Install NGINX with DSA Server
NGINX is a lightweight web server that serves multiple purposes: it can act as a proxy server, a load balancer, and a microservices delivery platform.
There are a couple of use cases in which you may decide to install NGINX as a proxy web server in front of the DSA Server.
- There are multiple applications hosted on the same server that use different domain names. However, they all use the same default HTTP(S) ports 80 and 443. NGINX can listen on the default ports and route requests to backend applications depending on the domain name.
- You want finer control over the SSL configuration, using NGINX settings in place of the capabilities of the DSA Server. This is required if you prefer to allow only specific ciphers and protocol versions.
This tutorial assumes that you already have your DSA Server installed in /opt/dsa/dglux-server.
apt update
apt upgrade
apt-get install nginx
Open the main NGINX configuration file, nginx.conf, and make it look like this:
nano /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    client_max_body_size 64M;
    proxy_buffers 16 16k;
    proxy_buffer_size 16k;
    server_names_hash_bucket_size 128;
    server_name_in_redirect on;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.2; # Dropping SSLv3 and TLS < 1.2, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
The configuration below allows only HTTPS connections and issues a 301 redirect for any request made over HTTP.
nano /etc/nginx/sites-available/dglux.conf
# Send "Connection: upgrade" to the backend only when the client asked for a
# protocol upgrade; otherwise leave the Connection header empty.
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' '';
}

# DSA Server backend, reached over HTTPS on the local port 8443.
upstream dglux {
    server localhost:8443 max_fails=0 fail_timeout=30s;
    keepalive 32;
}

# Plain HTTP: redirect every request to HTTPS.
server {
    listen 80 default_server;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}

# HTTPS: terminate TLS here and proxy to the DSA Server.
server {
    listen 443 ssl default_server;
    server_name your-domain.com;

    ssl_certificate /opt/dsa/dglux-server/certs/yourCert.pem;
    ssl_certificate_key /opt/dsa/dglux-server/certs/yourCertKey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;
    charset utf-8;

    location / {
        proxy_pass https://dglux;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }

    # WebSocket endpoint: forward the Upgrade and Connection headers.
    location /ws {
        proxy_pass https://dglux;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location /.well-known {
        root /var/www/ssl-verify;
    }

    # Strip the /editor/ prefix; the rewritten URI is then matched against
    # the locations again.
    location /editor {
        rewrite ^/editor/(.*)$ /$1 last;
        proxy_pass https://dglux;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $http_host;
    }
}
ln -s /etc/nginx/sites-available/dglux.conf /etc/nginx/sites-enabled/dglux.conf
rm /etc/nginx/sites-enabled/default
nginx -t
The command should report that the configuration is OK:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
If you started the DSA Server from its folder, stop it with:
/opt/dsa/dglux-server/bin/daemon.sh stop
or, if you run it as a service:
service dsa stop
nano /opt/dsa/dglux-server/server.json
Update port to 8080 and httpsPort to 8443. Save and close.
service nginx start
If you started the DSA Server from its folder, start it again with:
/opt/dsa/dglux-server/bin/daemon.sh start
or, if you run it as a service:
service dsa start
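To confirm that no included file re-enables older protocol versions once the steps above are complete, the following added example (not part of the original tutorial) scans an NGINX configuration dump for ssl_protocols directives. The function names, the allowed list (TLSv1.2 plus TLSv1.3) and the legacy.conf sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Reads NGINX configuration text on stdin and prints every ssl_protocols
# value outside the allowed list. Exit status: 0 = clean, 1 = weak protocol
# found, 2 = no ssl_protocols directive present at all.
ALLOWED_PROTOCOLS="TLSv1.2 TLSv1.3"   # assumption: TLSv1.3 is also acceptable

audit_ssl_protocols() {
    awk -v allowed="$ALLOWED_PROTOCOLS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # "nginx -T" prefixes each dumped file with "# configuration file <path>:"
        /^# configuration file / { file = $4; sub(/:$/, "", file); line = 0; next }
        {
            line++
            sub(/#.*/, "")                  # drop trailing comments
            if ($1 != "ssl_protocols") next
            seen = 1
            for (i = 2; i <= NF; i++) {
                proto = $i; sub(/;$/, "", proto)
                if (proto != "" && !(proto in ok)) {
                    printf "%s:%d: weak protocol %s\n", (file ? file : "stdin"), line, proto
                    bad++
                }
            }
        }
        END {
            if (!seen) { print "no ssl_protocols directive found"; exit 2 }
            exit (bad > 0)
        }'
}

# Constructed sample dump: the nginx.conf setting from this page plus a
# hypothetical conf.d file that quietly re-enables TLS 1.0 and 1.1.
sample_nginx_dump() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1.2; # Dropping SSLv3 and TLS < 1.2, ref: POODLE
    include /etc/nginx/conf.d/*.conf;
}
# configuration file /etc/nginx/conf.d/legacy.conf:
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}
```

On the server, pipe the full effective configuration into the function with `nginx -T | audit_ssl_protocols`; the `-T` option tests the configuration like `-t` and also dumps every included file.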