Skip to main content

Does anyone have any documentation they can share on using a reverse proxy with a Touch App Server?

Dear @ctaylor56,

Please find below F1 documentation guide which will help you to setup reverse proxy ,

Hope this helps. 


I would like to add a couple more nginx options to the defaults provided by the F1 documentation for future explorers.

 

### If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the 
### scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
'' $scheme;
}

### If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
### server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
default $http_x_forwarded_port;
'' $server_port;
}

### If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
### Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
default upgrade;
'' close;
}

### Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
default off;
https on;
}

### Common NGINX defaults
listen 443 ssl http2;
server_name ifs.domain.name;
access_log /var/logs/nginx/ifs.log;
error_log /var/logs/nginx/ifs_error.log info;

### Set common proxy options
## Disable buffering (Send to the client as soon as the data is received from IFS)
proxy_buffering off;
proxy_redirect off;
## Set the timeouts depending on the usage of the IFS Applications.
## The values should be correlated with the timeouts in the Middleware Server configuration_{instance}.xml file
proxy_connect_timeout 60s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;

### Set proxy headers for IFS
proxy_set_header X-Real-IP $remote_addr;
## If not using ngx_http_realip_module change '$http_x_forwarded_for,$realip_remote_addr' to $proxy_add_x_forwarded_for
proxy_set_header X-Forwarded-For '$proxy_add_x_forwarded_for,$realip_remote_addr';
## If $scheme does not work, try "$proxy_x_forwarded_proto"
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
## Websockets
proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
## Mitigate httpproxy attack
proxy_set_header Proxy "";

### Set common security headers
add_header Strict-Transport-Security max-age=15768000;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Permissions-Policy "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self)";
## WARNING: be very careful enabling the Content Security Policy... it will most likely break your IFS site
add_header Content-Security-Policy-Report-Only "default-src 'none'; base-uri 'self'; font-src 'self' data:; media-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; worker-src * blob:; frame-src 'self'; connect-src 'self' https: wss:; object-src 'self'; frame-ancestors 'self'; form-action 'self'; manifest-src 'self'; script-src-elem 'self' 'unsafe-inline'";

### Parameters for SSL/TLS configuration (disable anything below TLSv2)
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
## Ciphers should be same as the ciphers on Middleware Server configuration_{instance}.xml file
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA
## Location of Public certificate
ssl_certificate /etc/letsencrypt/live/ifs.domain.name/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ifs.domain.name/privkey.pem;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
## If you have lot's of 500 errors, you can increase this to 8000
ssl_buffer_size 4000;

### If you run long queries, have complex quick reports, consider increasing this to 1800s (30 minutes)
send_timeout 600s;

### Set the maximum allowed size of the client request body.
### This should be set depending on the requests to the IFS Applications (eg: document upload or integrations body size)
### If your uploads are small, you can decrease this to 25m
client_max_body_size 100m;

### Use gzip to compress common file types
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
gzip_disable "MSIE 1-6]\.";

### Redirect traffic from Reverse Proxy to IFS
location / {
## Please change the following line to point to your IFS instance syntax IP:PORT
## If your IFS instance is using/requiring https, you must change http:// to https://
proxy_pass http:///INTERNAL-IFS-IP-ADDRESS]::INTERNAL-IFS-PORT]/;
proxy_set_header X-Forwarded-For $remote_addr;
## Disable the verification of the proxied HTTPS server certificate (eg: MWS certificate).
## You can either use this NGINX flag, or add the custom certificate to the "ssl_trusted_certificate" file to avoid using this flag
## Note: this might violate the corporate securtiy policy of the customer.
proxy_ssl_verify off;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
}

 


Reply