Enable HTTPS using Nginx
This guide will help you to configure Nginx to act as HTTP(S) proxy for Opencast.
Opencast Configuration
Make sure to use https
as protocol for org.opencastproject.server.url
in etc/custom.properties
.
org.opencastproject.server.url=https://example.opencast.org
No other configuration is required. Do not enable TLS in Opencast. Listen to local connections only. Both are the default settings.
Minimal Set-up
Note that this guide does not give any security advice but is meant to provide a minimal working example which works well with Opencast.
The following configuration is an example for /etc/nginx/nginx.conf
. Note that depending on your distributions
packaging, often conf.d
or sites-enabled
directories are used. But since this is an Opencast only set-up (we do not
use the web server for anything else), we are just using the main configuration file.
Explanations for the configuration directives are provided inline. Please make sure to replace example.opencast.org
with your node's domain name.
The main goals of this set-up are:
- Always redirect to HTTPS
- Proxy to Opencast and take care of TLS
- Avoid caching
# Check your distribution's default nginx.conf to make sure the first
# configuration keys (up until the http section) make sense within your
# distribution's set-up.
# Defines user and group credentials used by worker processes. If group is
# omitted, a group whose name equals that of user is used.
user nginx;
# Configures logging to `/var/log/…`. Log level `error` is used by default.
error_log /var/log/nginx/error.log;
# Defines a file that will store the process ID of the main process. This needs
# to match the Systemd unit file.
pid /run/nginx.pid;
events {
# Sets the maximum number of simultaneous connections that can be opened by
# a worker process.
worker_connections 1024;
}
###
# What follows is the specific http(s) set-up for Opencast.
##
http {
# HTTP set-up
server {
listen 80;
listen [::]:80;
server_name _;
# Enforce HTTPS by redirecting requests
location / {
return 301 https://example.opencast.org$request_uri;
}
}
# HTTPS set-up
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.opencast.org;
# Path to the TLS certificate and private key. In almost all cases, you
# need to provide intermediate certificates as well to ensure browsers
# get the whole certificate chain.
ssl_certificate_key /path/to/example.opencast.org.key;
ssl_certificate /path/to/example.opencast.org.crt;
# Accept large ingests. There should be no limit since Opencast may get
# really large ingests.
client_max_body_size 0;
# Proxy configuration for Opencast
location / {
# Make sure to pass the real addresses as well as the fact that
# outwards we are using HTTPS to Opencast.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Pass requests to this location. This expects Opencast to be
# running locally on port 8080 which should be the default set-up.
proxy_pass http://127.0.0.1:8080;
# Make sure to redirect location headers to HTTPS. This is just a
# precaution and shouldn't strictly be necessary but it did prevent
# some issues in the past and it does not cost much performance.
proxy_redirect http://$host https://$host;
# Make sure to serve cookies only via secure connections.
proxy_cookie_flags ~ secure httponly;
# When using Nginx <1.19.3 replace the above 'proxy_cookie_flags' line
# with the (uncommented) 'proxy_cookie_path' line below.
#proxy_cookie_path / "/; HTTPOnly; Secure";
# Depending on your integration, you may also want to allow cookies
# to be used on other sites. In that case, use this instead:
#proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
# Do not buffer responses
proxy_buffering off;
# Do not buffer requests
proxy_request_buffering off;
}
}
}