Update MITREid Connect Preparative Procedures.md

Add NGINX config settings

Author: sckgh

cc-artifacts/MITREid Connect Preparative Procedures.md

@@ -18,7 +18,9 @@ NOTE: Refer to https://maven.apache.org/download.cgi for the latest version of M
 2. Extract the distribution using ```tar xzvf apache-ant-1.9.16-bin.tar.gz```
 3. Add the ```bin``` directory of the created directory ```apache-ant-1.9.16``` to the ```PATH``` environment variable by adding ```export PATH="<PATH_TO_EXTRACT>/ant-1.9.16/bin:<PATH_TO_EXTRACT>/apache-maven-3.8.7/bin:$PATH``` to ```~/bash.rc``` and executing ```source ~/.bashrc```
 4. Create environmental variable ANT_HOME to <PATH_TO_EXTRACT>/apache-ant-1.9.16/ by adding ```export ANT_HOME=<PATH_TO_EXTRACT>/apache-ant-1.9.16/``` to .bashrc
+
 ## Install Apache Tomcat
+
 1. Create a user group for Tomcat
 ```
 # groupadd tomcat
@@ -32,8 +34,80 @@ NOTE: Refer to https://maven.apache.org/download.cgi for the latest version of M
 # ant
 ```
 5. Follow instructions in RUNNING.txt
-## Install nginx reverse proxy
-1. install nginx with ```sudo apt-get install nginx```
+
+## Install nginx reverse proxy and certificates
+Gor testing purposes, self-signed certificates can be used, but it is suggested that Let's Encrypt is used for externally accessivle instances.
+
+1. Install nginx with ```sudo apt-get install nginx```
+2. Create an intial configuration file the definition for the tomcat server in nginx (note: in this instance, mitre-connect.corp.viden.com is used as an example. Subsitute with your domain)
+
+**/etc/nginx/available-sites/mitre-connect.corp.viden.com.conf**
+```
+server {
+      server_name mitre-connect.corp.viden.com www.mitre-connect.corp.viden.com;
+      }
+```
+ 3. Restart nginx using ```sudo systemctl reload nginx```
+ 4. Enable the ufw firewall and configure ton allow Nginx Full
+```
+sudo ufw allow 'Nginx Full'
+sudo ufw delete allow 'Nginx HTTP'
+```
+ 6. Create a certificate with OpenSSL ```sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt```
+ 7. Create a Diffie-Hellman group for Perfect Forward Secrecy ```sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048```
+ 8. Create a snippet for the certificates
+ **/etc/nginx/snippets/self-signed.conf**
+ ```
+ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+ ```
+ 9. Create a snippet to enable encryption settings
+ **/etc/nginx/snippets/ssl-params.conf**
+ ```
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ecdh_curve secp384r1;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+# Disable preloading HSTS for now.  You can use the commented out header line that includes
+# the "preload" directive if you understand the implications.
+#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+```
+10. Configure default file
+**/etc/nginx/available-sites/default**
+```
+server {
+    listen 8080 default_server;
+    listen [::]:8080 default_server;
+    server_name 10.0.40.101;
+    return 302 https://$server_name$request_uri;
+}
+
+server {
+
+    # SSL configuration
+
+    listen 443 ssl http2 default_server;
+    listen [::]:443 ssl http2 default_server;
+    include snippets/self-signed.conf;
+    include snippets/ssl-params.conf;
+    }
+```
+TODO: Copy in ubuntu from my local to /etc/nginx/sites-available
+ 11:wq
+ 12. Enable the ufw firewall and configure to allow Nginx Full
+ 13. Restart nginx using ```sudo systemctl reload nginx```  
+      
 ## Install MITREid Connect
 
 # Example Setup Script