File: reverse-proxy.md

Package: belenios 3.0+dfsg-2 (Debian; area: main; suites: forky, sid, trixie)
# Setting up a secure reverse-proxy for Belenios

We give here instructions for setting up a secure reverse-proxy with
nginx and Let's Encrypt on a Debian 12 system. We assume the public
address will be https://vote.example.org; please adapt as needed.

## Basic setup of nginx + Let's Encrypt

As root:
```
apt install nginx-light nginx libnginx-mod-http-headers-more-filter certbot python3-certbot-nginx
cat > /etc/nginx/sites-available/vote.example.org <<EOF
server {
    server_name vote.example.org;
    root /var/www/html;
    listen 80;
    listen [::]:80;
}
EOF
cd /etc/nginx/sites-enabled
ln -s ../sites-available/vote.example.org .
systemctl restart nginx.service
certbot --nginx
```

## Configuring the reverse-proxy for Belenios

Add the following `location` block (adapting the port if needed) to the
`server` block that certbot configured for HTTPS (the one containing
`listen 443 ssl`) in `/etc/nginx/sites-available/vote.example.org`:
```
    location / {
        proxy_pass http://127.0.0.1:8001;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
```

Run `systemctl restart nginx.service` (as root).

## Configuring Belenios for being behind a reverse-proxy

We suppose Belenios has been compiled and deployed using instructions
[here](../contrib/nspawn/README.md). The following are hints to be
applied to the `ocsigenserver.conf.in` file.

Make sure Belenios listens on `127.0.0.1` only, so that it cannot be
reached directly from the network, bypassing TLS and the headers set by
the proxy:
```
    <port>127.0.0.1:8001</port>
```

Make Belenios aware of its public address:
```
    <host charset="utf-8" hostfilter="*" defaulthostname="vote.example.org">
      ...
      <eliom name="belenios">
        <public-url prefix="https://vote.example.org"/>
        ...
      </eliom>
    </host>
```

Make sure you restart Belenios after applying your changes:
```
systemctl restart belenios-container@main.service
```

## Hardening the reverse-proxy

Add the following lines to the HTTPS `server` block of
`/etc/nginx/sites-available/vote.example.org` (the `more_clear_headers`
directive needs the headers-more module installed above). Note that nginx
only applies the `add_header` directives of the innermost level that
declares any: if you later put an `add_header` inside a `location` block,
repeat the whole set there, otherwise the server-level headers silently
disappear for that location:
```
    more_clear_headers Server;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; img-src 'self' data:;" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    proxy_cookie_flags ~ secure httponly samesite=strict;
```

Note that `samesite=strict` is incompatible with external voter
authentication: when the identity provider redirects the voter back to
vote.example.org, the browser treats that navigation as cross-site and
does not send strictly-scoped cookies, so the login cannot complete. If
you intend to authenticate voters with CAS or OpenID Connect, you may use
`samesite=none` instead; it is only valid together with the `secure` flag,
which the directive above already sets.

Run `nginx -t` to check the configuration, then `systemctl restart
nginx.service` (both as root).

## Checking that everything works

Go to https://vote.example.org and perform any tests you wish. In
particular, check that the URLs in e-mails sent by the system use the
public address (https://vote.example.org) rather than the internal
listening address, and that port 8001 is not reachable from other hosts.
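
As an added example (not part of the Belenios documentation), the following
POSIX shell script checks captured response headers against the hardening
section above. It assumes the public name vote.example.org, the header set
given on this page and the file name `check-headers.sh`; the two sample
responses it contains are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not part of the Belenios documentation): check the headers a
# hardened reverse-proxy returns against the hardening section above.
# Assumed: the public name vote.example.org and the header set on this page.

# need_header NAME PATTERN: record a problem unless a header NAME whose value
# matches the basic regex PATTERN is present in $hdrs.
need_header() {
    if printf '%s\n' "$hdrs" | grep -iq "^$1: *.*$2"; then
        return 0
    fi
    echo "missing or unexpected: $1 (expected a value matching '$2')"
    problems=$((problems + 1))
}

# check_headers [FILE]: read raw HTTP response headers from FILE (default:
# stdin), print one line per problem found and return 0 only if there is none.
check_headers() {
    hdrs=$(cat "${1:--}" | tr -d '\r')   # accept CRLF as sent on the wire
    problems=0

    need_header 'Strict-Transport-Security' 'max-age=[0-9]'
    need_header 'Content-Security-Policy' "default-src 'self'"
    need_header 'X-Frame-Options' 'DENY'
    need_header 'X-Content-Type-Options' 'nosniff'
    need_header 'Referrer-Policy' 'no-referrer'

    # "more_clear_headers Server;" must leave no Server header at all.
    srv=$(printf '%s\n' "$hdrs" | grep -i '^Server:' || true)
    if [ -n "$srv" ]; then
        echo "Server header leaked: $srv"
        problems=$((problems + 1))
    fi

    # "proxy_cookie_flags ~ secure httponly samesite=...;" must flag every
    # cookie, so count the Set-Cookie lines that lack each attribute.
    for attr in 'Secure' 'HttpOnly' 'SameSite='; do
        n=$(printf '%s\n' "$hdrs" | grep -i '^Set-Cookie:' | grep -ivc "; *$attr" || true)
        if [ "$n" -gt 0 ]; then
            echo "$n Set-Cookie header(s) without $attr"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}

# Constructed sample responses for a dry run (not captured from a real server).
SAMPLE_GOOD="HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; img-src 'self' data:;
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: no-referrer
set-cookie: belenios=abc; Path=/; Secure; HttpOnly; SameSite=Strict"

SAMPLE_BAD="HTTP/1.1 200 OK
Server: nginx/1.22.1
Content-Type: text/html; charset=utf-8
Set-Cookie: belenios=abc; Path=/
Set-Cookie: other=def; Path=/; Secure"

if [ "$#" -gt 0 ]; then
    # Live check of a deployment, e.g.:
    #   curl -sS -D - -o /dev/null https://vote.example.org/ | sh check-headers.sh -
    check_headers "$1"
else
    # Dry run on the constructed samples.
    printf 'good sample: '
    if printf '%s\n' "$SAMPLE_GOOD" | check_headers; then echo PASS; else echo FAIL; fi
    echo 'bad sample:'
    if printf '%s\n' "$SAMPLE_BAD" | check_headers; then echo PASS; else echo FAIL; fi
fi
```

Run it without arguments for the dry run, or pipe real headers in with
`curl -sS -D - -o /dev/null https://vote.example.org/ | sh check-headers.sh -`.
A GET is used rather than `curl -I` (HEAD) so that the headers and cookies
of a normal page load are the ones inspected; repeat the check on a page
that actually sets a cookie, such as the login page.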