Skip to main content

Installing Nginx Reverse Proxy on CentOS for Domino Our Experience

Over the past few weeks there has been a significant number of discussions about Domino and the lack of SHA-2 support.  Jesse Gallagher had an entire MWLUG 2014 session on this very topic.  When I ask Jesse to present on this topic, unbeknownst to me what a hot topic this would become and so timely.  First, IBM should have fixed these problems years ago.  For us this is a critical issue that if not addressed will kill the market for Domino.

Thanks to Jess efforts and contributions, there is a workaround that he presented and published recently in a series of blog articles on this very topic.  His solution is to configure nginx as a reverse proxy for Domino so that SHA-2 certificates can be used with Domino. nginx is not just a Linux solution but can also be a Windows solution since it is available for the Windows platform.

Jesse's article focused on setting up nginx reverse proxy on a Ubuntu server.  My comments here are about the differences between what Jesse explained for the Ubuntu server and what you will encounter in configuring nginx on CentOS in particular CentOS 6.5.

A great resource to guide you through the process of installing Nginx on CentOS can be found here:

By default the installation will not create site-available and site-enabled directories as it would in Ubuntu.  And they are not needed. A series of default SSL configure files will be created in the /etc/nginx/config.d directory including a ssl.conf template file and default.conf.   Make a copy of the ssl.conf file with the suggested renaming convention that Jesse explained and edit it in accordance to Jesse's instructions.  One thing to remember is that you need to rename the default.conf file in order for your new conf file to work.  If not, the default.conf file will override your new conf file settings.

After installing nginx you will need to create a request key for the SSL certficates

1. Create a directory for the SSL certificates, # sudo mkdir /etc/nginx/ssl

2. Switch to this directory # cd /etc/nginx/ssl

3. Create the request

# sudo openssl req -new -days 365 -sha256 -nodes -keyout -out -newkey rsa:2048 

leave out -sha256 for a SHA-1 request.
the -keyout parameter is the filename is the name of the key file that will be created
the -out parameter is the name of the request that will be sent to the certificate authority
in response to this command, you will asked to provide the organizational information and address, etc.
if the certificate expiration is to be different than one year, change -days 365 to the desired number of days

4. Limit access to the key , # sudo chmod 400

5. Send the .csr file to the certificate provider for signing. They will send back a crt file.

6. Limit access to the signed certificate, # sudo chmod 400

7. The certificate authority may send back multiple files. If so, then concatenate them:

# sudo cat  root1.crt >

The CRT file with your hostname.crt should be first. If there is more than one root or intermediate certificates, not sure of the order of those (try it and see).

After concatenating the keys to create the combined file, make sure you have a carriage return between the beginning and ending of each certificate. If you do not do this you will get an ERROR.

# sudo vi 

The process is relatively easy even for a Linux newbie like myself.  We are planning to add nginx as our reverse proxy for all our installations of Domino.  One advantage of having nginx as reverse proxy is that by having Domino connect using http instead of https for the reverse proxy, there is less loading on the Domino server and the system as a whole can handle more https connections.
The installation process of the SSL certificate follows the standard convention used by most solutions rather than the specific approach required by Domino.  Therefore, there is much more documentation available.

Additional articles I suggest one read is:

Please note, that if you have Network Solutions, they still do not have SHA-2 certificates available yet.  Can't believe that.

To learn more on how to install CentOS and Domino, Devin Olson has a series of great videos and pdfs on Youtube.

If you want to chat with the ICS Linux, sign up for the ICS Linux Chat on Skype that was started by our friend Bill Malchisky. 


techtalk87 said…

Thanks for posting this. Could you elaborate on the nginx configuration for using it as a reverse proxy for domino. We are getting errors such as too many open files, request header or cookie too large. This is even after increasing the file number limit on our linux server.

Thank you in advance.

Popular posts from this blog

Creating Twitter Bootstrap Widgets - Part II - Let's Assemble

Creating Twitter Bootstrap Widgets - Part I - Anatomy of a Widget Creating Twitter Bootstrap Widgets - Part II - Let's Assemble Creating Twitter Bootstrap Widgets - Part IIIA - Using Dojo To Bring It Together This is two part of my five part series "Creating Twitter Bootstrap Widgets".   As I mentioned in part one of this series, Twitter Bootstrap widgets are built from a collection standard HTML elements, styled, and programmed to function as a single unit. The goal of this series is to teach you how to create a Bootstrap widget that utilizes the Bootstrap CSS and Dojo. The use of Dojo with Bootstrap is very limited with the exception of Kevin Armstrong who did an incredible job with his Dojo Bootstrap, Our example is a combo box that we are building to replace the standard Bootstrap combo box. In part one, we built a widget that looks like a combo box but did not have a drop down menu associated with it to allow the user to make a select

The iPhora Journey - Part 8 - Flow-based Programming

After my last post in this series -- way back in September 2022, several things happened that prevented any further installments. First came CollabSphere 2022 and then CollabSphere 2023, and organizing international conferences can easily consume all of one's spare time. Throughout this same time period, our product development efforts continued at full speed and are just now coming to fruition, which means it is finally time to continue our blog series. So let's get started... As developers, most of us create applications through the conscious act of programming, either procedural, as many of us old-timers grew up with, or object-oriented, which we grudgingly had to admit was better. This is true whether we are using Java, LotusScript, C++ or Rust on Domino. (By the way, does anyone remember Pascal? When I was in school, I remember being told it was the language of the future, but for some reason it didn't seem to survive past the MTV era).  But in the last decade, there a

The iPhora Journey - Part 4 - JSON is King - The How

  The iPhora Journey - Part 1 - Reimagining Domino The iPhora Journey - Part 2 - Domino, the Little Engine that Could The iPhora Journey - Part 3 - Creating an Integrated UI Framework The iPhora Journey - Part 4 - JSON is King - The Why The iPhora Journey - Part 4 - JSON is King - The How As we mentioned yesterday, in reimagining Domino, we wanted Domino to be a modern web application server, one that utilized a JSON-based NoSQL database and be more secure compared to other JSON-based NoSQL platforms. A Domino document existing within a Domino database is the foundational data record used in iPhora, just as it is with traditional Domino applications. But instead of just storing data into individual fields, we wanted to store and process the JSON in a Domino document.  However, text fields (AKA summary fields) in Domino documents are limited to only 64 KBytes, and that is a serious limitation. 64 KBytes of JSON data does not even touch what the real world typically transfers back and fo