
Use nginx as SSL reverse proxy for almir

almir is a bacula frontend, but its embedded web server does not (as of the time of writing) support SSL. So, in order to get at least a token amount of security, I decided to use nginx to add SSL capabilities. After instructing almir to only accept connections from localhost, I configured nginx as a reverse proxy with these features:

  • Redirection of http requests to https
  • Basic auth
  • Automatic rewriting of almir's absolute URLs for including JavaScript etc. to relative URLs, in order to avoid problems with XSS protection from modern browsers

The first item in that list is easy to do, as the following snippet from the config and the wiki page it is copied from show.

server {
    listen      80;
    server_name your.full-qualified-domain.name;
    return      301 https://$server_name$request_uri;
}

The next item is trivial as well, see snippet and wiki.

location / {
    # …
    auth_basic      'Your realm';
    auth_basic_user_file    /path/to/passwd;
    # …
}

Figuring out that last feature was a lot more annoying. After finding the cause of the problem – my browser's XSS protection – dealing with it was a matter of configuring nginx' HttpSubModule to substitute the absolute URLs used by almir with relative URLs.

location / {
    # …
    sub_filter  'http://your.full-qualified-domain.name/' '/';
    sub_filter_once off;
    # …
}

For your (and my future) reference, here's the complete config file.

server {
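    # "listen ... ssl" replaces the separate "ssl on;" directive,
    # which current nginx releases no longer accept.
    listen 443 ssl;
    server_name your.full-qualified-domain.name;

    ssl_certificate     /path/to/ssl/crt;
    ssl_certificate_key /path/to/ssl/key;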

    location / {
        proxy_pass      http://localhost:2500;
        proxy_redirect      http:// https://;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto https;
        proxy_set_header    Host $http_host;

        sub_filter      'http://your.full-qualified-domain.name/' '/';
        sub_filter_once     off;

        auth_basic      "Your realm";
        auth_basic_user_file    /path/to/passwd;
    }
}

server {
    listen      80;
    server_name your.full-qualified-domain.name;
    return      301 https://$server_name$request_uri;
}
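
To confirm that all three features from the list above are actually in effect after a reload, a small acceptance check helps. The following is an added example, not part of the original config or of almir; the `Resp` record, the `fetch` and `audit` helpers and the `/static/app.js` path are assumptions made for illustration, and the sample responses are constructed.

```python
import base64
import http.client
import ssl
from collections import namedtuple

# One HTTP response; header names are lower-cased.
Resp = namedtuple("Resp", "status headers body")

def fetch(host, path="/", tls=True, auth=None):
    """Live helper: GET path once, never following redirects."""
    if tls:
        conn = http.client.HTTPSConnection(host, context=ssl.create_default_context(), timeout=10)
    else:
        conn = http.client.HTTPConnection(host, timeout=10)
    headers = {}
    if auth:  # auth is a (user, password) tuple
        token = base64.b64encode(":".join(auth).encode()).decode()
        headers["Authorization"] = "Basic " + token
    conn.request("GET", path, headers=headers)
    r = conn.getresponse()
    resp = Resp(r.status, {k.lower(): v for k, v in r.getheaders()},
                r.read().decode("utf-8", "replace"))
    conn.close()
    return resp

def audit(host, plain, anon, authed, path="/"):
    """Return a list of findings; an empty list means all three features work."""
    findings = []
    if plain.status != 301 or plain.headers.get("location") != f"https://{host}{path}":
        findings.append("http request is not redirected to the same https URL")
    challenge = anon.headers.get("www-authenticate", "")
    if anon.status != 401 or not challenge.lower().startswith("basic"):
        findings.append("https serves content without a Basic auth challenge")
    if authed.status != 200:
        findings.append("valid credentials were not accepted")
    elif f"http://{host}/" in authed.body:
        findings.append("absolute http:// URL survived sub_filter")
    return findings

# Constructed sample responses, shaped like what the config above should produce.
HOST = "your.full-qualified-domain.name"
SAMPLE_PLAIN = Resp(301, {"location": f"https://{HOST}/"}, "")
SAMPLE_ANON = Resp(401, {"www-authenticate": 'Basic realm="Your realm"'}, "")
SAMPLE_AUTHED = Resp(200, {}, '<script src="/static/app.js"></script>')
SAMPLE_UNFILTERED = Resp(200, {}, f'<script src="http://{HOST}/static/app.js"></script>')
```

Against a live host, pass `fetch(host, tls=False)`, `fetch(host)` and `fetch(host, auth=(user, password))` as the three responses to `audit`.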

© drc.