How to add an Nginx reverse proxy in front of asperanoded

Description

Nginx can be configured to act as a reverse proxy for Node API communication (asperanoded).

A reverse proxy can be advantageous because it often provides additional protection (such as against DoS attacks) and resource handling for requests.

Nginx offers these features as a reverse proxy and is relatively simple to set up.

Instructions

The following instructions are for Linux systems that have Nginx installed, and assume you have valid certificates for your transfer server system.

1. Set the asperanoded port to 9091

Because the asperanoded port on your transfer server won't be directly exposed to the outside world, it is recommended to use HTTP for traffic from the proxy to your transfer server. Use the following commands to disable HTTPS, enable HTTP, set the HTTP port, and make asperanoded accept connections only on the local loopback address:

# asconfigurator -x "set_server_data;enable_https,false"
# asconfigurator -x "set_server_data;enable_http,true"
# asconfigurator -x "set_server_data;http_port,9091"
# asconfigurator -x "set_server_data;listen,127.0.0.1:9091"

2. Open your Nginx conf file in a text editor:

  • /etc/nginx/nginx.conf

Ensure that the include directive below is included in the http section (it’s usually near the bottom). If it is not present, add it:

http {

    include /etc/nginx/conf.d/*.conf;
}

3. Create a file named aspera_node_proxy.conf at the following location:

  • /etc/nginx/conf.d/aspera_node_proxy.conf

In this file, paste the following content:

server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    listen 9092 ssl;
    server_name your_server_name.com;

    ssl_certificate /path/to/server_cert.pem;
    ssl_certificate_key /path/to/server_key.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs Nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/node-api.access.log;

    location / {
        # Pass the original host and client details through to asperanoded
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Forward to asperanoded on the loopback HTTP port set in step 1
        proxy_pass http://127.0.0.1:9091;
        proxy_read_timeout 20;
        proxy_connect_timeout 15;

        # Rewrite redirects issued by asperanoded to the public HTTPS name
        proxy_redirect http://127.0.0.1:9091 https://your_server_name.com;
    }
}

Replace the following with values specific to your setup:

  • /path/to/server_cert.pem - The location of your server’s signed certificate (including any intermediate certificates -- see this article for more information)
  • /path/to/server_key.pem - The location of your server’s private key
  • your_server_name.com - Your server’s domain name

4. Restart Nginx

# service nginx restart
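
The check below is an added example, not part of the original article or of Aspera's tooling: it parses `ss -ltn` output and reports whether the asperanoded port from step 1 (9091) is bound to loopback only while the Nginx listener from step 3 (9092) is up. The function name, the `--live` switch and the embedded sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: confirm asperanoded is reachable only through the Nginx proxy.
NODE_PORT=9091    # asperanoded HTTP port from step 1
PROXY_PORT=9092   # Nginx TLS listener from step 3

# Reads `ss -ltn` output on stdin and classifies the listeners on port $1:
#   absent | loopback-only | exposed: <non-loopback addr:port ...>
port_binding_status() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # $4 is Local Address:Port
            if (parts[n] != port) next
            seen = 1
            host = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (host !~ /^127\./ && host != "[::1]") exposed = exposed " " $4
        }
        END {
            if (!seen)              print "absent"
            else if (exposed != "") print "exposed:" exposed
            else                    print "loopback-only"
        }'
}

# Constructed sample of `ss -ltn` output for a correctly configured host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9091     0.0.0.0:*
LISTEN 0      511    0.0.0.0:9092       0.0.0.0:*
LISTEN 0      511    [::]:9092          [::]:*'

if [ "${1:-}" = "--live" ]; then
    # Run on the transfer server after step 4.
    node=$(ss -ltn | port_binding_status "$NODE_PORT")
    proxy=$(ss -ltn | port_binding_status "$PROXY_PORT")
    echo "asperanoded :$NODE_PORT -> $node"
    echo "nginx       :$PROXY_PORT -> $proxy"
    nginx -t || exit 1                         # syntax-check the proxy config
    [ "$node" = "loopback-only" ] || { echo "FAIL: node port exposed or down"; exit 1; }
    [ "$proxy" != "absent" ] || { echo "FAIL: proxy not listening"; exit 1; }
else
    # Without --live, classify the constructed sample instead.
    printf '%s\n' "$SAMPLE_SS" | port_binding_status "$NODE_PORT"
fi
```

Run it as root with `--live` on the transfer server; an "exposed" result for port 9091 means the listen setting from step 1 did not take effect and asperanoded is serving plain HTTP on an external interface.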

 
