The second post of our series about protecting SSL private keys shows how to set up HashiCorp Vault to store the passwords that protect private keys, and to configure NGINX to retrieve the passwords. We also discuss using a hardware security module for even greater security.
We describe three progressively more secure ways to protect SSL private keys when configuring NGINX to handle HTTPS traffic: allowing read access only to the root user, encrypting keys with separately stored passwords, and distributing passwords from a central repository.
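The following configuration, added here as an illustration and not taken from the post itself, shows the first two of those approaches together: the key file on disk is encrypted, and its passphrase sits in a separate file that only root can read. Paths and names are placeholders; the third approach (pulling the passphrase from a central store such as Vault) only changes how the passphrase file is produced before NGINX starts and is not shown.

```nginx
# Added example, not from the original post. Paths are placeholders.
#
# File permissions (set outside this config, e.g. with chown/chmod):
#   /etc/nginx/ssl/example.com.key   root:root 0400  (PEM, passphrase-encrypted)
#   /etc/nginx/ssl/example.com.pass  root:root 0400  (one passphrase per line)
#
# The master process loads certificates and keys as root while parsing the
# configuration, so the unprivileged worker processes run as 'nginx' never
# need read access to either file.
user nginx;

events {}

http {
    server {
        listen 443 ssl;
        server_name example.com;

        ssl_certificate     /etc/nginx/ssl/example.com.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;

        # Passphrases in this file are tried in order until one decrypts
        # the key; keeping it separate from the key means a copy of the
        # key alone is useless.
        ssl_password_file   /etc/nginx/ssl/example.com.pass;

        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

Check the result with `nginx -t` as root; if the passphrase file is missing or wrong, the test fails at load time rather than on the first client connection, which is the behaviour you want.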
The $ssl_preread_protocol variable introduced in NGINX 1.15.2 lets the stream (TCP) proxy distinguish SSL/TLS from other protocols: with ssl_preread enabled, it holds the highest TLS version the client offers in its ClientHello, and is empty if the connection does not start with a ClientHello. One use is to work around firewall restrictions by running, for example, SSL/TLS and SSH services on the same port and routing each to its own backend.
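As an added example (not the post's own configuration), this stream block routes TLS and SSH clients arriving on one port to different backends based on $ssl_preread_protocol. Backend addresses and upstream names are placeholders.

```nginx
# Added example, not from the original post. Addresses are placeholders.
stream {
    upstream ssh_backend {
        server 192.0.2.10:22;
    }
    upstream tls_backend {
        server 192.0.2.20:443;
    }

    # With ssl_preread on, $ssl_preread_protocol is the highest TLS version
    # the client offers in its ClientHello, or "" when the first bytes the
    # client sends are not a ClientHello (e.g. an SSH identification string).
    map $ssl_preread_protocol $selected_backend {
        ""      ssh_backend;   # not TLS: hand the connection to the SSH server
        default tls_backend;   # any recognised SSL/TLS version
    }

    server {
        listen 443;
        ssl_preread on;          # inspect the ClientHello without terminating TLS
        preread_timeout 10s;     # how long to wait for the client's first bytes
        proxy_pass $selected_backend;
    }
}
```

This only works for protocols in which the client speaks first. SSH clients send their identification string immediately, so they are routed on the first read; a client that waits for the server to talk first sends nothing, and the connection sits in the preread phase until preread_timeout expires. Note also that nothing here authenticates the client: the port is reachable from wherever the firewall allows 443, so the SSH server behind it still needs its own hardening.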
Top 5 2017 blog posts: NGINX Plus Release 12, microservices, load balancing, security, and the NGINX Application Platform.
Alexey Ivanov, Site Reliability Engineer at Dropbox, goes into depth on optimizing NGINX web servers for high throughput and low latency.
Learn how to use the Let’s Encrypt client to generate RSA certificates and automatically configure NGINX to use the newly issued certificates.