Skip to content

Configure nginx as HTTPS proxy - single domain

Caution

The KeepManagementURL setting in your notes.ini is the URL needed for the Domino REST API Domino task to talk to the Java side of Domino REST API. By default, this is set to http. If you have updated your security to https, you must update this URL. For more information, see Domino REST API task.

About this task

The information in this section guides you in configuring nginx as an HTTPS proxy - single domain.

Tip

Know more about Domino REST API and Proxy.

Configuring nginx as an HTTPS proxy - single domain

When the installation requires limiting to a single Domain, routing needs to be configured on a path basis. Again, Domino would run on port 81, but this version uses path settings instead of subdomains. When you prefer to use subdomains, check these instructions instead.

The path assignment looks like this:

  • /api: KEEP on port 8880
  • /admin: KEEP admin UI on port 8880
  • /keep: KEEP Homepage on port 8880
  • /openapi: OpenAPI spec files and UI on port 8880
  • /EWS: custom app on port 3000
  • /autodiscover: custom app on port 3000
  • /oab: custom app on port 3000
  • /.wellknown/jmap: custom app on port 3001
  • /jmap custom app on port 3001
  • /jmapupload custom app on port 3001
  • /jmapdownload custom app on port 3001
  • All the rest: Domino on port 81

This example is using Nginx and Let's Encrypt. We start with a Port 80 configuration and then let CertBot handle the SSL configuration thereafter.

Initial configuration

Depending on your platform, the following keep.conf in nginx's configuration directory, typical conf.d or sites-enabled:

server {
    server_name domino.projectkeep.rocks;

    listen [::]:80;
    listen 80;

    root /usr/share/nginx/html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

     proxy_cache_bypass $http_upgrade;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection "upgrade";
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $host;
     proxy_set_header X-Forwarded-Port $server_port;

    # /api: KEEP on port 8880
    location /api {
        proxy_pass http://127.0.0.1:8880/api;
    }

    # /admin: KEEP admin UI on port 8880
    location /admin {
        proxy_pass http://127.0.0.1:8880/admin;
    }

    # /keep: KEEP Homepage on port 8880
    location /keep {
        proxy_pass http://127.0.0.1:8880/keep;
    }

    # /openapi: OpenAPI spec files and UI on port 8880
    location /openapi {
        proxy_pass http://127.0.0.1:8880/openapi;
    }

    # /EWS: ews app on port 3000
    location /EWS {
        proxy_pass http://127.0.0.1:3000/EWS;
    }

    # /autodiscover: ews app on port 3000
    location /autodiscover {
        proxy_pass http://127.0.0.1:3000/autodiscover;
    }

    # /oab: ews app on port 3000
    location /oab {
        proxy_pass http://127.0.0.1:3000/oab;
    }

    # /.wellknown/jmap: jmap app on port 3001
    location /.wellknown/jmap {
        proxy_pass http://127.0.0.1:3001/.wellknown/jmap;
    }

    # /jmap custom app on port 3001
    location /jmap {
        proxy_pass http://127.0.0.1:3001/jmap;
    }

    # /jmapupload jmap app on port 3001
    location /jmapupload {
        proxy_pass http://127.0.0.1:3001/jmapupload;
    }

    # /jmapdownload jmap app on port 3001
    location /jmapdownload {
        proxy_pass http://127.0.0.1:3001/jmapdownload;
    }

    # All the rest is Domino Port 81
    # Remember: index.html still gets served by nginx
    location / {
        proxy_pass http://127.0.0.1:81/;
    }

    location /metrics {
        auth_basic "You shall not pass to metrics";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:8890/metrics;
    }

}

Once deployed, use Certbot to activate SSL. Remember to adjust your host name.

Expected result

The resulting system layout looks as follows. Domino REST API can also be installed together with Domino directly on the server (or virtual machine), but the diagram still applies.

Proxy system diagram

As you can see, the flow is the same as multi-subdomain flow. The key is the nginx configuration.