Configure nginx as HTTPS proxy with subdomains
Caution
The Domino server task communicates with the REST API through the KeepManagementURL
. It has a default value of http://localhost:8889
. You can overwrite this setting in the notes.ini
by editing, or creating if missing, the entry KeepManagementURL
(case sensitive). Having configured a TLS certificate, you need to make sure the entry starts with https://
and uses the host name your TLS certificate has been issued for. localhost
, 127.0.0.1
or ::1
won't work. Configuring TLS doesn't change the port. So when you host, your TLS certificate is issued for, is domino.demo.com
and your old entry was missing or is the default of http://localhost:8880
, then your new value needs to be: https://domino.demo.com:8889
. For more information, see Domino REST API task and ports.
About this task
The provided information guides you in configuring nginx as an HTTPS proxy with subdomains.
Tip
Know more about Domino REST API and Proxy.
Configuring nginx as an HTTPS proxy with subdomains
A typical deployment using a proxy looks like this:
Domino's own http runs on Port 81 and HTTPS is handled by the nginx proxy. The proxy also handles the assignment of subdomains to the correct ports. We will use three domains:
- keep.someserver.keep - access to the API
- domino.someserver.keep - access to Domino
- quatto.someserver.keep - access to an application
Alternatively, the proxy can be configured to use a single Domain and use location routing to achieve the same result.
We start with a Port 80 configuration and then let CertBot handle the SSL configuration thereafter.
This example is using Nginx and Let's Encrypt.
server {
server_name domino.projectkeep.rocks projectkeep.rocks;
root /usr/share/nginx/html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location / {
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass http://127.0.0.1:81;
}
listen [::]:80;
listen 80;
}
server {
server_name keep.projectkeep.rocks;
root /usr/share/nginx/html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location / {
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass http://127.0.0.1:8880;
}
listen [::]:80;
listen 80;
}
server {
server_name jmap.projectkeep.rocks;
root /usr/share/nginx/html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location / {
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass http://127.0.0.1:3001;
}
listen [::]:80;
listen 80;
}
server {
server_name ews.projectkeep.rocks mail.projectkeep.rocks autodiscover.projectkeep.rocks;
root /usr/share/nginx/html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
location / {
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_pass http://127.0.0.1:3000;
}
listen [::]:80;
listen 80;
}
Once deployed, use Certbot to activate SSL. Remember to adjust your host name.
Expected result
The resulting system layout looks as follows. Domino REST API can also be installed together with Domino directly on the server (or virtual machine), but the diagram is the same.
The flow is the same as single domain flow. The key is the nginx configuration.