This article describes configuring Anaconda Repository behind the Nginx web proxy/server, with SSL enabled. Running Anaconda Repository in this mode offloads the SSL processing and overhead to Nginx, making the web server management more familiar to most Linux sysadmins.
These directions make the following assumptions:
- RHEL/CentOS 7.x
- Anaconda Repository is running on TCP port 8080 (default)
- Nginx is available/installable via yum
1. Configure AE4 per the docs
2. Install Nginx:
Install EPEL yum repos if necessary:
    sudo yum install -y epel-release
Install Nginx:
    sudo yum install -y nginx
3. Configure Nginx to listen on 443 (SSL) and proxy to AE4 on port 8080
Edit /etc/nginx/nginx.conf and add the following section to the bottom of the file:
server {
    listen 443 ssl;                               # enable TLS on this listener
    server_name repo.dev.anaconda.com;
    ssl_certificate /etc/nginx/server.crt;        # SSL server cert + intermediate cert
    ssl_certificate_key /etc/nginx/server.key;    # SSL key
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2;                        # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    location / {
        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8080;
        proxy_read_timeout 90;
        # Rewrite backend redirects so clients stay on the HTTPS hostname
        proxy_redirect http://localhost:8080 https://repo.dev.anaconda.com;
    }
}
4. Configure Nginx to redirect port 80 to SSL (optional)
Edit /etc/nginx/nginx.conf and replace the default server section with the following:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
5. Restart Nginx to enable the configuration:
    sudo systemctl restart nginx
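An added example (not part of the original article or of Anaconda's tooling): a small Python audit that parses server blocks like the ones in steps 3 and 4 and flags the obsolete `ssl on;` directive, a port 443 listener on which TLS is not enabled, and protocol versions older than TLS 1.2. The function names, the finding labels and the sample configuration (including the hostname repo.example.test) are constructed for illustration.

```python
import re

WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1 deprecated by RFC 8996

def parse_server_blocks(conf):
    """Return one {directive: [argument lists]} dict per server block."""
    conf = re.sub(r"#[^\n]*", "", conf)                   # strip comments
    servers, stack, words = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", conf):
        if tok == "{":
            stack.append(words[0] if words else "")
            if stack[-1] == "server":
                servers.append({})
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and words and "server" in stack:  # nested locations included
            servers[-1].setdefault(words[0], []).append(words[1:])
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    return servers

def audit_tls(conf):
    """Return (server_name, finding) pairs for TLS weaknesses in conf."""
    findings = []
    for srv in parse_server_blocks(conf):
        name = " ".join(srv.get("server_name", [["(unnamed)"]])[0])
        listens = srv.get("listen", [])
        ssl_on = ["on"] in srv.get("ssl", [])
        if ssl_on:                                        # obsolete since nginx 1.15.0
            findings.append((name, "deprecated-ssl-on"))
        if not ssl_on and not any("ssl" in a[1:] for a in listens):
            if any(a and a[0].rsplit(":", 1)[-1] == "443" for a in listens):
                findings.append((name, "port-443-without-tls"))
            continue                                      # plain-HTTP block
        protocols = {p for args in srv.get("ssl_protocols", []) for p in args}
        findings += [(name, "weak-protocol-" + p) for p in sorted(protocols & WEAK)]
    return findings

# Constructed sample (hostname is a placeholder), not a real deployment.
SAMPLE = """
server { listen 443; server_name repo.example.test; ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2; location / { proxy_pass http://localhost:8080; } }
server { listen 80; return 301 https://$host$request_uri; }
"""
if __name__ == "__main__":
    for name, finding in audit_tls(SAMPLE):
        print(f"{name}: {finding}")
```

The tokenizer does not handle quoted strings or follow include files, so a clean result is a first pass only; `sudo nginx -t` remains the authoritative syntax check before restarting.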