NetworkManager dnsmasq - NGINX + Localhost

Jan 1, 2021

This post is an overview of my configs for using custom domains with my local NGINX instance over SSL/HTTPS.

Forward DNS requests to localhost

Create a dnsmasq conf:

/etc/NetworkManager/dnsmasq.d/lh.conf

address=/lh/127.0.0.1

Any domain.lh lookup now resolves to localhost, where NGINX handles the request.

Setup a Trusted SSL Certificate

I use a self-signed cert so that my localhost pages get a nice Connection secure padlock.

Create /etc/nginx/ssl

OpenSSL Config

lh.cnf

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[req_distinguished_name]
C = CA
ST = Ontario
L = Ottawa
O = Localhost CA
OU = Development
CN = lh

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1 = hugo.lh
DNS.2 = startpage.lh

The alt_names section lists every subdomain you'd like to use; the cert is valid only for the names listed here.

Root Certification Authority

I create a RootCA for signing my cert. This RootCA can later be added to the system so that Firefox automatically trusts the cert without having to accept it manually.

# Create the private key
$ sudo openssl genrsa -out /etc/nginx/ssl/rootCA.key 2048

# Create the PEM cert
$ sudo openssl req -x509 -new -nodes -key /etc/nginx/ssl/rootCA.key -sha256 -days 3650 -out /etc/nginx/ssl/rootCA.pem

SSL Certificates

# Create the private key and CSR
$ sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/lh.key -out /etc/nginx/ssl/lh.csr -config lh.cnf

# Create cert using rootCA
$ sudo openssl x509 -req -in /etc/nginx/ssl/lh.csr -CA /etc/nginx/ssl/rootCA.pem -CAkey /etc/nginx/ssl/rootCA.key -CAcreateserial -out /etc/nginx/ssl/lh.crt -sha256 -days 3650 -extfile lh.cnf -extensions v3_ca

Adding Trusted CA to System

On Arch Linux or Fedora, p11-kit can be used to add the RootCA system-wide.

$ sudo trust anchor --store /etc/nginx/ssl/rootCA.pem

NGINX

Create the initial NGINX config.

/etc/nginx/nginx.conf

worker_processes 1;

events
{
    worker_connections 1024;
}

http
{
    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;
}

SSL

Configure NGINX to use SSL and redirect http → https.

http
{
    ...

    ssl_certificate ssl/lh.crt;
    ssl_certificate_key ssl/lh.key;

    server
    {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }
}

Proxy Config

Common proxy headers, included by the server blocks that proxy to a backend.

/etc/nginx/proxy.conf

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Startpage

I use NGINX to host my Startpage locally at startpage.lh.

http
{
    ...

    server
    {
        listen 443 ssl;
        server_name startpage.lh;
        root /home/tryton-vanmeer/Code/Startpage/;
    }
}

Hugo

I use hugo.lh to access hugo’s server while developing hugo websites.

http
{
    ...

    server
    {
        listen 443 ssl;
        server_name hugo.lh;

        location /
        {
            proxy_pass http://localhost:1313;
            include proxy.conf;
        }

        location /livereload
        {
            proxy_pass http://localhost:1313;
            include proxy.conf;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
    }
}

And I run hugo as such:

$ hugo serve --baseURL http://hugo.lh --appendPort=false --liveReloadPort=443 --buildDrafts