NGINX

Nginx as Reverse Proxy

Any reverse proxy can be used, including on-system solutions like nginx and haproxy, or network-based ones like F5, etc. This document focuses on nginx for its ease of configuration and broad adoption.

Install nginx

There are plenty of instructions on how to set up nginx on Ubuntu 18.04, but this simple set of instructions should suffice:

sudo apt-get update
sudo apt-get install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx

Configuring nginx as proxy

Getting an SSL/TLS certificate is not covered here. It is presumed that the reverse proxy will have TLS certs in place, but there are numerous paths to get this done. If looking for a cert provider, check out Let’s Encrypt. These instructions assume the added configuration goes inside an SSL/TLS server stanza.

Proxy Upstream Definition

Create a new file (as root via sudo most likely) called /etc/nginx/conf.d/upstream.conf. For example:

sudo vi /etc/nginx/conf.d/upstream.conf

And in this file populate it with the following:

upstream qfab {
    server unix:/tmp/qfab.socket fail_timeout=1 max_fails=1;
}

upstream eth {
    server 127.0.0.1:8545 fail_timeout=1 max_fails=1;
}

proxy_next_upstream error;

These values should look familiar as they are the API and socket endpoints defined in the elvmasterd TOML and the qfab JSON. The /tmp/qfab.socket socket needs to be readable by the nginx process, which is usually owned by the www-data user. Making the socket group or world readable is safe.
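
A permission check for the socket, as an added example that is not part of the original instructions: it reports whether a given user (www-data here) can connect and whether every local account can. On Linux the bit that governs connecting to a Unix socket is the write bit on the socket file, so that is what the check tests. The function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Linux, where connect()
# on a Unix socket requires WRITE permission on the socket file.

# can_connect MODE OWNER GROUP USER "USER_GROUPS"
# MODE is octal as printed by `stat -c %a`. Returns 0 if USER may connect.
can_connect() {
    cc_mode=$((0$1))
    [ "$4" = root ] && return 0
    if [ "$4" = "$2" ]; then                  # owner class is checked first
        [ $((cc_mode & 0200)) -ne 0 ]; return $?
    fi
    case " $5 " in                            # then the group class
        *" $3 "*) [ $((cc_mode & 0020)) -ne 0 ]; return $? ;;
    esac
    [ $((cc_mode & 0002)) -ne 0 ]             # otherwise "other"
}

# audit_socket PATH USER
# Returns 0 = USER can connect and access is limited, 1 = USER cannot connect,
# 2 = USER can connect but so can every local account, 3 = could not inspect.
audit_socket() {
    [ -S "$1" ] || { echo "$1: not a socket"; return 3; }
    as_stat=$(stat -c '%a %U %G' "$1") || return 3      # GNU stat (assumption)
    as_mode=${as_stat%% *}
    as_rest=${as_stat#* }
    as_owner=${as_rest% *}
    as_group=${as_rest#* }
    as_groups=$(id -Gn "$2") || return 3
    if ! can_connect "$as_mode" "$as_owner" "$as_group" "$2" "$as_groups"; then
        echo "$1: $2 cannot connect (mode $as_mode $as_owner:$as_group)"
        return 1
    fi
    if [ $((0$as_mode & 0002)) -ne 0 ]; then
        echo "$1: $2 can connect, and so can every local user (mode $as_mode)"
        return 2
    fi
    echo "$1: ok, $2 can connect (mode $as_mode $as_owner:$as_group)"
}

# Usage: sh check_socket.sh /tmp/qfab.socket www-data
if [ $# -ge 2 ]; then
    audit_socket "$1" "$2"
fi
```
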

Proxy Definitions

The specific file used here is the most common way to set this up. If Virtual Hosts are used, or more complex configuration is done, adapt these instructions accordingly.

Edit the file (as root via sudo most likely) called /etc/nginx/sites-enabled/default. For example:

sudo vi /etc/nginx/sites-enabled/default

And in this file find the server stanza that defines the host using SSL. For example, it would look like so:

server {
    listen 192.168.100.200:443 ssl;
    server_name superfake.example.com;

Inside this stanza, add the following lines:

proxy_read_timeout      300s;
proxy_set_header        Host $host;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header        X-Forwarded-Proto $scheme;
proxy_buffering         off;

location / {
    proxy_pass              http://qfab;
    client_max_body_size    2G;
}

location /eth {
    proxy_pass              http://eth;
}

location /eth/ {
    proxy_pass              http://eth;
}

It is also a good idea to do an HTTP 301 redirect in the stanza defining HTTP/port 80 access to the same host. For example, this would configure the redirect:

server {
    listen 192.168.100.200:80;
    server_name superfake.example.com;
    return 301 https://superfake.example.com$request_uri;
}