be offered;
# TLSv1 is the newest protocol this nginx/OpenSSL generation knows,
# so on a current build use "ssl_protocols TLSv1.2 TLSv1.3;" instead
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1;
# no export, LOW, NULL-encryption, anonymous, RC4 or MD5 suites:
# RC4 was once the cheap choice for small servers but is now broken
ssl_ciphers HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5;
ssl_prefer_server_ciphers on;

location / {
proxy_pass http://www.qatarliving.com;
proxy_set_header X-Forwarded-For $remote_addr;
}

# don't proxy images, redirect them to the original site instead.
# Scripts are deliberately left out of this list: a script fetched
# over plain HTTP can be altered in transit and then controls the
# whole page, which defeats the point of the proxy (modern browsers
# block such "active mixed content" outright). Images over HTTP
# still draw a mixed-content warning, so proxy those too if a clean
# padlock matters to you
location ~* \.(gif|jpg|jpeg|png|ico)$ {
rewrite ^/(.*?)$ http://www.qatarliving.com/$1 permanent;
}
}
}
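The protocol and cipher lines are the part of this file most worth checking, so here is an added example (my own, not nginx's tooling and not part of the original post): a small Python checker that reads an nginx.conf, finds the ssl_protocols and ssl_ciphers directives of each server block, and reports anything that should not be offered. The configuration embedded at the bottom is constructed for the demo; its first server block deliberately carries SSLv2, SSLv3, RC4 and export ciphers, the second a current hardened equivalent. The checker understands OpenSSL cipher-string keywords, not individual suite names, and only looks inside server blocks.

```python
"""Audit nginx server blocks for weak TLS settings (added example)."""
import re

# Protocols that are broken and must never be offered.
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}
# Deprecated protocols (RFC 8996): tolerable only on an nginx/OpenSSL
# build that supports nothing newer, as the 0.8.x generation did.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that select suites nobody should offer:
# export grade, LOW (40/56-bit), no encryption, no authentication,
# RC4, single DES and MD5-based MACs.
WEAK_CIPHER_KEYWORDS = {
    "EXP", "EXPORT", "EXPORT40", "EXPORT56", "LOW", "NULL", "eNULL",
    "aNULL", "ADH", "AECDH", "RC4", "DES", "MD5", "SSLv2",
}

# Tokens: quoted strings, the three structural characters, or bare words.
_TOKEN = re.compile(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''')


def _strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse(text):
    """Flatten nginx config into (block_path, directive, args) tuples.

    block_path lists (block_name, block_id) from outermost to innermost,
    so directives from different server blocks can be told apart."""
    stack, out, cur, next_id = [], [], [], 0
    for tok in _TOKEN.findall(_strip_comments(text)):
        if tok == "{":
            next_id += 1
            stack.append((cur[0] if cur else "?", next_id))
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if cur:
                out.append((tuple(stack), cur[0],
                            [a.strip("\"'") for a in cur[1:]]))
            cur = []
        else:
            cur.append(tok)
    return out


def _cipher_findings(spec):
    """Check an OpenSSL cipher string at keyword level."""
    findings = []
    items = [i for i in spec.split(":") if i]
    for item in items:
        if item[0] in "!-":
            continue                      # '!' and '-' remove suites
        for keyword in item.lstrip("+").split("+"):
            if keyword in WEAK_CIPHER_KEYWORDS:
                findings.append(("error", "ssl_ciphers enables weak keyword " + keyword))
    excluded = {i[1:] for i in items if i[0] == "!"}
    if "aNULL" not in excluded:           # HIGH/MEDIUM alone still include ADH suites
        findings.append(("warning", "ssl_ciphers does not exclude aNULL (anonymous key exchange)"))
    return findings


def audit(text):
    """Return {server_name: [(level, message), ...]} per server block."""
    servers = {}
    for path, directive, args in parse(text):
        ids = [block_id for name, block_id in path if name == "server"]
        if not ids:
            continue                      # http-level directive, skipped
        entry = servers.setdefault(ids[-1], {"name": None, "protocols": None, "ciphers": None})
        if directive == "server_name":
            entry["name"] = " ".join(args)
        elif directive == "ssl_protocols":
            entry["protocols"] = args
        elif directive == "ssl_ciphers" and args:
            entry["ciphers"] = args[0]
    report = {}
    for block_id, entry in servers.items():
        findings = []
        for proto in entry["protocols"] or []:
            if proto in BROKEN_PROTOCOLS:
                findings.append(("error", "ssl_protocols enables " + proto))
            elif proto in LEGACY_PROTOCOLS:
                findings.append(("warning", "ssl_protocols enables deprecated " + proto))
        if entry["ciphers"] is not None:
            findings.extend(_cipher_findings(entry["ciphers"]))
        report[entry["name"] or "server#%d" % block_id] = findings
    return report


# Constructed sample, not any real server's configuration.
SAMPLE_CONF = """
http {
    server {
        listen 443;
        server_name weak.example;
        ssl on;
        ssl_protocols SSLv2 SSLv3 TLSv1;   # SSLv2 and SSLv3 are broken
        ssl_ciphers RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        location / { proxy_pass http://origin.example; }
    }
    server {
        listen 443 ssl;
        server_name hardened.example;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!MD5";
        ssl_prefer_server_ciphers on;
    }
}
"""

if __name__ == "__main__":
    for server, findings in audit(SAMPLE_CONF).items():
        print(server, "OK" if not findings else "")
        for level, message in findings:
            print("  %s: %s" % (level, message))
```

To run it against a live file, read /etc/nginx-ssl/nginx.conf into a string and pass it to audit(). Anything reported as an error should be removed before the server goes live; the warnings mark settings that only make sense on an nginx/OpenSSL build that cannot do better. Note that modern OpenSSL builds leave export and RC4 suites out at compile time, so a cipher string naming them may end up selecting nothing weak on such a build, but the directive is still wrong and will bite the day the binary is rebuilt with a different library.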


Start up your server by running nginx-ssl as root:


$ su
# /usr/sbin/nginx-ssl


Tail the error log (/var/log/nginx_ssl_error_log) if the server fails to start; the commonest causes are a certificate and key that don't match each other, or something else already listening on port 443.

Further Reading

Nginx English documentation

Useful changes to default nginx configuration file

O3 Magazine - Open-Source SSL Acceleration

SSL optimization and security

HTTPS performance tuning

Installing an intermediate authority certificate under nginx

Why SSL?

Outstanding issues

Cookies that carry the original site's domain will be rejected by the user's browser, because that domain doesn't match the host the response came from. Most websites don't set a domain within the cookie, so this isn't usually a problem. However, if your site is affected, it can be fixed by rewriting the Set-Cookie headers from the insecure site to remove the Domain attribute (and, since the site is now served over HTTPS, adding the Secure flag so the browser never sends the cookie back over plain HTTP). I'll post a blog entry in a few days about this, as it affects most Drupal sites including QatarLiving.

Navigation within a proxied site only works as long as most links are relative; an absolute link that contains the original hostname takes the user straight back to the plain-HTTP site, outside the proxy.
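Both outstanding issues above are rewrites of what comes back from the origin, so here is an added example of that logic (my own code, not nginx configuration and not part of the original post; nginx 0.8.14 cannot do either rewrite itself, and the proxy_cookie_domain directive that handles the cookie part natively only arrived in 1.1.15). It strips the Domain attribute from Set-Cookie headers and adds the Secure flag, and it points absolute links to the origin, including the Location header of upstream redirects, at the HTTPS hostname. The hostnames and the sample response are constructed placeholders, not QatarLiving's real headers.

```python
"""Rewrite upstream headers and bodies for an HTTPS proxy front end (added example)."""
import re

ORIGIN_HOST = "www.origin.example"  # constructed: the plain-HTTP site being proxied
PROXY_HOST = "secure.example"       # constructed: the HTTPS hostname users visit


def rewrite_set_cookie(value):
    """Drop Domain= so the browser scopes the cookie to the proxy's own
    hostname, and add Secure so it is never sent over plain HTTP."""
    parts = [p.strip() for p in value.split(";")]
    kept = [parts[0]]               # the name=value pair itself
    has_secure = False
    for attr in parts[1:]:
        if not attr:
            continue                # tolerate a trailing ';'
        name = attr.split("=", 1)[0].strip().lower()
        if name == "domain":
            continue                # the proxy host is not in that domain
        if name == "secure":
            has_secure = True
        kept.append(attr)
    if not has_secure:
        kept.append("Secure")
    return "; ".join(kept)


def rewrite_links(text, origin_host=ORIGIN_HOST, proxy_host=PROXY_HOST):
    """Point absolute URLs for the origin at the HTTPS proxy.

    The lookahead requires the host to be followed by a path, query,
    fragment, quote or whitespace, so origin.example.evil is not matched;
    other sites' URLs are left untouched."""
    pattern = re.compile(
        r"\bhttps?://" + re.escape(origin_host) + r"(?=[/?#\s'\"]|$)",
        re.IGNORECASE,
    )
    return pattern.sub("https://" + proxy_host, text)


def rewrite_response(headers, body):
    """Apply both fixes to one upstream response.

    headers is a list of (name, value) pairs as received from the origin.
    Returns (new_headers, new_body)."""
    new_headers = []
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            value = rewrite_set_cookie(value)
        elif key == "location":
            value = rewrite_links(value)   # upstream redirects must stay on HTTPS
        new_headers.append((name, value))
    return new_headers, rewrite_links(body)


# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSabc=def456; expires=Tue, 22-Sep-2009 10:00:00 GMT; "
                   "path=/; domain=.origin.example"),
    ("Location", "http://www.origin.example/user/login"),
]
SAMPLE_BODY = (
    '<a href="http://www.origin.example/forums">Forums</a> '
    '<a href="/news">News</a> '
    '<a href="http://other.example/">Other</a>'
)

if __name__ == "__main__":
    hdrs, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for name, value in hdrs:
        print("%s: %s" % (name, value))
    print()
    print(body)
```

The body rewrite is deliberately narrow: it changes only URLs that name the origin host, so links to third-party sites keep working, and it never touches relative links, which already resolve against the proxy. Remember that the body of a compressed upstream response has to be decompressed before a filter like this can see the links, which is one reason to leave gzip out of the proxy build as the configure line above does.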

Thursday, June 19, 2008

News site rankings

Before I started QatarJournal in April last year, I took a snapshot of the Alexa page views from local news providers. Looking at the changes over the past year, it's obvious that QatarLiving is now serving more pages than any of the other news sites, and Watan's website is declining in relative terms against the other papers. Permalink here. A similar decline can be seen in terms of Watan's market share, with only QL showing a noticeable increase.

When we look at only visitors from Qatar, the ranking of sites providing news becomes clearer:
* Qatar Living
* BBC
* Al Raya
* Al Jazeera
* Al Sharq
* India Times
* The Rest.

Thursday, June 05, 2008

QatarJournal.com sold

Today I sold QatarJournal.com to a local businessman. I probably wouldn't have sold the site in January - I was quite upset about it. Now, it just seems like someone has given me a surprise gift. I'm going to have a good holiday this summer.

Wednesday, March 05, 2008

Back!

Qatar Journal is finished, so I'm back blogging here.

At the moment, I'm working on a CGI-IRC gateway, a cleanup of another codebase. It's mostly just a matter of replacing bits of code with CPAN modules, but after it's fairly tidy I'm going to replace the guts of the code with POE::Component::IRC by Chris Williams. That's mainly because I don't trust the IRC code I'm working with, and the POE code looks like it's well maintained.

The idea is that eventually, I'll authenticate web users with OpenID and some sort of NickServ. I haven't quite worked it out yet. Should be a fun bit of work, and very, very web 2.0 ;)

Monday, June 18, 2007

This blog has moved

There's an idiom in the software industry: "eating your own dog-food". If you've built some software, it's not right to ask other people to use it if you don't. Hence, I've moved my blog to Qatar Journal.

Every user of Qatar Journal can have a blog on the site, so if you'd like one, you need to visit the signup page, choose a username, enter your email address (twice) and click 'Create Account'. Users can also choose to receive a nightly summary of all the local news headlines.

Sunday, June 17, 2007

Is Qtel a bit simple?


I've been banned from QatarLiving. I'm sure the ban wasn't intentional, but I've been banned nonetheless. This morning, it was obvious that QatarLiving discussions were being attacked by someone with the intent of disruption. There was some speculation about who was responsible. Eventually, someone at the website banned the IP address of the attacker.

Unfortunately, Qtel employs a few Internet filters, and everyone behind a particular filter has the same public IP address. Thus, a system which is meant to make the web safer for Qatar's surfers has rendered one of the most popular discussion sites in Qatar completely inaccessible. This has happened before, of course. At the beginning of the year, Wikipedia saw a fair amount of abuse coming from a single IP address, and blocked the entire country from anonymous posting. It's not as if people don't know a solution to these problems - it's just that no one at Qtel is willing to make the fix.

Setting up a decent filtering proxy should be trivial, but Qtel's implementation masks users' true IP addresses from the sites they visit, and restricts the ability of site operators to punish abusers. How simple is Qtel? I'd say it's plain stupid.

Sunday, May 27, 2007

Best blogs in Qatar

<BLUSH> This blog has been chosen as one of the best blogs in Qatar. I'm choking back the tears, but will still manage to give a 10-minute acceptance speech, given half a chance.

Thursday, May 24, 2007

Qatar Journal - The Online Newspaper for Qatar

At the end of its first week, I'd say the launch of Qatar Journal has been a success. It's taken less than two months from the initial idea through to launching the site. I had hoped to launch a couple of weeks earlier, but I wanted to be in Qatar when it happened.

The response has been good from journalists and PR companies. I'm now getting a steady stream of stories, which is easing the administration of the site.

The technology has had some teething problems, with my server running out of memory on the first night, but it's now settled down. I've got a very long bug-list, which I'll start fixing in a couple of weeks. None of the bugs are serious, just annoying. Ben Figgis has pointed out a bug in the Qatar Journal feed that doesn't seem to be affecting slashdot, so I'll need to investigate. It's nice when people point out a problem, because noticing the bug is the difficult bit. Fixing is usually easy. Thanks Ben.

Thursday, May 10, 2007

Still in the UK

Sorry, I've been away from a PC for the past two weeks. I'm still in the UK because Sara has had surgery. She's OK, and is getting out of hospital today, but we can't return to Doha until at least May 20.

Wednesday, April 18, 2007

Qatar Journal

I had a leisurely coffee with Qatari from QL last Thursday. We were talking about the state of the IT sector in Qatar, and generally solving the world's problems. Anyway, he was hassling me saying I should have some sort of commercial project, because there was money to be made.

I'm a bit skeptical about making money from websites. There were a lot of good ideas during the dot-com boom that produced no cash. He started quoting some figures about google ads, and how little you need to spend on hosting. Anyway, I went home that night and had a chat with Sara about it.

There's a gap at the moment for serious local news. QL and others serve the demand for informal chat, but the local papers have abysmal websites and mainstream news sites don't cover Qatar. Thus, I'm going to start up a news site, named Qatar Journal. The official launch will be on 12 May 2007 (exactly one month after my chat with Qatari) - it will be rough around the edges, but it's better to launch quickly and fix things as we go along.

Basically, there's going to be no editorial. The easiest way to scare advertisers is to start getting cynical about press releases, so I'm going to leave all discussion to the readers. Obviously, there's going to be an editorial element in choosing stories, and here I have an advantage over the newspapers' sites: I only need to pick around 10 stories a day, whereas they are publishing (almost) everything.

Anyhow, I just wanted to blog this before anyone starts asking - "why are you trying to compete with QL?". I'm not. I'm a regular QL reader, and it's great. Qatar Journal is an online local newspaper, and when it generates its own community, it will have a very different tone to QL. Hopefully, some readers will visit both sites, but I would guess that most QL regulars will stick with what they know - I'm not trying to poach anyone.

Let me know what you think about the site, and keep an eye on progress. Everything should be working very soon, but it'll take a couple of weeks to get the site looking professional.



Also, discovered Alexa today. Here is an image snapshot of Qatar websites (April 2007), and a permalink for future comparison.