Running TORO Integrate with NGINX and TLS

TORO Integrate can be configured to serve connections over HTTPS with little effort. Alternatively, you can secure your instance by placing NGINX in front of it.

This guide will help you set up TORO Integrate behind a proxy server. NGINX in this setup will act as a reverse proxy for TORO Integrate. The topology below summarizes the set-up of the servers:

[Figure: TORO Integrate deployed over NGINX topology]

In this arrangement, the NGINX server handles all SSL connections from the users. It decrypts the requests so that it can pass them to the TORO Integrate server. Integrate's responses are then sent back to the NGINX server for encryption. The NGINX server then returns the encrypted responses to the client's browser. As you may notice, in a setup such as this, TORO Integrate does not participate in the encryption or decryption process: traffic between NGINX and TORO Integrate is plain HTTP.

The Procedures section walks through the steps needed to run TORO Integrate behind NGINX. The process is shown with a concrete example, so depending on the variables in your own setup, you may have to substitute certain values.

This guide assumes that you are familiar with configuring NGINX

To learn more about NGINX, please visit their guide here.

Assumptions

  • The NGINX server is running at IP Address 10.0.0.2
  • The TORO Integrate instance is running at IP Address 10.0.0.3:8080
  • The domain assigned to the instance will be integrate.example.com

Procedures

  1. On your NGINX server, go to the /etc/nginx/conf.d/certs/ directory and create two folders called ssl_crt and ssl_key. Copy your SSL certificate and key into these folders respectively.

    /etc/nginx/conf.d/certs/
    ├── ssl_crt
    │   └── <your-ssl-certificate-here>
    ├── ssl_key
    │   └── <your-ssl-key-here>
    
  2. Create the sites-available and sites-enabled folders inside the /etc/nginx/conf.d directory. We're going to store the NGINX configuration inside the sites-available folder. Later, we're going to create a symbolic link in the sites-enabled directory so that NGINX loads our configuration.

    /etc/nginx/conf.d
    ├── sites-available
    ├── sites-enabled
    
  3. Edit the file named /etc/nginx/nginx.conf and include all .conf files in the /etc/nginx/conf.d/sites-enabled directory. With this in place, NGINX loads all *.conf files inside the sites-enabled folder whenever its process starts or restarts.

    Your nginx.conf should look roughly like this (see line 20, the include for the sites-enabled folder):

    user              nginx;
    worker_processes  auto;
    error_log         /var/log/nginx/error.log error;
    pid               /var/run/nginx.pid;
    events {
        worker_connections  1024;
    }
    http {
        include                 /etc/nginx/mime.types;
        default_type            application/octet-stream;
        server_tokens           off;
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
        access_log              /var/log/nginx/access.log  main;
        sendfile                on;
        tcp_nopush              on;
    
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/conf.d/sites-enabled/*.conf;
    }
    
  4. Create the configuration file for integrate.example.com. In our case, we named the configuration file integrate.example.com.conf. It should reside in the folder /etc/nginx/conf.d/sites-available. Below is its content:

    upstream integrate {
        server 10.0.0.3:8080 fail_timeout=0;
    }
    
    server {
        listen 80;
        server_name integrate.example.com;
        access_log /var/log/nginx/integrate.example.com_access.log;
        error_log /var/log/nginx/integrate.example.com_error.log;
    
        location / {
            # return ends processing with the redirect, so the proxy_* directives
            # below take effect only if this line is removed.
            return 301 https://$server_name$request_uri;
    
            proxy_pass http://integrate;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Port 80;
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_connect_timeout 240;
            proxy_send_timeout 240;
            proxy_read_timeout 240;
        }
    
    }
    server {
        # TLS is enabled on the listen directive; the separate "ssl on;" directive
        # is obsolete since NGINX 1.15.0 and was removed in 1.25.1.
        listen 443 ssl;
        server_name integrate.example.com;
        access_log /var/log/nginx/integrate.example.com_ssl_access.log;
        error_log /var/log/nginx/integrate.example.com_ssl_error.log;
        # Files copied in step 1; substitute your own file names.
        ssl_certificate /etc/nginx/conf.d/certs/ssl_crt/<your-ssl-certificate-here>;
        ssl_certificate_key /etc/nginx/conf.d/certs/ssl_key/<your-ssl-key-here>;
        location / {
            # The hop to the upstream is plain HTTP; the X-Forwarded-* headers tell
            # TORO Integrate how the client originally connected.
            proxy_pass http://integrate;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Port 443;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
            proxy_connect_timeout 240;
            proxy_send_timeout 240;
            proxy_read_timeout 240;
        }
    }
    

    HTTP server block configuration is optional

    The HTTP (port 80) server block in the NGINX configuration is not necessary, but it is provided as a guide in case you need to access the HTTP endpoint proxied by NGINX.

  5. Create a symbolic link in the sites-enabled folder that points to the configuration file in the sites-available folder.

    ln -s /etc/nginx/conf.d/sites-available/integrate.example.com.conf /etc/nginx/conf.d/sites-enabled/integrate.example.com.conf
    

    Test the NGINX configuration.

    nginx -t
    

    If NGINX has confirmed that all configurations are okay, you can now reload NGINX.

    nginx -s reload
    
  6. Configure your DNS. Ensure that your DNS entry points to the IP address of your NGINX instance and not TORO Integrate's IP address.

Voilà! TORO Integrate requests will now pass through the proxy server and will be served using secure connections.
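A hardened variant of the step 4 site file, given here as an added example and not TORO's own configuration: port 80 only redirects, TLS is enabled on the `listen` directive, and the protocol versions and HSTS are set explicitly. The certificate and key file names remain placeholders; the protocol list, session settings, HSTS max-age and the use of `$scheme` are assumptions to adjust for your clients.

```nginx
# Added example, not TORO's own configuration; built from the values used in this guide.
upstream integrate {
    # Plain-HTTP hop. Assumption: port 8080 is reachable only from the NGINX host.
    server 10.0.0.3:8080 fail_timeout=0;
}

server {
    listen 80;
    server_name integrate.example.com;
    # Redirect only: nothing is proxied for clients that connect over cleartext HTTP.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name integrate.example.com;
    access_log /var/log/nginx/integrate.example.com_ssl_access.log;
    error_log  /var/log/nginx/integrate.example.com_ssl_error.log;

    ssl_certificate     /etc/nginx/conf.d/certs/ssl_crt/<your-ssl-certificate-here>;
    ssl_certificate_key /etc/nginx/conf.d/certs/ssl_key/<your-ssl-key-here>;

    # Assumption: every client supports TLS 1.2 or newer.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Assumption: this host is served over HTTPS only, so browsers may remember that for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://integrate;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the connecting address to any client-sent X-Forwarded-For value;
        # only the last entry (equal to X-Real-IP) was observed by NGINX itself.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
    }
}
```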

Testing

To test, try accessing your TORO Integrate instance via the domain you assigned to it. In our case, that's https://integrate.example.com.