vsolodkyi
Sisense Team Member

Reverse Proxy with Nginx + SSL configuration

Nginx Reverse proxy configuration

Step 1. Nginx reverse proxy server set up

This example uses nginx, which can be installed on the same machine as Sisense. To install and start it:

  1. Install nginx for Ubuntu/Debian-like systems:

sudo apt install nginx

  2. For RHEL systems such as CentOS, use the command below:

sudo yum install nginx

  3. Start nginx with either of the following:

sudo /etc/init.d/nginx start

sudo systemctl start nginx

Step 2. Nginx server configuration

  1. Open the browser and go to the IP address of the server. If it's up, you will see the Nginx welcome page, which means nginx is now running on the default port 80.

  2. Edit /etc/nginx/sites-enabled/default and add the following configuration inside the root "server {}" section, defining the correct Sisense public IP and port:

location /analytics {
    # Strip the /analytics prefix before the request is passed to Sisense
    rewrite  /analytics/(.*) /$1 break;
    proxy_pass             http://<sisense-ip>:30845;
    proxy_http_version     1.1;
    proxy_set_header       X-Forwarded-Proto $scheme;
    # Upgrade and Connection let WebSocket connections pass through the proxy
    proxy_set_header       Upgrade $http_upgrade;
    proxy_set_header       Connection "upgrade";
    proxy_set_header       X-Real-IP  $remote_addr;
    proxy_set_header       X-Forwarded-For $remote_addr;
    proxy_set_header       Host $host;
    # Timeouts are given in seconds
    proxy_connect_timeout  36000;
    proxy_send_timeout     36000;
    proxy_read_timeout     36000;
    send_timeout           36000;
}

  3. Before you apply the settings, check that there are no syntax errors by running sudo nginx -t
  4. Reload nginx with sudo /etc/init.d/nginx reload or sudo systemctl reload nginx

With this configuration, Sisense is accessible at http://<ip-or-domain-of-nginx-server>/analytics. If HTTPS is configured for this nginx server, Sisense is also accessible at https://<ip-or-domain-of-nginx-server>/analytics.

If HTTPS is enabled at the proxy level, make sure application_dns_name has the https prefix so that all traffic goes over HTTPS, for example: application_dns_name: https://company.sisense.com

Step 3. Sisense configuration

  1. Go to the Admin tab
  2. Click on System Management
  3. Enter Configuration and choose Web Server
  4. In the Proxy URL enter "/analytics" or  "http://<ip-or-domain-of-nginx-server>/analytics" as we configured in Nginx. With "/analytics" you will be able to use multiple domains for this instance. 
  5. Save it and test with a browser by entering http://<ip-or-domain-of-nginx-server>/analytics
    1. Alternatively, if you have DNS configured on your local machine (/etc/hosts/)

Next, we can configure SSL on the Nginx server. Validate that Nginx is working properly before moving on.

SSL configuration for Nginx

Step 1. Obtain self-signed SSL certificates

You can use a command like this:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

For an explanation of what the above command does please refer to

Setup SSL on Sisense (Linux version) - Link placeholder
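Before pointing Nginx at these files, it is worth confirming that the key and certificate belong together and that the certificate is not close to expiry. The script below is an added example, not part of the original article; it runs the Step 1 command non-interactively and then performs both checks. The -subj value default.local, the function names, and the temporary directory standing in for /etc/ssl are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-reload checks for the key/certificate pair from Step 1.
# Function names are hypothetical; a temp directory stands in for /etc/ssl.

# make_selfsigned KEY CRT CN: non-interactive form of the Step 1 command.
make_selfsigned() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$3" -keyout "$1" -out "$2" 2>/dev/null &&
    chmod 600 "$1"   # keep the private key readable by its owner only
}

# pair_matches KEY CRT: succeeds only if CRT carries KEY's public key.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# valid_for_days CRT DAYS: succeeds if CRT is still valid DAYS from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# precheck KEY CRT: run both checks and say which one failed.
precheck() {
    pair_matches "$1" "$2" ||
        { echo "key and certificate do not match" >&2; return 1; }
    valid_for_days "$2" 30 ||
        { echo "certificate expires within 30 days" >&2; return 1; }
    echo "certificate pair OK"
}

# Demonstration on a freshly generated pair (constructed sample input).
workdir=$(mktemp -d)
make_selfsigned "$workdir/nginx-selfsigned.key" \
                "$workdir/nginx-selfsigned.crt" default.local
precheck "$workdir/nginx-selfsigned.key" "$workdir/nginx-selfsigned.crt"
rm -rf "$workdir"
```

On the real server, call precheck with the /etc/ssl paths from Step 1 before running sudo nginx -t.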

Step 2. Configure Nginx to use SSL

  1. Create a new file named self-signed.conf.

sudo vi /etc/nginx/snippets/self-signed.conf

In self-signed.conf, add the directives that hold the location of the certificate and key files generated in Step 1, like this:

ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;

ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

Save and close the file.

  2. Now we will create a snippet file to define SSL settings. Start by creating the file like this:

sudo vi /etc/nginx/snippets/ssl-params.conf

In this file, include the SSL settings below.

ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
# nginx fails to load the configuration if this file does not exist
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
ssl_ecdh_curve secp384r1;
ssl_session_timeout  10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# Stapling is ignored (with a warning) for a self-signed certificate
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable strict transport security for now. You can uncomment the following
# line if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# DENY prevents the site from being displayed in any frame or iframe
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";

Save and close the file.

  3. In this step, we need to modify the Nginx configuration to use SSL. Open your Nginx configuration file, which is usually in a location like /etc/nginx/sites-available/<yourconfig>.

Before making changes to this file it is best to back it up first in case we break anything.

sudo cp /etc/nginx/sites-available/yourconfig /etc/nginx/sites-available/yourconfig.bak

Now open the current Nginx config file:

sudo vi /etc/nginx/sites-available/<yourconfig>

In the first server{} block, at the beginning, add the lines below. You might already have a location {} block, so leave that there.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;

    server_name your_domain.com www.your_domain.com; # server_name can be anything

    location / {
        try_files $uri $uri/ =404;
    }
}

Lastly, we need to add another server{} block at the very bottom of the file, with the following parameters. This is a configuration that listens on port 80 and performs the redirect to HTTPS.

server {
    listen 80;
    listen [::]:80;

    server_name default.local www.default.local; # use same name

    return 302 https://$server_name$request_uri;
}

Please note that you must add this server_name to the hosts file on your local desktop or laptop. In this example, the entry added to the local hosts file is: <ip address of nginx server> <space> <default.local>

Step 3. Adjust the firewall

The steps below assume you have a UFW firewall enabled. You need to review available profiles by running:

sudo ufw app list

You can check the current setting by typing sudo ufw status:

Output

Status: active

To                         Action      From
--                         ------      ----
Nginx HTTP                 DENY        Anywhere
Nginx HTTP (v6)            DENY        Anywhere (v6)

We need to allow HTTPS traffic, so update permissions for the “Nginx Full” profile.

sudo ufw allow 'Nginx Full'

Check the update:

sudo ufw status

Output

Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)

The output above confirms that the changes made to your firewall were successful, so you are ready to enable the changes in Nginx.

Step 4. Enable the changes in Nginx

First, check that there are no syntax errors in the files. Run sudo nginx -t

The output will most likely look like

Output

nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/nginx-selfsigned.crt"

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok

nginx: configuration file /etc/nginx/nginx.conf test is successful

You can disregard the ssl_stapling warning. This setting generates a warning because your self-signed certificate can't use OCSP stapling. This is expected, and your server can still encrypt connections correctly.

If your output matches the example output above, your configuration file has no errors, and you can safely restart Nginx to implement the changes: sudo systemctl restart nginx

Step 5. Test the encryption

Open a browser and navigate to https://<server_name>, using the name you set up in Step 2C.

Last update: 12-30-2022 08:20 AM