Version: Axidian CertiFlow 7.2

NGINX

To run the Axidian CertiFlow server components on Linux, configure the nginx web server as a reverse proxy server.

  1. Install nginx.
  2. Install a TLS/SSL certificate.
  3. Configure the web server configuration file.

Follow the instructions for the operating system of the workstation where you plan to install nginx.

Install nginx

Before you install nginx, set up the nginx packages repository. If the repository has not been set up automatically, add it manually.

  1. Install the packages required to connect to the Yum repository:

    sudo yum install yum-utils
  2. To connect to the Yum repository, create a file named /etc/yum.repos.d/nginx.repo with the following content.

    [nginx-stable]
    name=nginx stable repo
    baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
    gpgcheck=1
    enabled=1
    gpgkey=https://nginx.org/keys/nginx_signing.key
    module_hotfixes=true

    [nginx-mainline]
    name=nginx mainline repo
    baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
    gpgcheck=1
    enabled=0
    gpgkey=https://nginx.org/keys/nginx_signing.key
    module_hotfixes=true
  3. To install nginx, execute the following command.

    sudo yum install nginx

If prompted to verify the GPG key, ensure its fingerprint matches 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62.

For more information about nginx installation, see the NGINX website.

Install a TLS/SSL certificate

How to issue a TLS/SSL certificate

Install a TLS/SSL certificate on the web server.

  1. Copy the certificate and private key files to the directories specified in the nginx configuration file.

    sudo cp ./SSL.crt /etc/ssl/certs/
    sudo cp ./SSL.key /etc/ssl/private/
  2. Add the root CA certificate to the trusted certificates store on the workstation running nginx.

    sudo cp ./ca.crt /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
  3. Make the certificate trusted across the domain. For example, distribute it through Group Policies.

  4. Grant the nginx system user read access to the certificate and private key files.

Edit the nginx configuration file

Configure nginx to accept web requests and proxy them to the Axidian CertiFlow services.

nginx and its modules operate according to the settings defined in the main configuration file, nginx.conf. Depending on your operating system, this file is located in the /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx directory.

Recommended directives

| Context  | Directive            | Default value | Recommended value                           | Comment |
|----------|----------------------|---------------|---------------------------------------------|---------|
| http     | proxy_buffer_size    | 4k or 8k      | 16k                                         | Increases the proxy buffer size so that the information required in HTTP requests fits. |
| http     | proxy_buffers        | 8 4k or 8 8k  | 4 16k                                       | Increases the proxy buffer size so that the information required in HTTP requests fits. |
| http     | types_hash_max_size  | 1024          | 4096                                        | Increases the hash table size because of the large number of proxied services. |
| http     | client_max_body_size | 1m            | 10m                                         | Increases the maximum allowed size of files uploaded to the system. |
| server   | listen               | 80            | 443 ssl                                     | Switches the listening port to HTTPS; nginx listens for HTTP by default. |
| server   | listen               |               | 3003 ssl                                    | Port 3003 is used by an additional server context when the Axidian CertiFlow agent is deployed. |
| server   | ssl_certificate      |               | /etc/ssl/private/SSL.crt                    | For HTTPS operation, the path to the certificate chain file (SSL certificate, intermediate and root CA certificates). |
| server   | ssl_certificate_key  |               | /etc/ssl/private/SSL.key                    | For HTTPS operation, the path to the SSL certificate's private key. |
| server   | ssl_verify_client    | off           | optional_no_ca                              | Added for certificate-based authentication (used by client agents). |
| location | proxy_pass           |               | one service address per location (see comment) | One location context directs requests to a single address, the Axidian CertiFlow service, so there must be as many location contexts as there are Axidian CertiFlow services. The proxy endpoint has the form http://localhost:PORT/certiflow/SERVICENAME or http://localhost:PORT/AGENTSERVICENAME, where PORT is the port on which the Axidian CertiFlow service runs and SERVICENAME or AGENTSERVICENAME is the name of the running service. |
| location | include              |               | /etc/nginx/conf.d/proxy.conf                | Several directives are repeated for every location. For a more compact configuration file, put the commonly used set of directives in a separate file and include it in each location instead of writing the whole set repeatedly. |
| location | proxy_http_version   | 1.0           | 1.1                                         | Version 1.1 is recommended for keepalive connections and NTLM authentication. |
| location | proxy_cache_bypass   |               | $http_upgrade                               | Defines the conditions under which a response is not taken from the cache. |
| location | proxy_set_header     |               | Upgrade $http_upgrade                       | Switches from HTTP/1.1 to WebSocket after the connection is established. |
| location | proxy_set_header     |               | Connection keep-alive                       | Enables keepalive connections. |
| location | proxy_set_header     |               | Host $host                                  | Preserves the nginx server name in the headers passed to the Axidian CertiFlow services. |
| location | proxy_set_header     |               | X-Real-IP $remote_addr                      | In reverse proxy mode the user's IP address is carried in a non-standard header, so this directive is required. |
| location | proxy_set_header     |               | X-Forwarded-For $proxy_add_x_forwarded_for  | Like X-Real-IP $remote_addr, builds a header required for correct proxying. If the original request had no X-Forwarded-For field, $proxy_add_x_forwarded_for equals $remote_addr. |
| location | proxy_set_header     |               | X-Forwarded-Proto $scheme                   | The web server accepts requests over HTTPS and proxies them to HTTP Axidian CertiFlow services; this header lets the services substitute the correct protocol. |
| location | fastcgi_buffers      | 8 4k or 8k    | 16 16k                                      | Defines the number and size of the buffers, per connection, for reading responses from a FastCGI server. |
| location | fastcgi_buffer_size  | 4k or 8k      | 32k                                         | Defines the buffer size for reading the first part of a response from a FastCGI server. |
| location | proxy_set_header     |               | x-ssl-client-cert $ssl_client_escaped_cert  | Passes the client certificate when proxying. Used by client agents for certificate-based authentication. |

Using multiple location blocks in the configuration leads to repeating the same set of directives. To simplify the configuration process, extract the common set of directives into a separate file. Then, use the include directive within each location context to reference that file.

  1. Create a file for the reusable directives. Place it, with the .conf extension, in the /etc/nginx/conf.d/ directory.

    Recommended proxy.conf file content for Axidian CertiFlow compatibility
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;
  2. Configure the main nginx configuration file. The location context names must match the path to the proxied service.

    nginx.conf example
    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log notice;
    events { worker_connections 1024; }

    http {
        proxy_buffer_size 64k;
        proxy_buffers 4 64k;
        types_hash_max_size 4096;
        add_header X-Frame-Options sameorigin always;
        add_header X-Content-Type-Options nosniff;

        log_format main '[$time_local] $remote_addr VIA $scheme --- $status --- $request \n $ssl_client_fingerprint';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        tcp_nopush on;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        server {
            listen 443 ssl;
            server_name $hostname;

            ssl_certificate "/etc/ssl/certs/SSL.crt";
            ssl_certificate_key "/etc/ssl/private/SSL.key";

            location /certiflow/mc          { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5001/certiflow/mc; }
            location /certiflow/ss          { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5002/certiflow/ss; }
            location /certiflow/rss         { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5003/certiflow/rss; }
            location /certiflow/api         { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5004/certiflow/api; }
            location /certiflow/credprovapi { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5005/certiflow/credprovapi; }
            location /certiflow/oidc        { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5008/certiflow/oidc; }
            location /certiflow/wizard      { proxy_pass http://localhost:5009; }
            #location /api                  { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5010/api; }
        }

        server {
            listen 3003 ssl;
            server_name $hostname;

            ssl_certificate "/etc/ssl/certs/SSL.crt";
            ssl_certificate_key "/etc/ssl/private/SSL.key";
            ssl_verify_client optional_no_ca;

            location /agentregistrationapi  { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5006/agentregistrationapi; }
            location /agentserviceapi       { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5007/agentserviceapi;
                                              proxy_set_header x-ssl-client-cert $ssl_client_escaped_cert; }
        }
    }
  3. To apply the changes in the configuration file, reload the configuration or restart nginx. To reload the configuration, execute the following command.

    sudo nginx -s reload
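As an added check before reloading (example code, not part of the Axidian documentation): a small parser for nginx configuration syntax plus a lint that applies the rules stated on this page, namely that each location path equals the URI in its proxy_pass, that the server on port 3003 sets ssl_verify_client optional_no_ca, and that the /agentserviceapi location forwards $ssl_client_escaped_cert. The embedded configuration is a constructed excerpt of the example above (server blocks without the http wrapper) with one deliberate mismatch.

```python
import re
# Constructed excerpt of this page's nginx.conf example, with one deliberate mismatch in /certiflow/ss.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    location /certiflow/ss { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5002/certiflow/sss; }
    location /certiflow/wizard { proxy_pass http://localhost:5009; }  # no URI part: request path is forwarded as-is
}
server {
    listen 3003 ssl;
    ssl_verify_client optional_no_ca;
    location /agentserviceapi { include /etc/nginx/conf.d/proxy.conf; proxy_pass http://localhost:5007/agentserviceapi;
                                proxy_set_header x-ssl-client-cert $ssl_client_escaped_cert; }
}
"""
def parse(text):
    """Parse nginx syntax into (name, args, children) triples; comments are dropped."""
    tokens = re.findall(r'[{};]|[^\s{};]+', re.sub(r'#[^\n]*', '', text))
    block, cur, stack = [], [], []
    for tok in tokens:
        if tok == ';':                       # simple directive: name args... ;
            block.append((cur[0], cur[1:], None)); cur = []
        elif tok == '{':                     # block directive: descend
            stack.append((block, cur)); block, cur = [], []
        elif tok == '}':                     # close block: attach it to the parent
            parent, head = stack.pop()
            parent.append((head[0], head[1:], block)); block = parent
        else:
            cur.append(tok)
    return block
def first(body, name):  # arguments of the first directive called `name`, or None
    return next((args for n, args, _ in body if n == name), None)

def check(conf):
    """Findings against the rules this page states for the reverse proxy."""
    findings = []
    for _, _, body in [d for d in conf if d[0] == 'server']:
        port = (first(body, 'listen') or ['?'])[0].split(':')[-1]
        if port == '3003' and first(body, 'ssl_verify_client') != ['optional_no_ca']:
            findings.append('port 3003: ssl_verify_client optional_no_ca is required')
        for _, a, loc in [d for d in body if d[0] == 'location']:
            path, target = a[-1], first(loc, 'proxy_pass')
            uri = re.sub(r'^\w+://[^/]*', '', target[0]) if target else ''
            if uri and uri != path:          # location name must match the proxied path
                findings.append(f'{path}: proxy_pass URI {uri} does not match location')
            hdr = [x for m, x, _ in loc if m == 'proxy_set_header' and x[0] == 'x-ssl-client-cert']
            if path == '/agentserviceapi' and hdr != [['x-ssl-client-cert', '$ssl_client_escaped_cert']]:
                findings.append(f'{path}: must set x-ssl-client-cert $ssl_client_escaped_cert')
    return findings
```

For the full nginx.conf above, pass the body of the http block: check(next(b for n, _, b in parse(text) if n == 'http')). Run it alongside nginx -t, not instead of it, since this parser handles the plain syntax shown here and does not validate directives.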