Proxy iDempiere Through Nginx

From iDempiere en

As a security measure you must not expose directly iDempiere to the www.

A recommended set up to expose iDempiere is through nginx server.

Set up for iDempiere: - Install idempiere as idempiere user (not root) - That compels you to use a port different than 80 (i.e. 8080) - You could also use localhost as the IP address for this machine

This is the configuration file on

server {
    listen 80;
    return 301 https://$server_name$request_uri;
server {
    server_name ;
    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/ ;
    ssl_certificate_key /etc/letsencrypt/live/ ;
    ssl_dhparam  /etc/letsencrypt/live/;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;
    add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Frame-Options "SAMEORIGIN";
    # exposing the whole iDempiere with / is NOT RECOMMENDED, just for test sites
    # location / {
    #     proxy_set_header X-Forwarded-Host $host;
    #     proxy_set_header X-Forwarded-Server $host;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header Host $http_host;
    #     proxy_pass http://localhost:8080/;
    #     proxy_http_version 1.1;
    # }
    # Proxy the /webui for the zk interface
    # you can do the same as below for ADInterface, wstore or other services if required
    location /webui {
        proxy_pass        http://localhost:8080/webui;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
    # Proxy the Atmosphere server push with no buffering and read timeout
    location /webui/zkau/comet {
        proxy_pass      http://localhost:8080/webui/zkau/comet;
        proxy_http_version 1.1;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header  Host $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_buffering   off;
        proxy_read_timeout   300;
    # Proxy the websocket server push, just needed if you're using this approach
    # location /webui/serverpush {
    #     proxy_pass http://localhost:8080/webui/serverpush;
    #     proxy_http_version 1.1;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "Upgrade";
    # }
    client_max_body_size 20M;

If you want to expose the whole site (not recommended), then uncomment the lines configuring the location /

Or you can selectively expose specific services, like location /wstore or location /ADInterface/services

Of course in your installation you need to change the hostname for your own hostname, and install properly a certificate (like letsencrypt in the example), and generate a dhparam.pem (althought that's not required, just an extra security recommendation).

See also this forum thread for an example of proxy through apache

Cookies help us deliver our services. By using our services, you agree to our use of cookies.