Jump to content

How to enable TLS 1.3 in CWP Nginx reverse proxy


Recommended Posts

In this tutorial we’ll Build NGINX from source and enable TLS 1.3 in Linux server. TLS 1.3 is secure and fast TLS protocol till now it have its own benefits like security and performance, the website using TLS 1.3 loads faster and is more secure.

Transportation Layer Security (TLS) 1.3 protocol provides unparalleled privacy and performance compared to previous versions of TLS and non-secure HTTP. Performance has a major impact on user experience. TLS 1.3 represents a pivotal turning point for HTTPS performance. Modern mobile networks will routinely add over 100ms of latency to each request. TLS 1.3 makes page load times significantly faster for mobile devices, improving the user experience for your visitors.

To build Nginx from source we need to remove any nginx installed from other sources like from official repository or from 3rdpart repository.

Step 1 :

First backup current nginx dir which contains configurations and vhosts :

cp -r /etc/nginx /etc/nginx.bak


Step 2 :

Remove Nginx :

yum remove nginx*


Step 3 :

Downloading dependencies and openssl :

Install deps from yum /centos7/8/el7/8 :

yum install -y perl perl-devel perl-ExtUtils-Embed libxslt libxslt-devel libxml2 libxml2-devel gd gd-devel GeoIP GeoIP-devel perl-IPC-Cmd


PCRE download :

cd /usr/local/src
rm -rf pcre*
wget https://github.com/mysterydata/md-disk/raw/main/pcre-8.45.zip
unzip pcre-8.45.zip


ZLIB download :

cd /usr/local/src
rm -rf zlib*
wget https://github.com/madler/zlib/releases/download/v1.2.13/zlib-1.2.13.tar.gz -O zlib.tar.gz
tar zxvf zlib.tar.gz
rm -rf zlib.tar.gz
mv zlib-* zlib


Download openssl 3.0 :

cd /usr/local/src
rm -rf openssl*
wget https://www.openssl.org/source/openssl-3.0.12.tar.gz -O openssl.tar.gz
tar -xf openssl.tar.gz
rm -rf openssl.tar.gz
mv openssl-* openssl


Step 3 :

Building Nginx from source :

cd /usr/local/src
rm -rf nginx*
wget http://nginx.org/download/nginx-1.24.0.tar.gz
tar zxvf nginx-1.24.0.tar.gz
cd nginx-1.24.0
./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --user=nginx --group=nginx --build=CentOS --builddir=nginx-custom --with-select_module --with-poll_module --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --with-compat --with-pcre=/usr/local/src/pcre-8.45 --with-pcre-jit --with-zlib=/usr/local/src/zlib --with-openssl=/usr/local/src/openssl  --with-openssl-opt=no-nextprotoneg --with-debug  
make && make install


Step 4 :

Now copy the config from the backup done before :

cat /etc/nginx.bak/nginx.conf > /etc/nginx/nginx.conf


Step 5 :

Creating systemed service file for nginx and disable nginx to install via yum package manager :

now create the systemed service file for nginx :

nano /usr/lib/systemd/system/nginx.service


and paste this to it and save :

[Unit]
Description=nginx - high performance web server
Documentation=https://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /etc/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target


Disable nginx in yum/dnf package manager for not to override your compiled nginx [important] :

Centos 7/el7 :

cat /etc/yum.conf |grep "^exclude="|grep nginx 1> /dev/null 2> /dev/null || echo 'exclude=nginx*' >> /etc/yum.conf 


Centos 8/el8 :

cat /etc/dnf/dnf.conf |grep "^exclude="|grep nginx 1> /dev/null 2> /dev/null || echo 'exclude=nginx*' >> /etc/dnf/dnf.conf 


Step 6 :

Enabling TLSv1.3 in nginx :

Now we’ll add TLS 1.3 entry in all nginx vhost and in nginx.conf

sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/conf.d/vhosts/*.conf /usr/local/cwpsrv/htdocs/resources/conf/web_servers/main/nginx/conf/nginx.conf
systemctl restart nginx
systemctl enable nginx


** in CWP you need to do some extra steps which is mentioned below in Step

If you’re not using CWP then you’re done configuring TLS 1.3

Step 7 :

Ensure you create proper template for nginx in CWP else on every webserver build or ssl renew TLS 1.3 will be disabled

you need to copy the existing templates (tpl and stpl) and edit the stpl file and replace this line with new one :

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;


with

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;


that is only TLSv1.3 is need to be added before Semicolons ;

for example if you’re using default template for website you need to copy default templates to custom name example default-tls13.tpl and default-tls13.stpl ensure you’re using this template as a default for all domains and sub domain else tls 1.3 will not work by going to CWP.admin >> Webserver settings >> WEbservers Main conf choose Nginx default Vhost template from drop down menu which you created via below commands (default-tls13/force-https-http2-tls13). If you’re using php-fpm + nginx do the same for Nginx default PHP-FPM template

to copy the template to custom name do this :

cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp -r default.stpl default-tls13.stpl
cp -r default.tpl default-tls13.tpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' default-tls13.tpl default-tls13.stpl


** you can replace the “default” with the template name like for http2 “force-https-http2” template eg :

cd /usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx
cp -r force-https-http2.stpl force-https-http2-tls13.stpl
cp -r force-https-http2.tpl force-https-http2-tls13.tpl
sed -i 's/TLSv1.2;/TLSv1.2 TLSv1.3;/g' force-https-http2-tls13.tpl force-https-http2-tls13.stpl


*** if you’re using nginx + fpm go to “/usr/local/cwpsrv/htdocs/resources/conf/web_servers/vhosts/nginx/php-fpm” dir and do the same for it too as above.

After running the above command lock this files if you don’t change nginx main config and Hostname of the server :

chattr +i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf


If you want to change nginx main conf or change the server hostname just unlock this files and then rebuild webserver config or vhost :

chattr -i /etc/nginx/conf.d/hostname-ssl.conf /etc/nginx/nginx.conf


***after edit and webserver rebuild or vhost rebuild just lock the files again.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...