Install and configure NGINX as a reverse proxy with an https redirect.

Install NGINX

While NGINX is available on most Linux distributions through their package management, it needs to be compiled from source on Solaris. To do so, additional packages are required.

NGINX can be downloaded from the official NGINX website.

For Linux packages and how to integrate NGINX into the OS repository, see the official NGINX website.

Install NGINX on Solaris 11

First, install all packages which are necessary to compile NGINX:

pkg install gcc-45 system/header make pcre

Download NGINX and compile (as a sample, NGINX 1.10.1 was used):

tar xvfz nginx-1.10.1.tar.gz && cd nginx-1.10.1 
./configure --prefix=/opt/nginx --with-cpu-opt="amd64" --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-cc=/usr/bin/gcc --error-log-path=/var/log/nginx-error.log --http-log-path=/var/log/nginx-access.log --pid-path=/var/run/nginx 
make && make install

Integrate NGINX within Service Management Facility (SMF)

Place the Start-Stop script in /lib/svc/method/svc-nginx.

#!/bin/sh
NGINX_CMD="/opt/nginx/sbin/nginx"
NGINX_CONF="/opt/nginx/conf/nginx.conf"
RETVAL=0
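start() {
   echo "Starting Nginx Web Server: \c"
   # nginx daemonizes itself; do not background it with "&",
   # otherwise $? is always 0 and a failed start goes unnoticed
   "$NGINX_CMD" -c "$NGINX_CONF"
   RETVAL=$?
   [ $RETVAL -eq 0 ] && echo "ok" || echo "failed"
   return $RETVAL
}
stop() {
   echo "Stopping Nginx Web Server: \c"
   # the master process is the one whose command line contains the binary path
   NGINX_PID=`ps -ef |grep "$NGINX_CMD" |grep -v grep |awk '{print $2}'`
   kill $NGINX_PID
   RETVAL=$?
   [ $RETVAL -eq 0 ] && echo "ok" || echo "failed"
   return $RETVAL
}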
case "$1" in
   start)
      start
      ;;
   stop)
      stop
      ;;
   restart)
      stop
      start
      ;;
   *)
      echo "Usage: $0 {start|stop|restart}"
      exit 1
esac
exit $RETVAL

Place the SMF Manifest in /var/svc/manifest/network/nginx.xml

<?xml version="1.0"?> 
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> 
<service_bundle type='manifest' name='nginx'> 
  <service name='network/nginx' type='service' version='1'>
    <create_default_instance enabled='false' /> 
    <single_instance />
    <exec_method type='method' name='start' exec='/lib/svc/method/svc-nginx start' timeout_seconds='60'/>
    <exec_method type='method' name='stop' exec='/lib/svc/method/svc-nginx stop' timeout_seconds='60' />
    <exec_method type='method' name='restart' exec='/lib/svc/method/svc-nginx restart' timeout_seconds='60' /> 
    <stability value='Stable' /> 
    <template> 
      <common_name>
        <loctext xml:lang='C'> Nginx 1.10.1 </loctext> 
      </common_name>
      <documentation> 
        <manpage title='nginx' section='8' manpath='/usr/share/man' /> 
      </documentation>
    </template>
  </service>
</service_bundle>

If you install a different version, also adapt the manifest.

Set proper file permissions:

chown root:bin /lib/svc/method/svc-nginx
chmod 555 /lib/svc/method/svc-nginx
chmod 444 /var/svc/manifest/network/nginx.xml
chown root:sys /var/svc/manifest/network/nginx.xml
svccfg -v import /var/svc/manifest/network/nginx.xml


Activate NGINX:

svcadm enable nginx

Configure NGINX

Below is a sample configuration (/opt/nginx/conf/nginx.conf) which redirects all traffic to https and acts as a reverse proxy for censhare 5 Web and others.


#user nobody;
worker_processes 5;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # redirect all http requests to https
    server {
        listen <your public IP>:80;
        server_name _;
        rewrite ^ https://$host$request_uri? permanent;
    }

    server {
        client_max_body_size 512M;
        listen <your public IP>:443 ssl;
        server_name <your fqdn>;
        ssl_certificate <your chained certificate>;
        ssl_certificate_key <your certificate key>;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers  HIGH:!aNULL:!MD5:!DSS:!RC4;
        ssl_prefer_server_ciphers on;

        # v4 WebClient
        location / {
            proxy_http_version 1.1;
            proxy_pass https://localhost:8443;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # web socket forwarding
            proxy_read_timeout 24h;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # v5 WebClient
        location /censhare5/client/ {
            proxy_http_version 1.1;
            proxy_pass https://localhost:9443;
            proxy_redirect default;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # web socket forwarding
            proxy_read_timeout 24h;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # TempDownload Link
        location /tempDownload/ {
            proxy_http_version 1.1;
            proxy_pass https://localhost:9443;
            proxy_redirect default;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # web socket forwarding
            proxy_read_timeout 24h;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # REST
        location /ws/ {
            proxy_http_version 1.1;
            proxy_pass https://localhost:9443;
            proxy_redirect default;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # web socket forwarding
            proxy_read_timeout 24h;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        # censhare SOAP
        location /censhare-webservice/ {
            proxy_http_version 1.1;
            proxy_pass https://localhost:7443;
            proxy_redirect default;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # web socket forwarding
            proxy_read_timeout 24h;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Refer to the NGINX documentation for configuring https.
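
The following check script is an added example, not part of the original page or of any censhare or NGINX tooling. It scans an nginx.conf for legacy protocol versions in ssl_protocols (SSLv2, SSLv3, and the TLSv1 and TLSv1.1 versions that RFC 8996 deprecated and that the sample configuration above enables) and counts server blocks on port 80 that lack an https redirect. The function names, the temporary file and the 192.0.2.10 address are assumptions of the example.

```shell
#!/bin/sh
# Added example: static checks on an nginx.conf before enabling the service.
# Assumes one directive per line, as in the sample configuration.

# Print each deprecated protocol enabled via ssl_protocols; return 1 if any.
deprecated_tls_protocols() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) { print p; found = 1 }
            }
        }
        END { exit found + 0 }
    ' "$1"
}

# Print how many server blocks listen on port 80 without an https redirect
# (rewrite or return); return 1 if there are any.
plain_http_without_redirect() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*server[ \t]*[{]/ { in_srv = 1; depth = 0; l80 = 0; redir = 0 }
        in_srv {
            if ($1 == "listen" && $0 ~ /[: ]80[ ;]/) l80 = 1
            if (($1 == "rewrite" || $1 == "return") && /https:\/\//) redir = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) { if (l80 && !redir) bad++; in_srv = 0 }
        }
        END { print bad + 0; exit (bad > 0) }
    ' "$1"
}

# Constructed sample input; the address and file name are placeholders.
SAMPLE_CONF="${TMPDIR:-/tmp}/nginx-sample.$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
http {
    server {
        listen 192.0.2.10:80;
        rewrite ^ https://$host$request_uri? permanent;
    }
    server {
        listen 192.0.2.10:443 ssl;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    }
}
EOF
deprecated_tls_protocols "$SAMPLE_CONF" || echo "deprecated TLS versions enabled"
plain_http_without_redirect "$SAMPLE_CONF" >/dev/null && echo "port 80 redirects to https"
```

The awk programs need a POSIX awk (on Solaris, nawk or /usr/xpg4/bin/awk). Run both functions against /opt/nginx/conf/nginx.conf before "svcadm enable nginx" or after each configuration change.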

NGINX config snippet

censhare v5 Web with redirect (no branding)

# v5 WebClient
rewrite ^/$ /censhare5/client/ redirect;
location /censhare5/client/ {
    proxy_http_version 1.1;
    proxy_pass https://localhost:9443;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # web socket forwarding
    proxy_read_timeout 24h;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Offline DB

Add this snippet to your existing server directive. The Offline DB will then be accessible at https://<fqdn>/offline-db.

# offline-db
location /offline-db/ {
    root /opt/corpus/work/;
    index index.html index-all_issues.html;
}

If an additional server directive is needed for the Offline DB, you might also need to create a symbolic link to the default NGINX document root. The default document root directory can be determined from the configuration examples of the NGINX installation or from the NGINX error log file.