Configure NGINX Web Server Configure Apache Web Server

Step 3: Configure the Web Server

Update your web server software's configuration to use the HTTPS certificate and corresponding fake PEM private key that you created in the previous step. Remember to backup your existing certificates and keys before you start. This will finish setting up your Linux web server software for SSL/TLS offload with AWS CloudHSM.

Complete the steps from one of the following sections.

Topics

Configure NGINX Web Server
Configure Apache Web Server

Configure NGINX Web Server

Use this section to configure NGINX on supported platforms.

To update the web server configuration for NGINX

Connect to your client instance.
Run the following command to create the required directories for the web server certificate and the fake PEM private key.
```
sudo mkdir -p /etc/pki/nginx/private
```
Run the following command to copy your web server certificate to the required location. Replace <web_server.crt> with the name of your web server certificate.
```
sudo cp <web_server.crt> /etc/pki/nginx/server.crt
```
Run the following command to copy your fake PEM private key to the required location. Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
```
sudo cp <web_server_fake_PEM.key> /etc/pki/nginx/private/server.key
```
Run the following command to change the file ownership so that the user named nginx can read them.
```
sudo chown nginx /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
```
Run the following command to back up the /etc/nginx/nginx.conf file.
```
sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
```

Use a text editor to edit the /etc/nginx/nginx.conf file. At the top of the file, add the following lines:

Amazon Linux


ssl_engine cloudhsm;
env n3fips_password;

Then uncomment the TLS section of the file so that it looks like the following:


# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Amazon Linux 2


ssl_engine cloudhsm;
env n3fips_password;

Then uncomment the TLS section of the file so that it looks like the following:


# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

CentOS 7


ssl_engine cloudhsm;
env n3fips_password;

Then uncomment the TLS section of the file so that it looks like the following:


# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

CentOS 8


ssl_engine cloudhsm;
env CLOUDHSM_PIN;

Then uncomment the TLS section of the file and edit the ssl_protocols and ssl_ciphers to include only the protocols and ciphers specified in the following example:


# Settings for a TLS enabled server.

server {
       listen       443 ssl http2;
       listen       [::]:443 ssl http2;
       server_name  _;
       root         /usr/share/nginx/html;

       ssl_certificate "/etc/pki/nginx/server.crt";
       ssl_certificate_key "/etc/pki/nginx/private/server.key";
       ssl_dhparam /etc/ssl/certs/dhparam.pem;

       ssl_session_cache shared:SSL:1m;
       ssl_session_timeout  10m;
       ssl_protocols TLSv1.2 TLSv1.3;

       ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256";


       # Load configuration files for the default server block.
       include /etc/nginx/default.d/*.conf;

       error_page 404 /404.html;
           location = /40x.html {
       }

       error_page 500 502 503 504 /50x.html;
           location = /50x.html {
       }
   }

Note

Each cluster can support a maximum of 1000 NGINX worker processes across all NGINX web servers.
Client SDK 5 supports only TLS version 1.2 and 1.3 with a select set of cipher suites. Future releases may add support for more protocols and ciphers.

Red Hat 7


ssl_engine cloudhsm;
env n3fips_password;

Then uncomment the TLS section of the file so that it looks like the following:


# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Red Hat 8


ssl_engine cloudhsm;
env CLOUDHSM_PIN;

Then uncomment the TLS section of the file and edit the ssl_protocols and ssl_ciphers to include only the protocols and ciphers specified in the following example:


# Settings for a TLS enabled server.

server {
       listen       443 ssl http2;
       listen       [::]:443 ssl http2;
       server_name  _;
       root         /usr/share/nginx/html;

       ssl_certificate "/etc/pki/nginx/server.crt";
       ssl_certificate_key "/etc/pki/nginx/private/server.key";
       ssl_dhparam /etc/ssl/certs/dhparam.pem;

       ssl_session_cache shared:SSL:1m;
       ssl_session_timeout  10m;
       ssl_protocols TLSv1.2 TLSv1.3;

       ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256";


       # Load configuration files for the default server block.
       include /etc/nginx/default.d/*.conf;

       error_page 404 /404.html;
           location = /40x.html {
       }

       error_page 500 502 503 504 /50x.html;
           location = /50x.html {
       }
   }

Note

Each cluster can support a maximum of 1000 NGINX worker processes across all NGINX web servers.
Client SDK 5 supports only TLS version 1.2 and 1.3 with a select set of cipher suites. Future releases may add support for more protocols and ciphers.

