Installing HTTP Gateway behind a reverse proxy
You can install HTTP Gateway behind a reverse proxy.
Nginx Configuration Example
The Nginx configuration example in this section has been successfully used with the current version of HTTP Gateway.
In this example:
- Nginx is installed on the same server as the HTTP Gateway server.
- To avoid double encryption, the connection from Nginx to HTTP Gateway uses HTTP, not HTTPS. The Nginx settings require clients to connect over HTTPS.
- Nginx terminates the TLS connection with the client.
- HTTP Gateway listens on port 5080 using HTTP, while Nginx listens on port 6443 using HTTPS.
To use the example, replace the IP addresses and hostnames:
# Process-level settings for the Nginx instance that fronts HTTP Gateway.
# Worker processes run as the "nginx" user.
user nginx;
# "auto" sizes the number of worker processes to the detected CPU cores.
worker_processes auto;
# Global error log, recording messages at "warn" severity and above.
error_log /var/log/nginx/error.log warn;
# File in which the master process stores its process ID.
pid /var/run/nginx.pid;
events {
# Upper bound on simultaneous connections per worker process.
worker_connections 1024;
}
# HTTP context: terminates TLS on port 6443 and proxies /aspera/http-gwy/
# to HTTP Gateway on 127.0.0.1:5080 over plain HTTP.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Build the RFC 7239 "for=" element describing the peer that connected to Nginx.
# $remote_addr is the connection's source address as seen by Nginx, not a
# value taken from a request header.
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
# Build the value of the outgoing Forwarded header from the incoming one.
# NOTE(review): the incoming Forwarded header is supplied by the client. When it
# is syntactically valid it is kept and this proxy's element is appended, so
# only the LAST element is asserted by Nginx; earlier elements are unverified
# and should not be used on their own for access control or audit decisions.
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
# General access-log format. The last field, $http_x_forwarded_for, is the
# X-Forwarded-For header exactly as the client sent it; $remote_addr is the
# address Nginx actually saw.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Access-log format for the HTTP Gateway server block: adds the negotiated TLS
# protocol and cipher plus request and upstream timing fields.
log_format upstream_time '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher '
'rt=$request_time uct=$upstream_connect_time uht=$upstream_header_time urt=$upstream_response_time';
# Default access log for this http context; the server block below sets its own.
access_log /var/log/nginx/access.log main;
# Idle keep-alive client connections are kept open for up to 240 seconds.
keepalive_timeout 240;
# Response compression is disabled.
gzip off;
upstream http_gateway_backend {
# HTTP Gateway listens on port 5080
# NOTE(review): this hop is plain HTTP, so it relies on staying on the loopback
# interface. Confirm that port 5080 is not reachable from other hosts (bind
# address or host firewall); a client that reaches it directly bypasses TLS
# termination and can supply its own forwarding headers.
server 127.0.0.1:5080;
}
server {
access_log /var/log/nginx/http-gateway-access.log upstream_time;
# NOTE(review): "debug" is the most verbose error_log level (it takes effect only
# on Nginx builds with debug support). Consider a less verbose level such as
# "warn", as used by the global error_log, once the setup has been validated,
# and restrict read access to the log directory.
error_log /var/log/nginx/http-gateway-error.log debug;
# The reverse proxy listens on port 6443
# "ssl" makes this a TLS-only listener; so_keepalive=on enables TCP keepalive
# on the listening socket.
listen 6443 ssl so_keepalive=on;
server_name http-gateway.example.com;
# Certificate and private key presented to clients.
# NOTE(review): the key file should be readable only by the account that starts
# Nginx. No ssl_protocols or ssl_ciphers directive is set in this example, so
# the defaults of the installed Nginx version apply; set them explicitly if
# your policy requires a specific TLS minimum.
ssl_certificate /opt/aspera/common/apache/conf/server.crt;
ssl_certificate_key /opt/aspera/common/apache/conf/server.key;
# 0 disables Nginx's check of the request body size, so the proxy places no
# upper bound on uploads.
# NOTE(review): presumably intentional for file transfers; any size or quota
# limit then has to be enforced behind the proxy.
client_max_body_size 0;
# Allow up to 600 seconds between two successive reads from the backend.
proxy_read_timeout 600s;
location /aspera/http-gwy/ {
# Pass data through in both directions without buffering it in Nginx.
proxy_buffering off;
proxy_request_buffering off;
proxy_pass http://http_gateway_backend;
proxy_set_header Host $host;
# Set from the connection's source address; replaces any X-Real-IP header the
# client sent.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
# $proxy_add_x_forwarded_for appends $remote_addr to the client's own
# X-Forwarded-For header, if any. Only the last entry is added by this proxy;
# earlier entries are client-supplied and unverified.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# RFC 7239 header built by the two maps above, with the request scheme added.
proxy_set_header Forwarded "$proxy_add_forwarded;proto=$scheme";
# WebSocket support
# HTTP/1.1 is used towards the backend; the client's Upgrade header is passed
# on, and Connection: upgrade is sent on every proxied request in this location.
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
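Note: When behind a reverse proxy, HTTP Gateway adds additional fields (including x_real_ip, x_forwarded_for, and forwarded) to the client_connection section of the ascp transfer tags to provide external applications with transfer parameters and context. In the example configuration, the X-Forwarded-For and Forwarded headers are appended to whatever the client sent, so the corresponding tag fields may begin with client-supplied entries; X-Real-IP is set by Nginx from the connection's source address. For more information on tags, see HTTP Gateway Transfer Tags.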