
Details about how Nginx works with SSL on Google Compute Engine

I have successfully deployed my Spring Boot app to Compute Engine on Ubuntu 18.04. It is behind an Nginx proxy, but currently Nginx is listening on port 80, which is HTTP. I need to set up a secure connection. I have questions about a few details; I'm new to this, and all I've done so far is write Spring Boot/React JS apps on Windows, in an IDE.

  1. Is it necessary to buy a domain for my Compute Engine instance, or can I just make SSL for the external IP of Compute Engine? On Compute Engine only the back-end REST API is deployed; the front end is on Netlify and it's already working. I don't need a good-sounding domain name for the back end because users won't see it; only the front-end app will use the external IP of my Compute Engine instance to fetch data from the back end.
  2. I have seen guides that set up SSL in the settings of Nginx. Why is that? Isn't the request first coming to Compute Engine's external IP and only after that to Nginx? Isn't it the job of Compute Engine to do the secure connection by sending the public key and certificate to the front end and only then relay the request to Nginx? Or does Compute Engine simply relay the HTTPS request that comes to it to Nginx right away, without securing it/doing any key and certificate sending?

You can give some advice if you have any; I'm just trying to make a secure connection to my back-end Spring Boot app, which is behind Nginx on Google Compute Engine and currently works only with HTTP but not HTTPS.

1. Technically you're able to have an SSL certificate for a public IP, but it's rarely used. You can find more details in RFC 5280 and in this question.

Keep in mind that if your IP address changes, your SSL certificate becomes useless.

I've checked a few SSL providers and found that you should be the owner of the IP to obtain such an SSL certificate:

  • according to the article Using an IP Address in an SSL Certificate posted by geocerts:

    If you decide that you really need an IP in your cert there are specific stipulations, conditions, and limitations to consider. The biggest hurdle for most folks is that the IP address must be specifically assigned to your company or organization (not your ISP or hosting provider) as verified by an IP WHOIS lookup.

  • according to the article Issuing SSL certificate for an IP address by LeaderSSL:

    Quite frequent question: is it possible to issue an SSL certificate for an IP address (and not for a domain name)? Yes, it is possible. However, there are several requirements:

    • Only OV SSL certificates can be issued;
    • The company must own IP address (validation based on WHOIS information of IP-addresses).
  • the same in the article WHAT IS AN IP ADDRESS SSL CERTIFICATE?:

    An IP address SSL certificate secures connections directly with the IP address submitted. Whereas typically an SSL certificate is issued to a Fully Qualified Domain Name (FQDN), some organisations may need to secure an IP address.

    Only public IP addresses may be used and you must be the owner of the IP address according to the records at RIPE.

As a result, in practice it's almost impossible in the case of a GCE VM instance, and it's easier to proceed with a domain certificate.

2. In GCE all connections to the external IP of a VM instance are passed through directly to the VM instance. GCE isn't able to secure connections on its own. You should configure the SSL certificate on the VM instance. You can find more details in the documentation VPC network overview and IP Addresses.

In addition, you're able to use Google-managed SSL certificates or your own SSL certificates on external HTTP(S) load balancers.
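The following is an added example of what "configure the SSL certificate on the VM instance" looks like in practice; it is not part of the original question or answer. It is an Nginx configuration that terminates TLS on the GCE VM itself and proxies to the Spring Boot app on localhost. The domain name `api.example.com`, the certificate paths (the certbot/Let's Encrypt defaults) and the back-end port 8080 are assumptions, not values from the page.

```nginx
# Added example, not from the original post: Nginx terminating TLS on the GCE VM
# and reverse-proxying to Spring Boot. Assumed: api.example.com resolves to the
# VM's external IP, a certificate was obtained for it (certbot default paths),
# and Spring Boot listens on 127.0.0.1:8080. The VPC firewall must also allow
# tcp:443 to the VM (the "Allow HTTPS traffic" option / https-server tag).

# Plain HTTP only redirects to HTTPS; nothing is served over port 80.
server {
    listen 80;
    listen [::]:80;
    server_name api.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.example.com;

    # The certificate chain and private key presented to clients.
    ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    # Only TLS 1.2 and 1.3; TLS 1.0/1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Ask browsers to use HTTPS only for this host from now on.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Backend traffic stays on the loopback interface of the same VM.
        proxy_pass http://127.0.0.1:8080;

        # Pass the original host/scheme/client IP so redirects and logs in
        # Spring Boot use https:// and the real client address
        # (enable with server.forward-headers-strategy=native).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After saving the file, run `nginx -t` to check the syntax and `systemctl reload nginx` to apply it. On the Spring Boot side, setting `server.address=127.0.0.1` in `application.properties` keeps port 8080 off the external interface so the only way in is through Nginx on 443. A front end served over HTTPS from Netlify cannot call a plain `http://` API from the browser (mixed content is blocked), so the back end must be reachable as `https://api.example.com` for the front end to work, which is the reason for this setup.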
