Proxy iDempiere Through Nginx

From iDempiere en


As a security measure you must not expose directly iDempiere to the www.

A recommended set up to expose iDempiere is through nginx server.

Set up for iDempiere: - Install idempiere as idempiere user (not root) - That compels you to use a port different than 80 (i.e. 8080) - You could also use localhost as the IP address for this machine

This is the configuration file on demo.globalqss.com 

server {
    if ($host = demo.globalqss.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name demo.globalqss.com;
    listen 80;
    return 301 https://$server_name$request_uri;
}
server {
    server_name  demo.globalqss.com ;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/demo.globalqss.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/demo.globalqss.com/privkey.pem; # managed by Certbot
    ssl_dhparam  /etc/letsencrypt/live/demo.globalqss.com/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Frame-Options "SAMEORIGIN";   # https://geekflare.com/add-x-frame-options-nginx/
    access_log      /var/log/nginx/idempiere.access.log;
    error_log       /var/log/nginx/idempiere.error.log;
    proxy_buffer_size   128k;
    proxy_buffers   4 256k;
    server_tokens off;   # do not show version information on headers or page 404
    # WARNING!  exposing the whole iDempiere with / is NOT RECOMMENDED, just for test sites
    # location / {
	# proxy_set_header X-Forwarded-Host $host;
	# proxy_set_header X-Forwarded-Server $host;
	# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	# proxy_set_header X-Real-IP $remote_addr;
	# proxy_set_header Host $http_host;
	# proxy_pass http://localhost:8080/;
        # proxy_http_version 1.1;
    # }
    # Proxy the /webui for the zk interface
    # you can do the same as below for ADInterface, wstore or other services if required
    location /webui {
        proxy_pass        http://localhost:8080/webui;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
	proxy_set_header  X-Forwarded-Proto $scheme;
	# proxy_set_header X-Forwarded-Host $host;
	# proxy_set_header X-Forwarded-Server $host;
	proxy_http_version 1.1;
    }
    location /api/v1 {
        proxy_pass        http://localhost:8080/api/v1;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
	proxy_set_header  X-Forwarded-Proto $scheme;
	# proxy_set_header X-Forwarded-Host $host;
	# proxy_set_header X-Forwarded-Server $host;
	proxy_http_version 1.1;
        add_header Access-Control-Allow-Origin * always;
        add_header Access-Control-Allow-Methods "GET,POST,DELETE,PUT,PATCH,OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type,api_key,Authorization";
    }
    # Proxy the Atmosphere server push with no buffering and read timeout
    location /webui/zkau/comet {
        proxy_pass      http://localhost:8080/webui/zkau/comet;
        proxy_http_version 1.1;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
	proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_buffering   off;
        proxy_read_timeout   300s;
    }
    # Proxy the websocket server push, just needed if you're using this approach
    location /webui/serverpush {
        proxy_pass http://localhost:8080/webui/serverpush;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
    client_max_body_size 20M;
}

If you want to expose the whole site (not recommended), then uncomment the lines configuring the location /

Or you can selectively expose specific services, like location /wstore or location /ADInterface/services

Of course in your installation you need to change the demo.globalqss.com hostname for your own hostname, and install properly a certificate (like letsencrypt in the example), and generate a dhparam.pem (althought that's not required, just an extra security recommendation).


See also this forum thread for an example of proxy through apache

Retrieved from "https://wiki.idempiere.org/w-en/index.php?title=Proxy_iDempiere_Through_Nginx&oldid=23024"
Cookies help us deliver our services. By using our services, you agree to our use of cookies.
GNU-Lizenz für freie Dokumentation 1.3 oder höher
Powered by MediaWiki