Preparing the initial installation
nevisProxy is packaged with a set of configuration templates. When running nevisProxy for the first time, a handover procedure installs these configuration templates and performs further validation and configuration steps.
Additionally, as a secure reverse proxy, nevisProxy needs a server certificate to be able to identify itself when communicating with its clients using TLS. This server certificate may be
- generated locally by using the nevisKeybox, or
- acquired by sending a locally generated certificate request to a CA for signing and installing the returned certificate.
When installing nevisProxy for the first time, the following additional steps are required:
- Create initial configuration:
nevisproxy inst create <name of the instance>
There are several instance paramaters which might be specified to customize the configuration generated by the templates. Use the "nevisproxy inst create help" command to get a list of all available variables.
- Option 1: To generate a self-signed server certificate (for testing purposes or to be used until you receive the final key material) use the built-in nevisProxy command.
nevisproxy <name of the instance> cert create
If you do not specify an instance in the above command, nevisProxy calls the "default" instance.
- Option 2 (recommended): Use the nevis-Keybox to generate an RSA key pair and a certificate request and install the signed certificate or create an RSA key pair, CA and node certificate locally. For further information about usage scenarios and configuration tasks related to certificate administration, refer to the chapterIntegrationof thenevisKeybox Reference Guide.
The key material needs to be configured with the TLS nodes of your connectors within the navajo.xml file. The SSLCertificateKeyFile attribute defines the server's private key and certificate while the SSLCertificateFile attribute defines the trust store containing the CA certificate chain which had issued your server's certificate. See the table TLS configuration about the available parameters for your TLS settings.
- Start the server and connect to the preconfigured test location using the OpenSSL tool (locally) or a browser (using URL https://www.company.com/test/):
nevisproxy start
/opt/nevisproxy/bin/openssl s_client -connect www.company.com:443
....
GET /test/ HTTP/1.1
Host: www.company.com
- Perform server and cache scaling as documented in the chapter Scaling.