NGINX Proxy & HTTPS
Context
The following documentation provides a baseline for configuring NGINX to handle SSL termination and proxy requests to beVault in a Linux environment. It is not intended as a comprehensive approach to NGINX, proxying, or reverse proxying in general. Modify the configuration as necessary for your infrastructure.
Proxy and SSL termination can be implemented with solutions other than NGINX, but any such solution requires the following setup:
Set up the SSL termination proxy (Nginx termination example)
Set up the proxying itself (Nginx proxying example)
Your SSL termination proxy should also automatically redirect non-secure connections to the secure port
This documentation assumes the following:
An existing NGINX deployment
An existing beVault deployment
A DNS hostname which uniquely identifies the beVault deployment, e.g. bevault.local (localhost if deployed on the same server; a private IP address is fine too)
Prerequisites
In your DNS, create or configure separate, unique subdomain records for the beVault UI and for the States component.
For example, given the root domain example.net:
Proxy requests to the subdomain bevault.example.net to the beVault UI listening on http://bevault.local:8080
Proxy requests to the subdomain states.example.net to the States component listening on http://bevault.local:5500
Configuration
The following upstream, server and location blocks provide a template for further customization in your own environment:
upstream data_factory {
    server bevault.local:8080;
}

upstream states {
    server bevault.local:5500;
}

server {
    listen 80;
    server_name bevault.example.net;
    rewrite ^ https://bevault.example.net$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name bevault.example.net;

    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/bevault_access.log;
    error_log /var/log/nginx/bevault_error.log;

    location / {
        proxy_pass http://data_factory;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    server_name states.example.net;
    rewrite ^ https://states.example.net$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name states.example.net;

    ssl_certificate /etc/ssl/nginx/server.crt;
    ssl_certificate_key /etc/ssl/nginx/server.key;
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/states_access.log;
    error_log /var/log/nginx/states_error.log;

    location / {
        proxy_pass http://states;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
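As an added example (not part of the beVault documentation or of NGINX), the following Python checker parses an nginx configuration and flags the three properties the template above relies on: every port-80 server redirects to https, ssl_protocols is limited to TLSv1.2 and TLSv1.3, and the Strict-Transport-Security header is sent with "always" so it is also present on error responses. The parser and the trimmed sample configuration are written for this example and assume the directive layout shown above.

```python
import re
# Constructed sample, trimmed from the configuration above to the directives audited here.
SAMPLE_CONF = """server {
  listen 80;
  server_name bevault.example.net;
  rewrite ^ https://bevault.example.net$request_uri? permanent;
}
server {
  listen 443 ssl;
  server_name bevault.example.net;
  ssl_protocols TLSv1.2 TLSv1.3;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
"""
# One token per quoted string, brace, semicolon or bare word (comments are not handled).
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(text):  # -> nested (name, args, children) tuples; children is None for a simple directive
    stack, cur = [[]], []
    for tok in TOKEN.findall(text):
        if tok in ("{", ";"):
            node = (cur[0], cur[1:], [] if tok == "{" else None)
            stack[-1].append(node)
            if tok == "{":
                stack.append(node[2])
            cur = []
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok.strip("\"'"))
    return stack[0]

def audit(text):  # -> list of findings; an empty list means every check passed
    findings = []
    for name, _, body in parse(text):
        if name != "server":
            continue
        d = {n: a for n, a, b in body if b is None}  # simple directives, last one wins
        host = d.get("server_name", ["?"])[0]
        if "ssl" not in d.get("listen", []):
            # A plain-HTTP vhost's only job is to redirect to the HTTPS site.
            if not any("https://" in x for x in d.get("rewrite", d.get("return", []))):
                findings.append(f"{host}: port-80 server does not redirect to https")
            continue
        legacy = set(d.get("ssl_protocols", ["<nginx default>"])) - {"TLSv1.2", "TLSv1.3"}
        if legacy:
            findings.append(f"{host}: ssl_protocols allows {sorted(legacy)}")
        hsts = [a for n, a, b in body if n == "add_header" and a[:1] == ["Strict-Transport-Security"]]
        if not hsts or "always" not in hsts[0]:
            findings.append(f"{host}: HSTS header missing or not sent with 'always'")
    return findings
```

Run audit() over your own nginx.conf (or the output of nginx -T) before reloading; it complements, rather than replaces, nginx -t, which only checks syntax.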
Go further
Harden your NGINX configuration:
Generate recognized certificates with Let's Encrypt and certbot: