Thanks to Let’s Encrypt, serving a web application over HTTPS is easy and affordable for anyone. This page describes how to use NGINX as a reverse SSL proxy in front of OpenNMS, with the certificate obtained from Let’s Encrypt.
Before you begin:
An OpenNMS Horizon web application is running and listens on port 8980. The NGINX proxy is installed on a separate machine with a public-facing IP address and an assigned public domain name.
This example uses NGINX installed on Ubuntu LTS. Configuration files are created in the folder /etc/nginx/sites-available. Any file linked into /etc/nginx/sites-enabled is loaded automatically when NGINX starts. These paths differ between distributions.
Certbot, the Let’s Encrypt client, is installed on the NGINX proxy; certificate issuance and renewal are done by running the certbot command.
Creating a reverse proxy site
Step 1: Add a site configuration in /etc/nginx/sites-available/horizon-proxy.conf
upstream onms_server {
    server 172.23.42.11:8980;
}

server {
    listen 80;
    server_name mynms.acme.com;

    # maintain the .well-known directory alias for Let's Encrypt renewals
    location /.well-known {
        alias /var/www/mynms.acme.com/.well-known;
    }

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Enable WebSocket for browser notifications in Horizon 24+
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://onms_server;
        proxy_read_timeout 90;
    }
}
Step 2: Create a .well-known directory to allow certificate updates
Create the directory /var/www/mynms.acme.com/.well-known. Let’s Encrypt fetches its validation files from this location when obtaining and renewing your certificates.
Step 3: Link the configuration file and restart NGINX
# Use absolute paths: a relative target such as "sites-available/horizon-proxy.conf"
# is resolved relative to sites-enabled/ and would produce a dangling symlink
ln -s /etc/nginx/sites-available/horizon-proxy.conf /etc/nginx/sites-enabled/horizon-proxy.conf
# Validate the configuration before restarting so a typo cannot take the proxy down
nginx -t
systemctl restart nginx
Step 4: Verify the proxy connection by logging in to your web app at http://mynms.acme.com/opennms.
Step 5: Install a Let’s Encrypt certificate
certbot --nginx -d mynms.acme.com
Certbot asks whether it should redirect all HTTP requests to HTTPS. If you accept, it rewrites your NGINX configuration file to the following:
upstream onms_server {
    server 172.23.42.11:8980;
}

server {
    server_name mynms.acme.com;

    # maintain the .well-known directory alias for Let's Encrypt renewals
    location /.well-known {
        alias /var/www/mynms.acme.com/.well-known;
    }

    location / {
        add_header Front-End-Https on;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Enable WebSocket for browser notifications in Horizon 24+
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://onms_server;
        proxy_read_timeout 90;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mynms.acme.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mynms.acme.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = mynms.acme.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mynms.acme.com;
    return 404; # managed by Certbot
}
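Two things in the rewritten configuration matter for security and are easy to lose in later hand edits: the plain-HTTP server must keep redirecting to https://, and the TLS server must keep passing the original Host and scheme to OpenNMS. The following script is an added example, not part of this page or of OpenNMS; it contains a small parser for nginx's directive syntax and checks a configuration text for those properties. The embedded configuration is a constructed copy of the Step 5 layout with placeholder hostname and upstream address.

```python
"""Sanity-check a Certbot-style nginx reverse-proxy configuration (added example)."""
import re

# Constructed sample in the shape of the Step 5 configuration above.
# Hostname and upstream address are placeholders, not values from the page.
SAMPLE_CONF = """
upstream onms_server {
    server 192.0.2.11:8980;
}
server {
    server_name nms.example.test;
    location /.well-known {
        alias /var/www/nms.example.test/.well-known;
    }
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://onms_server;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nms.example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nms.example.test/privkey.pem;
}
server {
    if ($host = nms.example.test) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name nms.example.test;
    return 404;
}
"""


def parse(text):
    """Parse nginx config into a tree of (name, args, children) tuples.

    Comments are stripped first. A simple directive has children=None;
    a block directive (server, location, if, ...) has a list of children.
    """
    text = re.sub(r"#.*", "", text)
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    stack = [[]]      # stack of child lists; stack[0] is the root
    current = []      # tokens of the directive being read
    for tok in tokens:
        if tok == "{":
            block = (current[0], current[1:], [])
            stack[-1].append(block)
            stack.append(block[2])
            current = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if current:
                stack[-1].append((current[0], current[1:], None))
            current = []
        else:
            current.append(tok)
    return stack[0]


def directives(block, name):
    """Yield (args, children) for every directive called `name`, recursively."""
    for n, args, children in block:
        if n == name:
            yield args, children
        if children:
            yield from directives(children, name)


def check(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse(text)
    findings = []
    # Only block-style "server { ... }" count; "server addr;" inside upstream has no children.
    servers = [c for _, c in directives(conf, "server") if c is not None]
    tls = [s for s in servers if any("ssl" in args for args, _ in directives(s, "listen"))]
    plain = [s for s in servers if not any(s is t for t in tls)]

    if len(tls) != 1:
        findings.append("expected exactly one 'listen 443 ssl' server block")
    for s in tls:
        for d in ("ssl_certificate", "ssl_certificate_key"):
            if not any(True for _ in directives(s, d)):
                findings.append(f"TLS server lacks {d}")
        headers = {args[0]: args[1:] for args, _ in directives(s, "proxy_set_header") if args}
        if headers.get("X-Forwarded-Proto") != ["$scheme"]:
            findings.append("backend is not told the original scheme (X-Forwarded-Proto $scheme)")
        if headers.get("Host") != ["$host"]:
            findings.append("backend does not receive the original Host header")
    for s in plain:
        redirects = any(args[:1] == ["301"] and len(args) > 1 and args[1].startswith("https://")
                        for args, _ in directives(s, "return"))
        if not redirects:
            findings.append("plain HTTP server does not redirect to https://")
    return findings


if __name__ == "__main__":
    print(check(SAMPLE_CONF) or "all checks passed")
```

Run it against your own file with `check(open("/etc/nginx/sites-available/horizon-proxy.conf").read())` after each change; the parser deliberately ignores `include` files, so it only judges what is in that one file.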
Step 6: Configure the OpenNMS web app to use https instead of http in its base URL
Because NGINX terminates TLS and talks plain HTTP to OpenNMS, OpenNMS must be told the external URL explicitly. Create a custom properties file opennms.properties.d/jetty-https.properties with the following content:
opennms.web.base-url = https://%x%c/
Step 7: Restart OpenNMS and restart NGINX.
Test your setup: when you connect to http://mynms.acme.com you should now be redirected to https://mynms.acme.com/opennms/login.jsp.
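Step 6 pins the base URL statically instead of letting the application guess it from request headers. The script below is an added example, not OpenNMS code, showing why that is the safer choice for any application behind a TLS-terminating proxy: it models a backend that builds its login redirect from a configured base URL when one is set, and otherwise honours X-Forwarded-Proto only for connections that actually come from the proxy and only for an allow-listed Host. The proxy network, hostname, context path and request objects are all constructed for the example.

```python
"""Deriving the external base URL behind a TLS-terminating reverse proxy (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed values: the network the NGINX proxy connects from, the public
# hostnames the app may appear under, and the app's context path.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_HOSTS = {"nms.example.test"}
CONTEXT_PATH = "/opennms"
# Equivalent of the Step 6 properties file: a fixed external base URL.
CONFIGURED_BASE_URL = "https://nms.example.test/opennms/"


@dataclass
class Request:
    peer: str       # TCP peer address as seen by the application server
    headers: dict   # request headers (constructed in the tests below)

    def header(self, name):
        """Case-insensitive header lookup; returns None when absent."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def peer_is_proxy(peer):
    """True only when the TCP connection originates from a trusted proxy address."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in TRUSTED_PROXIES)


def external_base_url(req, configured=CONFIGURED_BASE_URL):
    """Return the URL prefix to use in absolute links and redirects.

    Policy, in order of preference:
      1. A statically configured base URL wins (what Step 6 does for OpenNMS).
      2. Otherwise, X-Forwarded-Proto is honoured only when the peer is the proxy;
         a direct client cannot upgrade or downgrade the scheme by sending it.
      3. The Host value must be on the allow-list, so a forged Host header cannot
         steer users to a different origin.
    """
    if configured:
        return configured
    host = req.header("Host")
    if peer_is_proxy(req.peer):
        scheme = req.header("X-Forwarded-Proto") or "http"
    else:
        scheme = "http"   # spoofed forwarding headers from a non-proxy are ignored
    if scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme {scheme!r}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host {host!r} is not an allowed public hostname")
    return f"{scheme}://{host}{CONTEXT_PATH}/"


def login_redirect(req, configured=CONFIGURED_BASE_URL):
    """Absolute Location value for the login page, as Step 7 expects to see."""
    return external_base_url(req, configured) + "login.jsp"


if __name__ == "__main__":
    via_proxy = Request("192.0.2.5", {"Host": "nms.example.test",
                                      "X-Forwarded-Proto": "https"})
    print(login_redirect(via_proxy))
    print(login_redirect(via_proxy, configured=None))
```

The second print shows the header-derived path; with `configured=None` and a request arriving from outside the proxy network, the same headers yield an http:// URL, which is exactly the mixed-scheme redirect problem the static base-url setting avoids.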