-
Notifications
You must be signed in to change notification settings - Fork 306
Running Solid behind a reverse proxy
If you want to run multiple services on a single port 443 of a machine, you will need a reverse proxy (such as NGINX) to route on HTTP level between different back-end services.
One of Solid's authentication mechanisms is WebID-TLS: the client sends its client certificate during the TLS handshake. However, by default, this requires the client to set up a TLS connection directly with the Solid server: if the TLS handshake is performed by an intermediary, the Solid server cannot see the client certificate.
When running Solid on a different port than the reverse proxy, we can bypass that proxy.
The drawbacks are uglier URLs (such as https://example.org:1234/), and possibly firewall problems (if only ports 80 and 443 are allowed).
Example of a config:
https://gist.github.com/melvincarvalho/17c2675978576ed37f83c88fbc0a9327
Advanced usage:
https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-1/
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPreserveHost on
ProxyPass / https://localhost:8444/
ProxyPassReverse / https://localhost:8444/
see: https://github.com/linkeddata/gold/issues/88
see: https://gitter.im/linkeddata/chat?at=5a54c72fb48e8c3566bba507
- Replace
solid.example.orgby your own domain name.
# Nginx configuration
## Redirects all HTTP traffic to the HTTPS host
server {
## In case of conflict, either remove "default_server" from the listen line below,
## or delete the /etc/nginx/sites-enabled/default file.
listen 0.0.0.0:80;
listen [::]:80;
server_name solid.example.org;
server_tokens off; ## Don't show the nginx version number, a security best practice
return 301 https://$http_host$request_uri;
access_log /var/log/nginx/solid_access.log;
error_log /var/log/nginx/solid_error.log;
}
server {
listen *:443 ssl;
listen [::]:443 ssl;
server_name solid.example.org;
server_tokens off;
access_log /var/log/nginx/solid_ssl_access.log;
error_log /var/log/nginx/solid_ssl_error.log;
## [Optional] Enable HTTP Strict Transport Security
## HSTS is a feature improving protection against MITM attacks
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
location / {
proxy_pass https://localhost:8443;
gzip off;
proxy_redirect off;
## Some requests take more than 30 seconds.
proxy_read_timeout 300;
proxy_connect_timeout 300;
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}