Securing View with NGINX

Overview

This guide details how to secure View applications behind an NGINX proxy server using HTTPS. This configuration provides secure communication, proper routing, and optimal performance.

Configuration

The following NGINX configuration secures View with HTTPS and routes traffic to the appropriate service endpoints:

server {
  listen 443 ssl;
  server_name {{SERVER_NAME}};

  # Maximum upload size
  client_max_body_size 500M;

  # SSL Certificate Configuration
  ssl_certificate {{SSL_CERT_PATH}};
  ssl_certificate_key {{SSL_KEY_PATH}};
  include {{SSL_OPTIONS_PATH}};
  ssl_dhparam {{SSL_DHPARAM_PATH}};

  # API Routing - Direct /v1.0/* endpoints to the API service
  location ~* ^/v1\.0/ {
    proxy_pass http://{{API_HOST}}:{{API_PORT}};

    # Request headers
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Connection settings
    proxy_http_version 1.1;
    chunked_transfer_encoding off;
    proxy_buffering off;
    proxy_cache off;

    # WebSocket support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
  }

  # Frontend Routing - Direct all other traffic to the frontend service
  location / {
    proxy_pass http://{{FRONTEND_HOST}}:{{FRONTEND_PORT}};

    # Request headers
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Connection settings
    proxy_http_version 1.1;
    chunked_transfer_encoding off;
    proxy_buffering off;
    proxy_cache off;

    # WebSocket support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # Set timeout values
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
  }

  # Security headers
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  add_header X-Content-Type-Options nosniff;
  add_header X-Frame-Options SAMEORIGIN;
  add_header X-XSS-Protection "1; mode=block";
}

Configuration variable definitions:

{{SERVER_NAME}} - Your View server's domain name (e.g., view.example.com)

{{SSL_CERT_PATH}} - Path to SSL certificate file

{{SSL_KEY_PATH}} - Path to SSL private key file

{{SSL_OPTIONS_PATH}} - Path to SSL options file

{{SSL_DHPARAM_PATH}} - Path to Diffie-Hellman parameters file

{{API_HOST}} - Hostname or IP address of the API service

{{API_PORT}} - Port number of the API service (default: 8000)

{{FRONTEND_HOST}} - Hostname or IP address of the frontend service

{{FRONTEND_PORT}} - Port number of the frontend service (default: 9000)

Key Components

SSL/TLS Configuration

  • SSL Certificates: Uses your chosen certificate provider
  • Security: Includes recommended SSL options and Diffie-Hellman parameters

Traffic Routing

  • API Service: Routes all /v1.0/ traffic to the API service (default port 8000)
  • Frontend Service: Routes all other traffic to the frontend service (default port 9000)

Connection Settings

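  • WebSocket Support: Forwards the Upgrade and Connection headers over HTTP/1.1 so WebSocket connections for real-time applications pass through the proxy
  • Proxy Settings: Disables proxy buffering and caching, and passes Host, X-Forwarded-For, X-Real-IP, and X-Forwarded-Proto to the backend services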
  • Upload Limit: Configured to handle files up to 500MB

Security Headers

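  • HSTS: Enforces HTTPS connections for one year (max-age=31536000), including subdomains
  • Content Security: Sets X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection to protect against MIME sniffing, clickjacking, and reflected XSS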

Implementation Steps

  1. Install NGINX:

    sudo apt update
    sudo apt install nginx
    
  2. Install SSL Certificate:

    • If using Let's Encrypt:
      sudo apt install certbot python3-certbot-nginx
      sudo certbot --nginx -d {{SERVER_NAME}}
      
    • If using other certificate providers, follow their instructions
  3. Prepare Configuration Variables:
    Replace the placeholders in the configuration with your actual values:

    Variable               Description                                     Example Value
    {{SERVER_NAME}}        Your View server's domain name                  view.example.com
    {{SSL_CERT_PATH}}      Path to SSL certificate file                    /etc/ssl/certs/view.crt
    {{SSL_KEY_PATH}}       Path to SSL private key file                    /etc/ssl/private/view.key
    {{SSL_OPTIONS_PATH}}   Path to SSL options file                        /etc/nginx/ssl-options.conf
    {{SSL_DHPARAM_PATH}}   Path to Diffie-Hellman parameters file          /etc/ssl/dhparam.pem
    {{API_HOST}}           Hostname or IP address of the API service       127.0.0.1
    {{API_PORT}}           Port number of the API service                  8000
    {{FRONTEND_HOST}}      Hostname or IP address of the frontend service  127.0.0.1
    {{FRONTEND_PORT}}      Port number of the frontend service             9000
  4. Apply Configuration:

    • Save the configuration to /etc/nginx/sites-available/view
    • Create a symbolic link: sudo ln -s /etc/nginx/sites-available/view /etc/nginx/sites-enabled/
  5. Test & Reload NGINX:

    sudo nginx -t
    sudo systemctl reload nginx
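
Steps 3 to 5 can be scripted so that a mistyped or hostile value never reaches the live configuration. The following is an added example, not part of the View documentation: the names render_view_conf, valid_value and VIEW_VARS are hypothetical, and the allowed character sets are assumptions (hosts are DNS names or IPv4 addresses, paths are absolute).

```shell
#!/bin/sh
# Added example (not View's own tooling): render the NGINX template from
# environment variables and fail closed on unsafe or missing values.
VIEW_VARS="SERVER_NAME SSL_CERT_PATH SSL_KEY_PATH SSL_OPTIONS_PATH
SSL_DHPARAM_PATH API_HOST API_PORT FRONTEND_HOST FRONTEND_PORT"

# valid_value NAME VALUE: succeed only if VALUE is safe to paste into the
# config. Rejecting ';', '{', spaces and newlines keeps a bad value from
# adding directives. Assumption: hosts are DNS names or IPv4 addresses.
valid_value() {
  case "$1" in
    *_PORT)
      case "$2" in ''|*[!0-9]*|??????*) return 1 ;; esac
      [ "$2" -ge 1 ] && [ "$2" -le 65535 ] ;;
    *_PATH)
      case "$2" in /*) ;; *) return 1 ;; esac
      case "$2" in *[!A-Za-z0-9._/-]*) return 1 ;; esac ;;
    *)
      case "$2" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac ;;
  esac
}

# render_view_conf TEMPLATE: print the rendered config, or return non-zero.
render_view_conf() {
  script=
  for name in $VIEW_VARS; do
    eval "val=\${$name-}"
    if ! valid_value "$name" "$val"; then
      echo "refusing to render: bad or missing $name" >&2
      return 1
    fi
    script="${script}s|{{$name}}|$val|g;"
  done
  out=$(sed -e "$script" "$1") || return 1
  # Anything still shaped like {{NAME}} is a typo or an unknown variable.
  if printf '%s\n' "$out" | grep -q '{{[A-Z_]*}}'; then
    echo "refusing to render: unresolved placeholder" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

# Typical use, with the nine variables set beforehand:
#   render_view_conf view.conf.template > /tmp/view.conf \
#     && sudo install -m 644 /tmp/view.conf /etc/nginx/sites-available/view \
#     && sudo nginx -t
```

Running nginx -t after rendering still matters, because the script checks the substituted values, not the directives around them.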
    

Monitoring & Maintenance

  • Certificate Renewal: If using Let's Encrypt, certificates expire after 90 days
    • Confirm that automatic renewal works with a dry run: sudo certbot renew --dry-run
  • Log Monitoring: Check /var/log/nginx/error.log for issues
  • Performance Tuning: Adjust buffer sizes and timeouts as needed based on load

Troubleshooting

  • Connection Issues: Verify firewall settings allow traffic on port 443
  • Certificate Problems: Check certificate validity and paths
  • Routing Errors: Confirm backend services are running on expected ports

For additional support, contact the View support team at [email protected].