Nginx configuration example

This page provides a sample configuration for setting up Nginx as a reverse proxy to expose your Anapaya appliance management APIs to the CONSOLE.

Sample Nginx configuration

The configuration below demonstrates a setup with two appliances using path-based routing (/appliance1/* and /appliance2/*), basic authentication on the reverse proxy, and TLS verification disabled towards the appliances (which use self-signed certificates). Two things to be aware of before copying it: ${APP1_AUTH_BASE64} and ${APP2_AUTH_BASE64} are placeholders, not nginx syntax (nginx reads ${...} as a variable reference, and nginx -t fails with an unknown-variable error until they are replaced as described under Handling appliance credentials below), and proxy_ssl_verify off means the proxy accepts any certificate from 192.168.1.10 and 192.168.1.11, so anyone who can intercept traffic on that path could impersonate an appliance and collect its credentials. Where you can, pin the appliance certificates with proxy_ssl_trusted_certificate and proxy_ssl_verify on instead.

# Upstream servers for appliances
upstream appliance1 {
server 192.168.1.10:443;
}

upstream appliance2 {
server 192.168.1.11:443;
}

server {
listen 443 ssl http2;
server_name console-proxy.example.com;

# TLS certificate configuration
# You can use Let's Encrypt with certbot or any other ACME client
ssl_certificate /etc/nginx/ssl/console-proxy.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/console-proxy.example.com.key;

# TLS 1.2 and 1.3 only. HIGH:!aNULL:!MD5 is a broad OpenSSL cipher list;
# tighten it to your organisation's policy (for example the Mozilla
# "intermediate" profile) as long as the CONSOLE's TLS stack supports it
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

# Basic authentication for all requests
auth_basic "Anapaya Console Proxy";
auth_basic_user_file /etc/nginx/.htpasswd;

# Proxy settings for appliance 1
location /appliance1/ {
# Replace the client's Authorization header (which carried the proxy's own
# basic-auth credentials) with the appliance's. proxy_set_header redefines
# the header, so the proxy password never reaches the appliance.
# ${APP1_AUTH_BASE64} is a placeholder - replace with the base64 encoding of "username:password"
proxy_set_header Authorization "Basic ${APP1_AUTH_BASE64}";

# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Strip /appliance1 prefix before forwarding
rewrite ^/appliance1/(.*) /$1 break;

# Forward to appliance 1
proxy_pass https://appliance1;

# Accept any certificate from the appliance (this is also nginx's default).
# Safer: export the appliance's self-signed certificate, point
# proxy_ssl_trusted_certificate at it and set proxy_ssl_verify on.
proxy_ssl_verify off;

# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}

# Proxy settings for appliance 2
location /appliance2/ {
# Replace the client's Authorization header (which carried the proxy's own
# basic-auth credentials) with the appliance's. proxy_set_header redefines
# the header, so the proxy password never reaches the appliance.
# ${APP2_AUTH_BASE64} is a placeholder - replace with the base64 encoding of "username:password"
proxy_set_header Authorization "Basic ${APP2_AUTH_BASE64}";

# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Strip /appliance2 prefix before forwarding
rewrite ^/appliance2/(.*) /$1 break;

# Forward to appliance 2
proxy_pass https://appliance2;

# Accept any certificate from the appliance (this is also nginx's default).
# Safer: export the appliance's self-signed certificate, point
# proxy_ssl_trusted_certificate at it and set proxy_ssl_verify on.
proxy_ssl_verify off;

# Proxy timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
}

# Redirect HTTP to HTTPS
server {
listen 80;
server_name console-proxy.example.com;
return 301 https://$server_name$request_uri;
}
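As an added example (not part of the original page or Anapaya's own configuration), the appliance 1 location rewritten so that nginx verifies the appliance's self-signed certificate instead of accepting any certificate. It assumes the certificate has been exported once to /etc/nginx/ssl/appliance1.crt and lists appliance1.lab.example as a DNS subject alternative name; the path and the name are placeholders to be replaced with what your appliance certificate actually carries.

```nginx
# Added example (not from the original page): verify the appliance's
# self-signed certificate instead of disabling verification.
# Assumptions: the certificate was exported to /etc/nginx/ssl/appliance1.crt
# and lists appliance1.lab.example as a DNS subject alternative name.
# Both are placeholders; use the name your appliance certificate carries.

# Export the certificate once from a trusted position, then compare its
# SHA-256 fingerprint with the one shown on the appliance before trusting it:
#   openssl s_client -connect 192.168.1.10:443 </dev/null 2>/dev/null \
#     | openssl x509 -out /etc/nginx/ssl/appliance1.crt
#   openssl x509 -noout -fingerprint -sha256 -in /etc/nginx/ssl/appliance1.crt

upstream appliance1 {
server 192.168.1.10:443;
}

# This location replaces the appliance 1 location of the sample
# configuration; the surrounding server { } block stays as it is.
location /appliance1/ {
proxy_set_header Authorization "Basic ${APP1_AUTH_BASE64}";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

rewrite ^/appliance1/(.*) /$1 break;
proxy_pass https://appliance1;

# Trust exactly this certificate. A self-signed certificate in the trusted
# file is accepted as its own trust anchor, so a depth of 1 is enough.
proxy_ssl_trusted_certificate /etc/nginx/ssl/appliance1.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 1;

# With verification on, nginx also checks the certificate's name against
# proxy_ssl_name. Its default is the host part of the proxy_pass URL, i.e.
# the upstream name "appliance1", which the certificate does not contain,
# so set the real name and send it as SNI as well.
proxy_ssl_name appliance1.lab.example;
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;

proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
```

When the appliance regenerates its certificate, the proxy fails closed: requests to /appliance1/ return 502 and the error log records the upstream certificate verification failure until the exported file is replaced and nginx reloaded. That is the intended behaviour and the whole difference from proxy_ssl_verify off.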

Handling appliance credentials

Nginx has no built-in secret store, so the base64-encoded credentials either go straight into the configuration file or are templated in at deployment time. Base64 is an encoding, not encryption: anyone who can read the configuration recovers the appliance passwords, so keep the file owned by and readable only by root (the nginx master process reads the configuration as root; the worker user needs no access to it). nginx -T prints the effective configuration, credentials included, so redact its output before sharing it. The recommended options:

  1. Hardcode the credentials (simplest and most common):

    Replace ${APP1_AUTH_BASE64} and ${APP2_AUTH_BASE64} directly in the configuration file:

    # For appliance 1 with username:password = anapaya-console:password1
    proxy_set_header Authorization "Basic YW5hcGF5YS1jb25zb2xlOnBhc3N3b3JkMQ==";

    # For appliance 2 with username:password = anapaya-console:password2
    proxy_set_header Authorization "Basic YW5hcGF5YS1jb25zb2xlOnBhc3N3b3JkMg==";

    Generate base64-encoded credentials with the command below. The -n keeps echo's trailing newline out of the encoding, and -w0 stops GNU base64 from wrapping inputs longer than 76 characters, which would split the header value across lines:

    echo -n "anapaya-console:password1" | base64 -w0
  2. Use a configuration management tool (recommended for production):

    Tools like Ansible, Terraform, or Puppet can template the configuration file with environment-specific values during deployment.
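A third option, shown here as an added example rather than the page's own recommendation: keep the Authorization header for each appliance in a separate root-only file and pull it into the location block with nginx's include directive. The main configuration then contains no secrets and can be version-controlled or templated as it is. The directory /etc/nginx/secrets is an assumption; the credentials are the same example values as above.

```nginx
# Added example (not from the original page): keep each appliance's
# Authorization header in a root-only file and pull it in with include.
# The directory /etc/nginx/secrets is an assumption; adjust to your layout.
#
# Create the files once, as root. The subshell's umask makes each file
# mode 0600 from the moment it exists; -n and -w0 keep a stray newline or
# line wrapping out of the encoded value:
#   install -d -m 700 -o root -g root /etc/nginx/secrets
#   (umask 077; printf 'proxy_set_header Authorization "Basic %s";\n' \
#      "$(echo -n 'anapaya-console:password1' | base64 -w0)" \
#      > /etc/nginx/secrets/appliance1.conf)
#
# Resulting /etc/nginx/secrets/appliance1.conf, a single directive:
#   proxy_set_header Authorization "Basic YW5hcGF5YS1jb25zb2xlOnBhc3N3b3JkMQ==";
#
# Only the master process, running as root, reads the configuration, so the
# worker user (www-data or nginx) needs no access to /etc/nginx/secrets.

location /appliance1/ {
# The included directive replaces the client's Authorization header
# (the proxy's own basic-auth credentials) with the appliance's.
include /etc/nginx/secrets/appliance1.conf;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

rewrite ^/appliance1/(.*) /$1 break;
proxy_pass https://appliance1;

# TLS towards the appliance as in the sample configuration
proxy_ssl_verify off;

proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}

location /appliance2/ {
include /etc/nginx/secrets/appliance2.conf;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

rewrite ^/appliance2/(.*) /$1 break;
proxy_pass https://appliance2;

proxy_ssl_verify off;

proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
```

nginx -t and nginx -T read the included files, so run them as root, and remember that nginx -T prints the secrets. Rotating an appliance password becomes a matter of rewriting the one-line file and running nginx -s reload.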

Creating the basic auth password file

To create the .htpasswd file for basic authentication:

# Install htpasswd utility (if not already installed)
# On Debian/Ubuntu:
sudo apt-get install apache2-utils
# On RHEL/CentOS:
sudo yum install httpd-tools

# Create password file with user "anapaya-console".
# -B stores a bcrypt hash instead of the default MD5-based one; nginx
# verifies it through the system crypt(3), which supports bcrypt on
# current Debian/Ubuntu and RHEL releases (libxcrypt).
sudo htpasswd -c -B /etc/nginx/.htpasswd anapaya-console
# Enter password when prompted, for example: startin-brock6malt2reserve6attract

# auth_basic is evaluated in the worker processes, so the file must be
# readable by the worker user (www-data on Debian/Ubuntu, nginx on
# RHEL/CentOS) but not by everyone on the host
sudo chown root:www-data /etc/nginx/.htpasswd
sudo chmod 640 /etc/nginx/.htpasswd

TLS certificate management

Unlike Caddy, Nginx does not automatically obtain and renew TLS certificates. You need to use an ACME client like certbot or acme.sh to obtain certificates from Let's Encrypt.

Using certbot with DNS challenge

For servers not publicly accessible on port 80/443, use the DNS challenge:

# Install certbot and DNS plugin (example for Cloudflare)
sudo apt-get install certbot python3-certbot-dns-cloudflare

# Create the Cloudflare credentials file, readable by root only.
# Scope the API token to DNS edit rights on this zone and nothing more;
# creating the file with mode 600 up front avoids a window in which it
# is world-readable.
sudo install -m 600 -o root -g root /dev/null /etc/letsencrypt/cloudflare.ini
sudo tee /etc/letsencrypt/cloudflare.ini > /dev/null << EOF
dns_cloudflare_api_token = your-cloudflare-api-token
EOF

# Obtain certificate using DNS challenge. The deploy hook is stored in the
# renewal configuration and reloads nginx after every renewal; without it
# nginx keeps serving the old certificate until someone reloads it.
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
--deploy-hook "systemctl reload nginx" \
-d console-proxy.example.com

# Set up automatic renewal (the certbot package ships this timer)
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer

Update your Nginx configuration to use the certbot certificates:

ssl_certificate /etc/letsencrypt/live/console-proxy.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/console-proxy.example.com/privkey.pem;

Running in production

Install Nginx

On Debian/Ubuntu:

sudo apt-get update
sudo apt-get install nginx

On RHEL/CentOS:

sudo yum install nginx

Deploy the configuration

  1. Place your configuration file in /etc/nginx/sites-available/console-proxy.conf (Debian/Ubuntu layout). RHEL/CentOS has no sites-available/sites-enabled; there, put the file in /etc/nginx/conf.d/console-proxy.conf, which the stock nginx.conf already includes, and skip step 2.

  2. Create a symbolic link in /etc/nginx/sites-enabled/:

    sudo ln -s /etc/nginx/sites-available/console-proxy.conf /etc/nginx/sites-enabled/
  3. Test the configuration. This is where unreplaced ${APP1_AUTH_BASE64} placeholders show up as unknown-variable errors and where a missing or unreadable certificate file is reported (the .htpasswd file is only opened at request time, so nginx -t does not check it):

    sudo nginx -t
  4. Enable and start Nginx:

    sudo systemctl enable nginx
    sudo systemctl start nginx

Reload configuration

When making changes to the configuration:

# Test configuration first
sudo nginx -t

# Reload if test passes
sudo nginx -s reload
