NGINX

OKA can be run behind a reverse proxy such as NGINX, for example to terminate TLS and expose OKA over HTTPS instead of plain HTTP.

Warning

On operating systems such as RHEL, SELinux may block NGINX from reaching OKA: NGINX runs in the confined httpd_t domain, which by default is not allowed to open outbound network connections to arbitrary backend ports, so the proxy returns errors while OKA itself is running fine. Prefer configuring SELinux over disabling it: turning on the httpd_can_network_connect boolean (persistently, with the -P flag of setsebool) is usually enough, and any remaining denials are recorded in the audit log (/var/log/audit/audit.log). Check the documentation: What is SELinux (Security-Enhanced Linux)?.

How to configure HTTP or HTTPS to serve OKA

Note

OKA already creates two preset example configuration files for NGINX that you can use ‘as is’:

  • HTTP: ${OKA_INSTALL_DIR}/current/config/proxy/oka.nginx.conf

  • HTTPS: ${OKA_INSTALL_DIR}/current/config/proxy/oka.nginx_ssl.conf

Copy the one that suits your needs (HTTP or HTTPS) to /etc/nginx/conf.d/ and adapt it to your environment (e.g., certificate paths…).

To create your own custom configuration, follow these steps:

  • For HTTPS: create a self-signed certificate if you don’t have one issued by a CA. Clients do not trust a self-signed certificate by default (browsers will warn and API clients will refuse to connect unless told to trust it), so use it for test deployments only and obtain a certificate from your organisation’s or a public CA for anything else.

    mkdir /etc/ssl/private
    chmod 700 /etc/ssl/private
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
    

    If you enable finite-field Diffie-Hellman (DHE) cipher suites, also generate your own DH group while you have OpenSSL at hand; 2048 bits is the minimum you should use:

    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

    This may take a few minutes. When it is done you have a DH group at /etc/ssl/certs/dhparam.pem that you reference from the NGINX configuration with the ssl_dhparam directive. Two caveats: this file only affects DHE suites under TLS 1.2 and earlier (TLS 1.3 negotiates its own standard groups and ignores it, and the ECDHE suites that clients normally pick do not use it either), and current NGINX releases simply do not offer DHE suites when ssl_dhparam is unset. Forward secrecy comes from using ephemeral key exchange (ECDHE or DHE), not from this file on its own.

  • Configure NGINX

The main configuration file (/etc/nginx/nginx.conf on RHEL-based systems) must be present with content similar to the following. It does not mention OKA at all: the OKA-specific proxy configuration lives in its own file under /etc/nginx/conf.d/, which the final include directive pulls in.

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections  1024;
}


http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}
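A complete HTTPS proxy configuration to drop into /etc/nginx/conf.d/, written as an added example for this page: it is not one of OKA’s shipped preset files, whose exact contents are not reproduced here. It assumes that OKA listens on 127.0.0.1:8080 and that the public hostname is oka.example.com; both are placeholders to replace with your own values, as are the certificate paths, which here match the self-signed files and DH group created above.

```nginx
# Added example, not one of OKA's preset proxy files.
# Save as /etc/nginx/conf.d/oka.conf (and remove the preset you copied, if any).
# Assumptions (replace with your values):
#   - OKA listens on 127.0.0.1:8080 (backend port is an assumption, not from the page)
#   - the public hostname is oka.example.com
#   - certificate, key and DH group are the files created above

# Plain HTTP: never serve OKA in clear text, only redirect to HTTPS.
server {
    listen 80;
    server_name oka.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name oka.example.com;

    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    # Only used for the DHE suites listed below under TLS 1.2; ignored by TLS 1.3.
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    # Modern protocols and forward-secret (ECDHE/DHE, AEAD) suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 1d;
    ssl_session_cache   shared:OKA_SSL:10m;
    ssl_session_tickets off;

    # Enable HSTS only once clients trust your certificate: with it set, browsers
    # refuse to click through certificate errors for this host.
    # add_header Strict-Transport-Security "max-age=15768000" always;
    add_header X-Content-Type-Options nosniff always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        # Pass the original host, client address and scheme so OKA can log the
        # real client and build https:// links if it honours X-Forwarded-Proto.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the configuration with nginx -t before reloading it with systemctl reload nginx. If the reload succeeds but requests fail with a 502 on RHEL, check the SELinux warning above first. Keep port 8080 reachable only from the proxy host (firewall or bind address), otherwise the TLS layer can be bypassed by talking to OKA directly.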