Proxy iDempiere Through Nginx



As a security measure, you must not expose iDempiere directly to the Internet.

The recommended setup is to expose iDempiere through an nginx reverse proxy.

Setup for iDempiere:
- Install iDempiere as the idempiere user (not root).
- That compels you to use a port other than 80 (e.g. 8080), since non-root processes cannot bind privileged ports.
- You could also bind iDempiere to localhost as its listen address, so it is reachable only through the proxy on this machine.

This is the configuration file on demo.globalqss.com

# Plain-HTTP listener: never serves the application itself, it only
# sends every request to the HTTPS virtual host below with a permanent redirect.
server {
    listen 80;
    server_name demo.globalqss.com;
    return 301 https://$server_name$request_uri;
}
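# HTTPS virtual host that terminates TLS and proxies only the selected
# iDempiere paths to the application listening on localhost:8080.
server {
    server_name demo.globalqss.com;
    listen 443 ssl http2;
    # "ssl on;" is deprecated in nginx; the "ssl" parameter of the listen
    # directive above is sufficient.
    ssl_certificate /etc/letsencrypt/live/demo.globalqss.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demo.globalqss.com/privkey.pem;
    ssl_dhparam /etc/letsencrypt/live/demo.globalqss.com/dhparam.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and must not be offered.
    # Remove TLSv1.3 from this list only if your nginx/OpenSSL build rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret ECDHE suites only: 3DES (Sweet32) and static-RSA key
    # exchange are dropped; !aNULL excludes the anonymous ECDH suites that
    # the EECDH keyword would otherwise match.
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    # "always" emits the header on error responses as well, not just 2xx/3xx.
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE: nginx does not merge add_header across levels. If you ever add an
    # add_header inside a location block, repeat the two headers above there,
    # otherwise that location loses them.
    # exposing the whole iDempiere with / is NOT RECOMMENDED, just for test sites
    # location / {
    #     proxy_set_header X-Forwarded-Host $host;
    #     proxy_set_header X-Forwarded-Server $host;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header Host $http_host;
    #     proxy_pass http://localhost:8080/;
    #     proxy_http_version 1.1;
    # }
    # Proxy the /webui for the zk interface
    # you can do the same as below for ADInterface, wstore or other services if required
    location /webui {
        proxy_pass        http://localhost:8080/webui;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells the backend the client connection was HTTPS even though the
        # proxied hop is plain HTTP. NOTE(review): whether iDempiere/its servlet
        # container honors this header for redirects and secure cookies depends
        # on its own configuration - verify on your installation.
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  Host $http_host;
    }
    # Proxy the Atmosphere server push with no buffering and read timeout
    location /webui/zkau/comet {
        proxy_pass      http://localhost:8080/webui/zkau/comet;
        proxy_http_version 1.1;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  Host $http_host;
        # Long-polling responses must stream through unbuffered, and the
        # default 60s read timeout would cut a held connection.
        proxy_buffering   off;
        proxy_read_timeout   300;
    }
    # Proxy the websocket server push, just needed if you're using this approach
    # location /webui/serverpush {
    #     proxy_pass http://localhost:8080/webui/serverpush;
    #     proxy_http_version 1.1;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "Upgrade";
    # }
    # Upper bound on request bodies (uploads/attachments); requests above it get 413.
    client_max_body_size 20M;
}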

If you want to expose the whole site (not recommended), uncomment the lines configuring location /.

Alternatively, you can selectively expose specific services, such as location /wstore or location /ADInterface/services.

Of course, in your installation you need to replace the demo.globalqss.com hostname with your own hostname, install a proper certificate (such as Let's Encrypt in the example), and generate a dhparam.pem (although that is not required, it is an extra security recommendation).