Blog | G5 Cyber Security

Secure Server Communication with TLS

G5 Cyber Security

TL;DR

This guide shows you how to set up secure communication between two servers using Transport Layer Security (TLS). This means all data sent is encrypted, protecting it from eavesdropping. We’ll cover generating certificates, configuring your servers, and verifying the connection.

Setting Up Secure Server Communication with TLS

  1. Generate Certificates: You need a certificate authority (CA) to issue certificates for both servers. For testing, you can create a self-signed CA.
    • Create a root CA key: 
      openssl genrsa -out ca.key 2048
    • Create a root CA certificate: 
      openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt
    • Generate a server key for Server A: 
      openssl genrsa -out serverA.key 2048
    • Create a Certificate Signing Request (CSR) for Server A: 
      openssl req -new -key serverA.key -sha256 -out serverA.csr
    • Sign the CSR with your root CA to create Server A’s certificate: 
      openssl x509 -req -in serverA.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out serverA.crt -days 365 -sha256
    • Repeat the key and CSR generation for Server B (serverB.key, serverB.csr) and sign it to create Server B’s certificate (serverB.crt).
  2. Configure Server A: This example uses Nginx as a reverse proxy.
    • Edit your Nginx configuration file (e.g., /etc/nginx/nginx.conf or a site-specific config). 
      server {
  listen 443 ssl;
  server_name serverA.example.com;

  ssl_certificate /path/to/serverA.crt;
  ssl_certificate_key /path/to/serverA.key;

  # Trust the root CA certificate for Server B's verification.
  ssl_trusted_certificate /path/to/ca.crt;

  location / {
    proxy_pass https://serverB.example.com; 
  }
}
    • Restart Nginx: 
      sudo systemctl restart nginx
  3. Configure Server B: Similar to Server A, using Nginx.
    • Edit your Nginx configuration file. 
      server {
  listen 443 ssl;
  server_name serverB.example.com;

  ssl_certificate /path/to/serverB.crt;
  ssl_certificate_key /path/to/serverB.key;

  # Trust the root CA certificate for Server A's verification.
  ssl_trusted_certificate /path/to/ca.crt;

  location / {
    proxy_pass https://serverA.example.com; 
  }
}
    • Restart Nginx: 
      sudo systemctl restart nginx
  4. Verify the Connection:
    • From Server A, use curl to test the connection to Server B. 
      curl -v https://serverB.example.com

      Check the output for TLS handshake information and certificate verification details. Look for ‘verified’ in the output.

    • From Server B, use curl to test the connection to Server A. 
      curl -v https://serverA.example.com

      Again, verify TLS handshake and certificate verification.

  5. Important Considerations:
    • Firewall Rules: Ensure your firewalls allow traffic on port 443 between the servers.
    • DNS Records: Make sure DNS records for serverA.example.com and serverB.example.com point to their respective IP addresses.
    • Certificate Renewal: Self-signed certificates expire. Automate renewal or use a proper CA.
    • Mutual TLS (mTLS): For increased security, consider mTLS where both servers verify each other’s certificates before establishing a connection. This requires configuring both servers to request client certificates.
Exit mobile version