Proxy configuration for nginx
For production environments, we suggest implementing a reverse proxy in front of your Txture instance. At Txture we typically use and support nginx; however, our customers have also successfully used Apache and IIS (unsupported). Other potentially interesting options are Caddy and træfik (unsupported).
Regardless of whether your Txture instance is reachable via the internet or only internally, we recommend using TLS. Below is a configuration example for nginx that uses strong TLS settings while retaining wide browser compatibility. It consists of two configuration files and requires the following:
- nginx 1.20 or newer
- prepared Diffie-Hellman-parameters (shown in the next step)
- OpenSSL
This article focuses on Linux deployments. With some changes to paths, however, it should work on other platforms as well.
- First, create the parameters file named `dhparam.pem` for the DH key exchange using OpenSSL:

```shell
openssl dhparam -out dhparam.pem 2048
```
- Create `/etc/nginx/nginx.conf` as follows. This file is valid for the whole nginx instance (and hence for all other applications proxied by it); keep this in mind when changing parameters, as other applications might need different values.
```nginx
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log off;
    sendfile on;
    keepalive_timeout 120;
    server_tokens off;

    # compression
    gzip on;
    gzip_min_length 1000;
    gzip_comp_level 2;
    gzip_types application/json text/css application/javascript image/svg+xml;
    gzip_proxied any;

    # proxy buffering
    proxy_buffering on;
    proxy_max_temp_file_size 0;
    # for content
    proxy_buffers 4 8M;
    # for headers
    proxy_buffer_size 16k;
    client_max_body_size 100M;

    include /etc/nginx/conf.d/proxy.conf;
}
```
- In the general `nginx.conf`, an `include` directive defines other configuration files to be included. In this case `/etc/nginx/conf.d/proxy.conf` is referenced and must hence be filled with the following:
```nginx
upstream target_service {
    server {{TARGET_SERVICE}};
}

server {
    server_name {{HOSTNAME}};
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    server_name _;
    listen 443 ssl http2;
    ssl_early_data on;
    ssl_certificate {{CERTIFICATE_PATH}};
    ssl_certificate_key {{KEY_PATH}};
    ssl_dhparam {{DH_PARAM_PATH}};
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security max-age=15638400;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://target_service;
        proxy_read_timeout 90;
        proxy_redirect http:// https://;
    }
}
```
Note that several placeholders have been used in this example; they have to be replaced with actual values before the configuration can be used.

| Name | Description | Example value |
|---|---|---|
| `{{TARGET_SERVICE}}` | The URL, without scheme/protocol, of the application server serving Txture | `localhost:8000/txture/` |
| `{{HOSTNAME}}` | The hostname under which the machine running nginx is reachable. This will be part of the URL of your instance | `txture.example.com` |
| `{{CERTIFICATE_PATH}}` | Path to the SSL certificate file | `/etc/secrets/ssl.crt` |
| `{{KEY_PATH}}` | Path to the corresponding private key | `/etc/secrets/key.pem` |
| `{{DH_PARAM_PATH}}` | Path to the DH exchange parameters generated in step 2 | `/etc/secrets/dhparam.pem` |
Note the header parameters set in the nginx configuration: `Upgrade` and `Connection` have to be set for WebSockets to be forwarded properly. Failure to do so might result in stack traces with the message `Handshake failed due to invalid Upgrade header: null error: org.springframework.web.socket.server.support.AbstractHandshakeHandler` in `handleInvalidUpgradeHeader`.
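As an added example (not part of the Txture documentation or of nginx itself), the following Python script parses a `proxy.conf` in the shape shown above and checks the directives this page relies on: no legacy TLS protocols, session tickets off, the HSTS header, the HTTP-to-HTTPS redirect, and the `Upgrade`/`Connection` headers needed for WebSockets. The embedded sample is this page's `proxy.conf` with the placeholders filled in with hypothetical values; `include` directives are not resolved.

```python
import re
# Constructed sample: this page's proxy.conf with the {{...}} placeholders filled in with hypothetical values.
SAMPLE_CONF = """
upstream target_service { server localhost:8000; }
server { server_name txture.example.com; listen 80; return 301 https://$host$request_uri; }
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    add_header Strict-Transport-Security max-age=15638400;
    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://target_service;
    }
}
"""

def parse(text):
    """Split an nginx config into (block_path, directive, args) tuples; nested blocks, comments and quoting are handled, 'include' is not resolved."""
    entries, stack, words = [], [], []
    for tok in re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', re.sub(r'#[^\n]*', '', text)):
        if tok == '{':            # the words seen so far name the block being opened
            stack.append(' '.join(words)); words = []
        elif tok == '}':
            stack.pop()
        elif tok == ';':          # end of a directive: first word is its name
            entries.append((tuple(stack), words[0], words[1:])); words = []
        else:
            words.append(tok.strip('"\''))
    return entries

def audit(entries):
    """Return findings for the settings this page relies on; an empty list means every check passed."""
    findings = []
    args_of = lambda name: [a for _, d, a in entries if d == name]
    for weak in ('SSLv3', 'TLSv1', 'TLSv1.1'):   # only TLSv1.2/1.3 are expected
        if weak in sum(args_of('ssl_protocols'), []):
            findings.append(f'legacy protocol enabled: {weak}')
    if ['off'] not in args_of('ssl_session_tickets'):
        findings.append('ssl_session_tickets should be off (tickets weaken forward secrecy)')
    if not any(a[:1] == ['Strict-Transport-Security'] for a in args_of('add_header')):
        findings.append('missing Strict-Transport-Security header')
    if not any(len(a) > 1 and a[0] == '301' and a[1].startswith('https://') for a in args_of('return')):
        findings.append('no HTTP to HTTPS redirect')
    headers = {a[0]: a[1] for a in args_of('proxy_set_header') if len(a) > 1}
    if headers.get('Upgrade') != '$http_upgrade' or headers.get('Connection') != 'Upgrade':
        findings.append('WebSocket Upgrade/Connection headers not forwarded')
    return findings
```

Run `audit(parse(open('/etc/nginx/conf.d/proxy.conf').read()))` against a deployed file; an empty list means the checked settings match this page.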