Web proxy configuration for the ITA web client or Tenant Portal

If you want to make the ITA web client or Tenant Portal available to your colleagues or customers directly from the Internet, ensure you have a proxy configuration in the DMZ.

However, here are some recommendations on what you should set up and how to do this.

This is not a complete newbie guide to setting up a proxy server. You should already have a working knowledge about scripting, web proxy and DMZ configuration, or find it easy to acquire this knowledge.

#!/bin/sh

##############################################################################
# This file provides an example of how to set up Nginx on a systemd based OS like CentOS.
##############################################################################

# The address ITA is already listening to.
export ITA_ADDRESS=192.168.56.200

# The address Ngnix should be set up to listen on. This should be a domain. www.example.com
export NGINX_ADDRESS=www.example.com

echo "The ITA server(s) is/are expected to listen on ITA_ADDRESS=$ITA_ADDRESS"
echo "The nginx server will be configured to listen on NGINX_ADDRESS=$NGINX_ADDRESS"

# Create self-signed cert (to demo https in Nginx)
export PATH_TO_PRIVATE_KEY_FILE="/etc/nginx/$NGINX_ADDRESS.key"
export PATH_TO_CERTIFICATE_FILE="/etc/nginx/$NGINX_ADDRESS.crt"
openssl req -x509 -nodes -sha256 -days 4383 -subj /CN=$NGINX_ADDRESS -newkey rsa:2048 -keyout $PATH_TO_PRIVATE_KEY_FILE -out $PATH_TO_CERTIFICATE_FILE

# For production the self-signed cert should be replaced by a signed certificate
chown nginx:nginx $PATH_TO_PRIVATE_KEY_FILE
chown nginx:nginx $PATH_TO_CERTIFICATE_FILE
echo "Created selfsigned private key ($PATH_TO_PRIVATE_KEY_FILE) and certificate ($PATH_TO_CERTIFICATE_FILE) and made nginx owner of these files"

# Replace main config file of nginx
cat > /etc/nginx/nginx.conf <<EOF
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
worker_connections 1024;
}

http {
log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

# Redirect browsers from http to https
server {

listen 80;
rewrite ^(.*) https://$host$1 permanent;

}

# Set up the proxy to ITA:
server {
listen 443 ssl;
server_name $NGINX_ADDRESS;
ssl_certificate $PATH_TO_CERTIFICATE_FILE;
ssl_certificate_key $PATH_TO_PRIVATE_KEY_FILE;

#First handle requests to the actual application path /web
location /web/ {
proxy_pass http://$ITA_ADDRESS;
}

#Handle root requests, and forward to /web (The order matters. The location /web needs to be specified before location /)
location / {
proxy_pass http://$ITA_ADDRESS/web/;
}
}
}
EOF
# Make the Nginx user own the config file (nginx user is specified in /etc/nginx/nginx.conf)
chown nginx:nginx /etc/nginx/nginx.conf
echo "Replaced nginx main config file /etc/nginx/nginx.conf and made nginx owner of the file"

# Make sure Nginx starts on boot.
# More info on systemd: https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and...
systemctl enable nginx
echo "nginx registered as service that starts on boot (not yet started in current session)"

# Start nginx in the current session ('systemctl enable nginx' above just makes sure nginx will be started on future boots).
systemctl start nginx
echo "Started nginx in the current session, note interesting paths:"
echo "- for errors see /var/log/nginx/error.log"
echo "- for config see /etc/nginx/nginx.conf"
echo ""
echo "Serving the Tenant Portal at: $NGINX_ADDRESS"

# Other notes:
# - keep an eye on security warnings and patch OS and Nginx as needed
# - proactively keep an eye on suspicious / unusual behavior
# - setup logging
# systemctl start|stop|restart|reload|reload-or-restart|status|is-active|is-enabled|is-failed nginx
#
# if service does not support reload (of config), then use reload-or-restart
#
# List current services:
# systemctl list-units
#
# Default global nginx config file at: /etc/nginx/nginx.conf
# Defines error log locations, e.g.:
# - /var/log/nginx/error.log
# - /var/log/nginx/access.log
#
# PID is written to: /var/run/nginx.pid
# List nginx processes: ps -ax | grep nginx