Security/DNSSEC-TLS-nginx

From MozillaWiki

This page details how to set up a server running a modified version of nginx that uses a self-signed certificate with the DNSSEC TLS extension to authenticate https sessions. It's probably safest to do this in a virtual machine. However, for the brave, simply skip the VM-specific steps.

  1. Set up a linux VM and enable a host-only network adapter so you can talk to it as well as a NAT'd adapter so it can talk to the internet (outside the scope of this article)
  2. In that VM, do the following:
  3. Install and set up bind9:
    1. 'apt-get install bind9' (the package name may differ on your distribution)
    2. Set up keys and zone files (see here, except using dnssec-keygen and dnssec-signzone instead of zonesigner). This will involve getting your DS set signed by your zone's parent.
    3. Make a self-signed certificate
    4. Make a TLSA record using cert2tlsa.sh (and put this in your zone file)
    5. Sign the zones
    6. Start the dns server
  4. Get sources:
    1. ldns-1.6.10.tar.gz
    2. nginx-1.0.5.tar.gz
    3. openssl-1.0.0d.tar.gz
  5. Get patches:
    1. nginx-1.0.5-dnssectls.patch
    2. openssl-1.0.0d-dnssectls.patch
  6. Install a local copy of ldns:
    1. Untar the archive and cd to the directory
    2. Run './configure --disable-gost --prefix=$HOME/local'
    3. Run 'make', 'make install'
    4. (If you prefer, simply build it without installing and link against the static libs when necessary.)
  7. Make a dnssec chain:
    1. Use generate.c
    2. Or `dig +sigchase +trusted-key=[root key file] [domain name] TYPE65468 > output`, edit out the non-dns information in that file, and then run `./convert < output > dnssecchain` using convert.c
  8. Unpack and patch a local copy of openssl:
    1. Untar the archive and cd to the directory
    2. Apply the patch
    3. You don't actually have to configure, compile or install it (the nginx build does what it needs with this openssl directory)
  9. Build nginx:
    1. Untar the archive and cd to the directory
    2. Apply the patch
    3. Run './configure --with-openssl=$HOME/openssl-1.0.0d --with-http_ssl_module --without-http_rewrite_module --prefix=`pwd`', 'make'
  10. 'mkdir logs' to make nginx happy
  11. Make sure you don't have other webservers running on the machine (Ubuntu seems to have one by default)
  12. Put the paths to the appropriate certificate and key files in conf/nginx.conf (the certificate must be the one the TLSA record identifies)
  13. Put the path to the appropriate dnssec chain file in conf/nginx.conf (created using generate.c, above)
  14. Start nginx: 'sudo ./objs/nginx' (nginx builds its binary into objs/)
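The step the setup above most often gets wrong is the binding between the TLSA record in the zone and the certificate nginx actually serves. The following added example (not cert2tlsa.sh and not part of the original page) generates the record from a DER certificate and checks a served certificate against a record, covering both selectors (full certificate, SubjectPublicKeyInfo) and all three matching types. It assumes the RFC 6698 layout (usage, selector, matching type, data) with usage 3 for the self-signed case; the 2011 patches and the private-use TYPE65468 on this page predate that RFC, so the exact wire layout they expect is an assumption here, and the sample certificate is a constructed DER skeleton, not a real certificate.

```python
import hashlib

def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths below 65536), used only to build the sample certificate."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + payload

def der_read(buf: bytes, pos: int):
    """Decode one TLV at pos; returns (tag, payload, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n

def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, cert_body, _ = der_read(cert_der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body, 0)        # tbsCertificate ::= SEQUENCE
    pos, fields = 0, []
    while pos < len(tbs):
        tag, _, nxt = der_read(tbs, pos)
        fields.append((tag, tbs[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:                  # explicit [0] version is optional (absent in v1 certs)
        fields = fields[1:]
    return fields[5][1]                       # serial, signature, issuer, validity, subject, SPKI

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Association data for a TLSA selector (0 = full cert, 1 = SPKI) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512)."""
    obj = cert_der if selector == 0 else spki_from_cert(cert_der)
    return obj if mtype == 0 else (hashlib.sha256(obj) if mtype == 1 else hashlib.sha512(obj)).digest()

def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Presentation form of the TLSA RR for the zone file, e.g. '3 0 1 <sha256 hex>' (assumed RFC 6698 layout)."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(cert_der: bytes, rr: str) -> bool:
    """Check the certificate a server presents against one TLSA RR (usage 2/3 style: no PKIX path validation here)."""
    _usage, selector, mtype, data = rr.split()
    return tlsa_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(data)

# Constructed sample input: a structurally valid v3 certificate skeleton with a dummy key and signature.
# It would not verify anywhere; it exists only so the functions above have something to parse.
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, b"\x00" + b"\x42" * 16))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SPKI)
CERT_DER = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    record = tlsa_rdata(CERT_DER)
    print("_443._tcp.www.example.net. IN TLSA", record, "| match:", tlsa_matches(CERT_DER, record))
```

To check a live deployment, replace CERT_DER with the DER of the certificate configured in conf/nginx.conf and the record string with the TLSA RR from the signed zone; a False result means the chain nginx serves will not validate the certificate.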