How To Configure Nginx with SSL as a Reverse Proxy for Mirth

Introduction — Nginx with SSL package

In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware.

Mirth Connect supports sending and receiving healthcare messages over HTTP. Our web servers act as reverse proxies, shielding application frameworks that have weaker HTTP capabilities. An SSL termination proxy is a proxy server that handles incoming SSL connections, decrypts them, and passes the unencrypted request on to the Mirth HTTP listeners. SSL termination proxies are used in front of servers that do not support SSL themselves, such as Mirth Connect. Alternatively, one can use the commercially supported version of Mirth.

OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping.

Step One — Install Nginx

This part of the article assumes some familiarity with Linux commands, a working Mirth installation, and an Ubuntu installation. First get root privileges with $ su or $ sudo bash.

Update your package lists and install Nginx:

sudo apt-get update
sudo apt-get install nginx

Step One, Alternative Method — Compile OpenSSL and Nginx

First get dependency packages.

sudo apt-get update
sudo apt-get install make
sudo apt-get install gcc
sudo apt-get install libpcre3-dev
sudo apt-get install zlibc
sudo apt-get install zlib1g
sudo apt-get install zlib1g-dev

Next install from sources.

# Install OpenSSL. (The OpenSSL tarball ships a lowercase ./config script; there is no ./configure.)

wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz
tar xzvf openssl-1.1.0g.tar.gz
cd openssl-1.1.0g/
./config
make
make install
ldconfig
cd ..

# Install Nginx.
# To build against the OpenSSL compiled above instead of the system library,
# add --with-openssl=../openssl-1.1.0g to the ./configure line.

wget https://nginx.org/download/nginx-1.12.2.tar.gz
tar xzvf nginx-1.12.2.tar.gz
cd nginx-1.12.2/
./configure --with-http_ssl_module --with-stream_ssl_module
make
make install

Step Two — Configure Nginx

You need the server certificate (with its intermediate chain) and the private key in .pem format. Nginx reads the private key from a separate file (ssl_certificate_key below), so only the certificate files are concatenated. If the certificate and the chain are two separate files, simply concatenate them, server certificate first:

cat /etc/ssl/private/certificate.crt /etc/ssl/private/certificate_chain.crt > /etc/ssl/private/certificate_nginx.pem

Next you will need to edit the default Nginx configuration file.

sudo vim /usr/local/nginx/conf/nginx.conf

Please note that the following properties may vary between installations.

1. Nginx server port
2. Mirth server port
3. Server name
4. access_log and optional error_log
5. SSL certificates
6. password protection (auth_basic)
7. proxied server port and name
8. HTTP headers including an X-Real-IP header

For our configuration we have set up password authentication with Nginx. The X-Real-IP header carries the original client address and is used by the Mirth services.

server {
        ### server port and name ###
        listen          0.0.0.0:18082;
        ssl             on;
        server_name     api.engagedmd.com;

        ### Disable access and error logging ###
        access_log off;

        ### SSL cert files ###
        ssl_certificate      /etc/ssl/private/certificate_nginx.pem;
        ssl_certificate_key  /etc/ssl/private/certificate.key;

        ### Add SSL specific settings here ###
        ssl_protocols        SSLv3 TLSv1;
        ssl_ciphers          RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        keepalive_timeout    60;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        ### Terminate SSL here and proxy plain HTTP to the Mirth listener ###
        location / {
                auth_basic "Restricted";
                auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

                proxy_pass  http://127.0.0.1:18081;

                ### Try the next upstream if a backend is down or returns an error ###
                proxy_next_upstream error timeout invalid_header http_500 http_503;

                ### Set headers ###
                proxy_set_header        Accept-Encoding   "";
                proxy_set_header        Host              $host;
                proxy_set_header        X-Real-IP         $remote_addr;
                proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                add_header              Front-End-Https   on;

                ### By default we don't want to rewrite backend redirects ###
                proxy_redirect     off;
        }
}
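A hardened version of the same server block, added here as an example and not part of the original article. It keeps the ports, names and certificate paths above but drops SSLv3 and RC4, which are obsolete and should not be enabled on a proxy carrying healthcare data, and re-enables logging so client addresses are available when investigating an incident. It assumes the nginx 1.12.2 build from Step One (TLSv1.3 can be added to ssl_protocols once nginx 1.13 and OpenSSL 1.1.1 or later are in use); the log file paths are assumptions.

```nginx
server {
        # "ssl" on the listen line replaces the older "ssl on;" directive
        listen          0.0.0.0:18082 ssl;
        server_name     api.engagedmd.com;

        ssl_certificate      /etc/ssl/private/certificate_nginx.pem;
        ssl_certificate_key  /etc/ssl/private/certificate.key;

        # TLS 1.2 only with forward-secret AEAD suites; no SSLv3, TLS 1.0 or RC4
        ssl_protocols        TLSv1.2;
        ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        # Session tickets would need key rotation to preserve forward secrecy
        ssl_session_tickets  off;
        keepalive_timeout    60;

        # Tell clients to keep using HTTPS for this host
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Keep logs (assumed paths) so the X-Real-IP values can be correlated with Mirth's own logs
        access_log /var/log/nginx/mirth_access.log;
        error_log  /var/log/nginx/mirth_error.log warn;

        location / {
                auth_basic "Restricted";
                auth_basic_user_file /usr/local/nginx/conf/.htpasswd;

                proxy_pass  http://127.0.0.1:18081;
                proxy_next_upstream error timeout invalid_header http_500 http_503;

                proxy_set_header        Host              $host;
                proxy_set_header        X-Real-IP         $remote_addr;
                proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;
                proxy_redirect          off;
        }
}
```

Run nginx -t after editing to have Nginx validate the file before restarting the service.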

Step Three — Start service

You might also want to import the certificate into the Mirth keystore, which secures the Mirth Connect Administrator page. When openssl prompts for an export password, use the same value that is passed to -srcstorepass below.

openssl pkcs12 -export -in certificate.crt -inkey certificate.key -out pkcs.p12 -name mirthconnect
keytool -importkeystore -deststorepass 81uWxplDtB -destkeypass 81uWxplDtB -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass 81uWxplDtB -alias mirthconnect

You can run Nginx as a service.

sudo wget https://raw.githubusercontent.com/JasonGiedymin/nginx-init-ubuntu/master/nginx -O /etc/init.d/nginx
sudo chmod +x /etc/init.d/nginx

Once you have started Nginx, you can securely access the Mirth Connect service over an SSL connection.

service nginx start