Ubuntu 16.04 LTS


ssl_engine cloudhsm;
env n3fips_password;

Then uncomment the TLS section of the file so that it looks like the following:


# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

Ubuntu 18.04 LTS


ssl_engine cloudhsm;
env CLOUDHSM_PIN;

Then uncomment the TLS section of the file and edit the ssl_protocols and ssl_ciphers to include only the protocols and ciphers specified in the following example:


# Settings for a TLS enabled server.

server {
       listen       443 ssl http2;
       listen       [::]:443 ssl http2;
       server_name  _;
       root         /usr/share/nginx/html;

       ssl_certificate "/etc/pki/nginx/server.crt";
       ssl_certificate_key "/etc/pki/nginx/private/server.key";
       ssl_dhparam /etc/ssl/certs/dhparam.pem;

       ssl_session_cache shared:SSL:1m;
       ssl_session_timeout  10m;
       ssl_protocols TLSv1.2 TLSv1.3;

       ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256";

       # Load configuration files for the default server block.
       include /etc/nginx/default.d/*.conf;

       error_page 404 /404.html;
           location = /40x.html {
       }

       error_page 500 502 503 504 /50x.html;
           location = /50x.html {
       }
   }

Note

Each cluster can support a maximum of 1000 NGINX worker processes across all NGINX web servers.
Client SDK 5 supports only TLS version 1.2 and 1.3 with a select set of cipher suites. Future releases may add support for more protocols and ciphers.

Save the file. This requires Linux root permissions.

Back up the systemd configuration file, and then set the EnvironmentFile path.
Amazon Linux

No action required.

Amazon Linux 2
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
CentOS 7

No action required.

CentOS 8
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Red Hat 7

No action required.

Red Hat 8
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 16.04
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 18.04
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Check if the /etc/sysconfig/nginx file exists, and then do one of the following:
- If the file exists, back up the file by running the following command:
```
$ sudo cp /etc/sysconfig/nginx /etc/sysconfig/nginx.backup
          
```
- If the file doesn't exist, open a text editor, and then create a file named nginx in the /etc/sysconfig/ folder.
  
  Tip
  
  There is no need to back up the newly created file.
Open the /etc/sysconfig/nginx file in a text editor, and then add the Cryptography User (CU) credentials:
Amazon Linux
```
export n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.
Amazon Linux 2
```
export n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.
CentOS 7
```
export n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.
CentOS 8
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.

Note

Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.
Red Hat 7
```
export n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.
Red Hat 8
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.

Note

Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.
Ubuntu 16.04 LTS
```
export n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.
Ubuntu 18.04 LTS
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file. This requires Linux root permissions.

Note

Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.

Start the NGINX web server.

Amazon Linux


$ sudo service nginx start

Amazon Linux 2


$ sudo systemctl start nginx

CentOS 7

No action required.

CentOS 8


$ sudo systemctl start nginx

Red Hat 7

No action required.

Red Hat 8


$ sudo systemctl start nginx

Ubuntu 16.04


$ sudo systemctl start nginx

Ubuntu 18.04


$ sudo systemctl start nginx

(Optional) Configure your platform to start NGINX at start-up.

Amazon Linux


$ sudo chkconfig nginx on

Amazon Linux 2


$ sudo systemctl enable nginx

CentOS 7

No action required.

CentOS 8


$ sudo systemctl enable nginx

Red Hat 7

No action required.

Red Hat 8


$ sudo systemctl enable nginx

Ubuntu 16.04


$ sudo systemctl enable nginx

Ubuntu 18.04


$ sudo systemctl enable nginx

After you update your web server configuration, go to Step 4: Enable HTTPS Traffic and Verify the Certificate.

Configure Apache Web Server

Use this section to configure Apache on supported platforms.

To update the web server configuration for Apache

Connect to your Amazon EC2 client instance.

Define default locations for certificates and private keys for your platform.

Amazon Linux

In this file:


/etc/httpd/conf.d/ssl.conf

Ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Amazon Linux 2

In this file:


/etc/httpd/conf.d/ssl.conf

Ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

CentOS 7

In this file:


/etc/httpd/conf.d/ssl.conf

Ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

CentOS 8

In this file:


/etc/httpd/conf.d/ssl.conf

Ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Red Hat 7

In this file:


/etc/httpd/conf.d/ssl.conf

Ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Red Hat 8

In this file:


/etc/httpd/conf.d/ssl.conf

Ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Ubuntu 16.04 LTS

In this file:


/etc/apache2/sites-available/default-ssl.conf

Add these values:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Ubuntu 18.04 LTS

In this file:


/etc/apache2/sites-available/default-ssl.conf

Add these values:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Copy your web server certificate to the required location for your platform.
Amazon Linux
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Amazon Linux 2
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
CentOS 7
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
CentOS 8
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Red Hat 7
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Red Hat 8
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 16.04 LTS
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 18.04 LTS
```
$ sudo cp <web_server.crt> /etc/ssl/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Copy your fake PEM private key to the required location for your platform.
Amazon Linux
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
Amazon Linux 2
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
CentOS 7
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
CentOS 8
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
Red Hat 7
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
Red Hat 8
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
Ubuntu 16.04 LTS
```
$ sudo cp <web_server_fake_PEM.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.
Ubuntu 18.04 LTS
```
$ sudo cp <web_server_fake_PEM.key> /etc/ssl/private/localhost.key
```
Replace <web_server_fake_PEM.key> with the name of the file that contains your fake PEM private key.

Change ownership of these files if required by your platform.

Amazon Linux


$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key