Skip to main content

Installing Nginx Reverse Proxy on CentOS for Domino Our Experience

Over the past few weeks there has been a significant number of discussions about Domino and the lack of SHA-2 support.  Jesse Gallagher had an entire MWLUG 2014 session on this very topic.  When I ask Jesse to present on this topic, unbeknownst to me what a hot topic this would become and so timely.  First, IBM should have fixed these problems years ago.  For us this is a critical issue that if not addressed will kill the market for Domino.

Thanks to Jess efforts and contributions, there is a workaround that he presented and published recently in a series of blog articles on this very topic.  His solution is to configure nginx as a reverse proxy for Domino so that SHA-2 certificates can be used with Domino. nginx is not just a Linux solution but can also be a Windows solution since it is available for the Windows platform.

Jesse's article focused on setting up nginx reverse proxy on a Ubuntu server.  My comments here are about the differences between what Jesse explained for the Ubuntu server and what you will encounter in configuring nginx on CentOS in particular CentOS 6.5.

A great resource to guide you through the process of installing Nginx on CentOS can be found here:

http://www.rackspace.com/knowledge_center/article/centos-installing-nginx-via-yum

By default the installation will not create site-available and site-enabled directories as it would in Ubuntu.  And they are not needed. A series of default SSL configure files will be created in the /etc/nginx/config.d directory including a ssl.conf template file and default.conf.   Make a copy of the ssl.conf file with the suggested renaming convention that Jesse explained and edit it in accordance to Jesse's instructions.  One thing to remember is that you need to rename the default.conf file in order for your new conf file to work.  If not, the default.conf file will override your new conf file settings.

After installing nginx you will need to create a request key for the SSL certficates

1. Create a directory for the SSL certificates, # sudo mkdir /etc/nginx/ssl

2. Switch to this directory # cd /etc/nginx/ssl

3. Create the request

# sudo openssl req -new -days 365 -sha256 -nodes -keyout example.com.key -out example.com.csr -newkey rsa:2048 

Notes: 
leave out -sha256 for a SHA-1 request.
the -keyout parameter is the filename is the name of the key file that will be created
the -out parameter is the name of the request that will be sent to the certificate authority
in response to this command, you will asked to provide the organizational information and address, etc.
if the certificate expiration is to be different than one year, change -days 365 to the desired number of days

4. Limit access to the key , # sudo chmod 400 portal2.phoragroup.com.key

5. Send the .csr file to the certificate provider for signing. They will send back a crt file.

6. Limit access to the signed certificate, # sudo chmod 400 example.com.crt

7. The certificate authority may send back multiple files. If so, then concatenate them:

# sudo cat example.com.crt  root1.crt > example.com.combined.crt

Notes:
The CRT file with your hostname.crt should be first. If there is more than one root or intermediate certificates, not sure of the order of those (try it and see).


After concatenating the keys to create the combined file, make sure you have a carriage return between the beginning and ending of each certificate. If you do not do this you will get an ERROR.

# sudo vi example.com.combined.crt 


The process is relatively easy even for a Linux newbie like myself.  We are planning to add nginx as our reverse proxy for all our installations of Domino.  One advantage of having nginx as reverse proxy is that by having Domino connect using http instead of https for the reverse proxy, there is less loading on the Domino server and the system as a whole can handle more https connections.
 
The installation process of the SSL certificate follows the standard convention used by most solutions rather than the specific approach required by Domino.  Therefore, there is much more documentation available.

Additional articles I suggest one read is:
 
http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/

Please note, that if you have Network Solutions, they still do not have SHA-2 certificates available yet.  Can't believe that.

To learn more on how to install CentOS and Domino, Devin Olson has a series of great videos and pdfs on Youtube. 

http://www.youtube.com/watch?v=geBE13qqz7w


If you want to chat with the ICS Linux, sign up for the ICS Linux Chat on Skype that was started by our friend Bill Malchisky. 

Comments

techtalk87 said…
Hello,

Thanks for posting this. Could you elaborate on the nginx configuration for using it as a reverse proxy for domino. We are getting errors such as too many open files, request header or cookie too large. This is even after increasing the file number limit on our linux server.

Thank you in advance.

Popular posts from this blog

The iPhora Journey - Part 8 - Flow-based Programming

After my last post in this series -- way back in September 2022, several things happened that prevented any further installments. First came CollabSphere 2022 and then CollabSphere 2023, and organizing international conferences can easily consume all of one's spare time. Throughout this same time period, our product development efforts continued at full speed and are just now coming to fruition, which means it is finally time to continue our blog series. So let's get started... As developers, most of us create applications through the conscious act of programming, either procedural, as many of us old-timers grew up with, or object-oriented, which we grudgingly had to admit was better. This is true whether we are using Java, LotusScript, C++ or Rust on Domino. (By the way, does anyone remember Pascal? When I was in school, I remember being told it was the language of the future, but for some reason it didn't seem to survive past the MTV era).  But in the last decade, there a

Creating Twitter Bootstrap Widgets - Part II - Let's Assemble

Creating Twitter Bootstrap Widgets - Part I - Anatomy of a Widget Creating Twitter Bootstrap Widgets - Part II - Let's Assemble Creating Twitter Bootstrap Widgets - Part IIIA - Using Dojo To Bring It Together This is two part of my five part series "Creating Twitter Bootstrap Widgets".   As I mentioned in part one of this series, Twitter Bootstrap widgets are built from a collection standard HTML elements, styled, and programmed to function as a single unit. The goal of this series is to teach you how to create a Bootstrap widget that utilizes the Bootstrap CSS and Dojo. The use of Dojo with Bootstrap is very limited with the exception of Kevin Armstrong who did an incredible job with his Dojo Bootstrap, http://dojobootstrap.com. Our example is a combo box that we are building to replace the standard Bootstrap combo box. In part one, we built a widget that looks like a combo box but did not have a drop down menu associated with it to allow the user to make a select

The iPhora Journey - Part 3 - Creating an Integrated UI Framework

The iPhora Journey - Part 1 - Reimagining Domino The iPhora Journey - Part 2 - Domino, the Little Engine that Could The iPhora Journey - Part 3 - Creating an Integrated UI Framework There are many ways to create the user interface (UI) for a web application. The HTML page could be created on the server and then pushed out. It could be static with the data generated on the page by the server with JavaScript, providing a more dynamic experience, or the server could generate new HTML content to update portions of the web page. XPages or PHP are good examples of this. Another method is to have the web page partially generated by the server and have JavaScript build the rest of the HTML by pulling data from the server via an API. This is the approach used in the Single Page Application (SPA) model. In all cases, it is still dependent on the web server technology being using.  As mentioned previously in this blog, XPages is dependent on complete integration between form and document, which e