NGINX
Nginx as Reverse Proxy
Any reverse proxy can be used, including on-system solutions like nginx and haproxy, or network-based ones like F5, etc. This document focuses on nginx for its ease of configuration and broad adoption.
Install nginx
There are plenty of instructions on how to set up nginx on Ubuntu 18.04, but this simple set of instructions should suffice:
sudo apt-get update
sudo apt-get install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx
Configuring nginx as proxy
Getting an SSL/TLS certificate is not covered here. It is presumed that the reverse proxy will have TLS certs in place, but there are numerous paths to get this done. If looking for a cert provider, check out Let’s Encrypt. These instructions assume the added configuration goes in an SSL/TLS stanza of the configuration.
Proxy Upstream Definition
Create a new file (as root via sudo most likely) called /etc/nginx/conf.d/upstream.conf. For example:
sudo vi /etc/nginx/conf.d/upstream.conf
Populate this file with the following:
upstream qfab {
    server unix:/tmp/qfab.socket fail_timeout=1 max_fails=1;
}
upstream eth {
    server 127.0.0.1:8545 fail_timeout=1 max_fails=1;
}
proxy_next_upstream error;
These values should look familiar as they are the API and socket endpoints defined in the elvmasterd TOML and the qfab JSON. The /tmp/qfab.socket socket needs to be readable by the nginx process, which is usually owned by the www-data user. Making the socket group or world readable is safe.
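One way to check the socket permission requirement above before reloading nginx, as an added example that is not part of the original instructions. The function names socket_access and check_upstream_socket are hypothetical; the socket path and the www-data user are the ones named above, and GNU stat and id (as shipped on Ubuntu) are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): can the nginx worker user reach
# the upstream Unix socket? Assumes GNU stat/id (Ubuntu); ignores ACLs and root.

# socket_access TYPE MODE OWNER GROUP USER "USER_GROUPS"
# Prints the permission class that grants access (owner|group|other) and
# returns 0; otherwise prints the reason and returns 1.
socket_access() {
    ftype=$1 mode=$2 owner=$3 group=$4 user=$5 user_groups=$6
    [ "$ftype" = "socket" ] || { echo "not-a-socket"; return 1; }
    # Normalise to exactly three octal digits (stat prints 1777, 660, 66, 0).
    perms=$mode
    while [ "${#perms}" -gt 3 ]; do perms=${perms#?}; done
    while [ "${#perms}" -lt 3 ]; do perms=0$perms; done
    rest=${perms#?}
    # The kernel applies exactly one class: owner first, then group, then other.
    if [ "$user" = "$owner" ]; then
        class=owner digit=${perms%??}
    else
        case " $user_groups " in
            *" $group "*) class=group digit=${rest%?} ;;
            *)            class=other digit=${perms#??} ;;
        esac
    fi
    # The page asks for read access; Linux connect() on a Unix socket also
    # needs write permission, so require both bits (octal 6 or 7).
    case $digit in
        6|7) echo "$class"; return 0 ;;
        *)   echo "denied-$class"; return 1 ;;
    esac
}

# check_upstream_socket [PATH] [USER]: gather the live values and decide.
check_upstream_socket() {
    path=${1:-/tmp/qfab.socket} user=${2:-www-data}
    ftype=$(stat -c %F "$path") || return 2
    socket_access "$ftype" "$(stat -c %a "$path")" "$(stat -c %U "$path")" \
        "$(stat -c %G "$path")" "$user" "$(id -Gn "$user")"
}

# Run against the live system only when arguments are given, e.g.:
#   sh check_socket.sh /tmp/qfab.socket www-data
if [ "$#" -gt 0 ]; then check_upstream_socket "$@"; fi
```

The printed class shows whether access comes from the group bits or the world bits, which is the choice the paragraph above leaves to the operator.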
Proxy Definitions
The specific file used here is the most common way to set this up. If Virtual Hosts are used, or more complex configuration is done, adapt these instructions accordingly.
Edit the file (as root via sudo most likely) called /etc/nginx/sites-enabled/default. For example:
sudo vi /etc/nginx/sites-enabled/default
And in this file find the server stanza that defines the host using SSL. For example, it would look like so:
server {
    listen 192.168.100.200:443 ssl;
    server_name superfake.example.com;
Inside this stanza, add the following lines:
proxy_read_timeout 300s;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;
location / {
    proxy_pass http://qfab;
    client_max_body_size 2G;
}
location /eth {
    proxy_pass http://eth;
}
location /eth/ {
    proxy_pass http://eth;
}
It is also a good idea to do an HTTP 301 redirect in the stanza defining HTTP/port 80 access to the same host. For example, this would configure the redirect:
server {
    listen 192.168.100.200:80;
    server_name superfake.example.com;
    return 301 https://superfake.example.com$request_uri;
}