Skip to content

Reverse Proxy Setup

In order to enable transport encryption for accessing Accurids, the deployment of Accurids within Docker can be fronted with a reverse proxy performing TLS termination. This guide details a minimal configuration of the nginx webserver for achieving this objective. The following information must be known for successfully setting up the reverse proxy.

What Example
Locally accessible IP of the Accurids host machine 127.0.0.1
Port where the Accurids instance is accessible 8080
Your SSL certificate file /etc/keys/cert.crt
Your SSL key /etc/keys/cert.key
URL where Accurids will be accessible, assigned to the host running nginx accurids.mycompany.com

Furthermore, a redirect of http requests to https is configured. Configuration of nginx for load balancing is also possible, but beyond the scope of this guide.

Modifications of nginx Config File

The following manual assumes, that nginx is already installed either via Docker or the package manager of your operating system. Accurids will be made accessible at standard http/https ports (80 and 443). In this example, the Accurids instance runs on the same machine and is accessible at port 8080.

The configuration can be done in the default nginx configuration file nginx.conf. Depending on the nginx distribution the location of this file is either /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx. The following has to be added.

server {
    server_name accurids.mycompany.com;

    set $upstream 127.0.0.1:8080;

    location /subscriptions {
        proxy_pass http://$upstream;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass_header Authorization;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";

        proxy_pass http://$upstream;
        proxy_http_version 1.1;
        proxy_buffering on;
        proxy_max_temp_file_size 8192m;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_redirect off;
    }

    listen 443 ssl;
    ssl_certificate /etc/keys/cert.crt;
    ssl_certificate_key /etc/keys/cert.key;
}

server {
    if ($host = accurids.mycompany.com) {
        return 301 https://$host$request_uri;
    }

    server_name accurids.mycompany.com;
    listen 80;
    return 404;
}

Restart `nginx` to apply the changes.

Configure a BaseURL of the Accurids Installation (optional)

If you have followed the instructions above, Accurids will be accessible at the at the root of the configured domain. In some environments it might be desirable to make Accurids available under a subpath of an existing domain (e.g. example.com/accurids). This necessitates some changes to the configuration of both nginx and Accurids. This section describes the necessary adaptations for deploying Accurids under the subpath /accurids.

For nginx, the location blocks within the main server block must be changed as follows.

    location ~ ^/accurids/subscriptions {
        proxy_pass http://$upstream/subscriptions;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    location ~ ^/accurids/(?<req>.*) {
        proxy_pass_header Authorization;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Prefix "/accurids";
        proxy_set_header Connection "";

        proxy_pass http://$upstream/$req;
        proxy_http_version 1.1;
        proxy_buffering on;
        proxy_max_temp_file_size 8192m;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_redirect off;
    }

Furthermore, the Accurids configuration variable accurids.root-url has to be set to /accurids. This instructs the frontend to request resources from the correct location.

If you are using the docker-compose setup outlined in Installation with Docker, add the list item accurids.root-url='/accurids' to the environment section of the accurids service.

Restart Accurids and nginx to apply the changes.