Configure Nginx reverse proxy and server certificates

You must protect your Aspera on Cloud tethered transfer nodes with an Nginx reverse proxy.

This is step 5 in tethering a node.

Before you begin step 5, be sure you have completed step 4: Configure your transfer server as a tethered node.

  1. Download and install Nginx.
  2. Set the HTTPS port to 9092.
    # /opt/aspera/bin/asconfigurator -x "set_server_data;https_port,9092"
  3. Open the Nginx configuration file in a text editor.

    Open /etc/nginx/nginx.conf and ensure the following include directive is present in the http section. If it is not present, add it to the file:

    http {
    ...
    include /etc/nginx/conf.d/*.conf;
    }
  4. Create a file named aspera_node_proxy.conf and save it in /etc/nginx/conf.d/.
  5. Paste the following content into aspera_node_proxy.conf:
    #
    # Aspera configuration - reverse proxy for asperanoded
    #
    server { 
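      listen 443 ssl;
      server_name your.servername.com;
      ssl_certificate /opt/aspera/etc/aspera_server_cert.pem;
      ssl_certificate_key /opt/aspera/etc/aspera_server_key.pem;
    
      # TLS is enabled by the "ssl" parameter of listen; the separate "ssl on;"
      # directive was deprecated in Nginx 1.15.0 and removed in 1.25.1.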
      ssl_session_cache builtin:1000 shared:SSL:10m;
      ssl_protocols TLSv1.2;
      ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
      ssl_prefer_server_ciphers on;
    
      access_log         /var/log/nginx/node-api.access.log;
    
      location / { 
        proxy_pass https://127.0.0.1:9092;
        proxy_read_timeout 60;
        proxy_redirect https://127.0.0.1:9092 https://your.servername.com;
        proxy_set_header Host                  $host:$server_port;
        proxy_set_header X-Real-IP             $remote_addr;
        proxy_set_header X-Forwarded-For       $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto     $scheme;
      }
    } 
    Note: Configure SSL ciphers as required. The preceding sample is not configured for backwards compatibility, and the recommended list of secure ciphers might change. Aspera recommends reviewing and staying current with the list provided in https://cipherli.st/.
  6. Restart the Aspera NodeD service (asperanoded).
    # systemctl restart asperanoded
  7. Restart Nginx.
    # systemctl restart nginx
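
As an added example (not part of the Aspera documentation), the following shell function statically checks aspera_node_proxy.conf for the settings this procedure depends on: a TLS-enabled listener, a certificate and key, no protocol older than TLSv1.2, and a proxy_pass target of https://127.0.0.1:9092. The name audit_proxy_conf and the sample file are constructed for illustration, and accepting TLSv1.3 alongside TLSv1.2 is an assumption.

```shell
# Added example: static check of aspera_node_proxy.conf before restarting Nginx.
# audit_proxy_conf is a hypothetical helper, not an Aspera or Nginx tool. It is
# line-oriented and assumes one directive per line, as in the page's sample.
# Usage: audit_proxy_conf FILE [NODE_PORT]; exit status = number of findings.
audit_proxy_conf() {
  body=$(sed 's/#.*//' "$1")   # ignore commented-out directives
  port=${2:-9092}              # https_port set with asconfigurator in step 2
  n=0
  has() { printf '%s\n' "$body" | grep -Eq "$1"; }
  # TLS must be enabled on the listener (listen ... ssl, or legacy "ssl on;").
  has '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]ssl[[:space:]]*[;[:space:]]' ||
    has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' ||
    { echo "FAIL: listener does not enable TLS"; n=$((n + 1)); }
  # Certificate and private key must both be configured.
  for d in ssl_certificate ssl_certificate_key; do
    has "^[[:space:]]*${d}[[:space:]]+[^;[:space:]]+[[:space:]]*;" ||
      { echo "FAIL: $d is missing"; n=$((n + 1)); }
  done
  # Only TLSv1.2/TLSv1.3 may be offered (TLSv1.3 is an assumption). A missing
  # directive leaves the choice to the Nginx build's defaults, so flag it too.
  protos=$(printf '%s\n' "$body" |
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p')
  [ -n "$protos" ] || { echo "FAIL: ssl_protocols not set"; n=$((n + 1)); }
  for p in $protos; do
    case $p in
      TLSv1.2|TLSv1.3) ;;
      *) echo "FAIL: weak protocol enabled: $p"; n=$((n + 1)) ;;
    esac
  done
  # Upstream must be asperanoded over HTTPS on loopback at the node port.
  has "^[[:space:]]*proxy_pass[[:space:]]+https://127\.0\.0\.1:${port}[/;[:space:]]" ||
    { echo "FAIL: proxy_pass is not https://127.0.0.1:$port"; n=$((n + 1)); }
  return "$n"
}

# Constructed sample: the page's server block with two mistakes introduced.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
  listen 443 ssl;
  ssl_certificate /opt/aspera/etc/aspera_server_cert.pem;
  ssl_certificate_key /opt/aspera/etc/aspera_server_key.pem;
  ssl_protocols TLSv1 TLSv1.2;
  location / {
    proxy_pass http://127.0.0.1:9092;
  }
}
EOF
audit_proxy_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run the function against /etc/nginx/conf.d/aspera_node_proxy.conf and follow it with `nginx -t` before restarting Nginx, so that a syntax error is caught while the running proxy is still up.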

Next step in tethering a node

You've completed the HTTPS proxy configuration for your tethered node. For step 6 in tethering the HSTS node to your AoC organization, go to Create the transfer user for your tethered node.