Nginx is a high performance load balancer, web server and reverse proxy. You can configure Nginx to accept and reverse proxy requests to FireDaemon Fusion. nginx can also be run directly under FireDaemon Pro.


Why would you want to do this? FireDaemon Fusion is an application server built using Pion and Boost. In order to secure web and application servers it's considered best practice to place an upstream reverse proxy between the client and the application server. This provides a level of abstraction and control over traffic entering your network before hitting your backend servers. Further, it allows you to access multiple servers via a single URL.


In the configuration example below, a single nginx server has been deployed behind the firewall to forward requests to a FireDaemon Fusion "master node". The master node facilitates centralised management of other servers running FireDaemon Fusion. Additionally, the Nginx Reverse Proxy might encrypt traffic to/from the client using a publicly signed TLS certificate. The Fusion Master and Slaves nodes might be configured to use an internal CA or self-signed TLS certificates.

The Nginx configuration is quite straight forward. In a virtual server setup the following configuration. This configuration below is specific to FireDaemon Pro 4 and FireDaemon Fusion 6. If you are looking for more guidance on configuring Nginx TLS please check out Mozilla's Server Side TLS Configurator, Scott Helme's TLS Cheat Sheet and Michael Lustfield's guide.


FireDaemon Fusion 6 nginx TLS and Proxy Pass Configuration

# nginx reverse proxy virtual server setup for FireDaemon Fusion 6.5.25 or later
# Adjust hostnames, ports, paths and other configuration parameters as you see fit
#
# You would access Fusion via reverse proxy by pointing your browser at
# https://firedaemon.com/fusion

server {
    server_name firedaemon.com;

    # This SSL config should give you an A or A+ on Qualys SSL Server Test
    # https://www.ssllabs.com/ssltest/
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 ipv6only=on;

    charset utf-8;

    # Mitigate a bug in Nginx where it doesn't adhere to RFC7230
    # https://trac.nginx.org/nginx/ticket/2184
    ignore_invalid_headers off;  

    # Mitigate BREACH vulnerability and CRIME attack
    gzip off;

    # Cert generated via https://www.sslforfree.com
    # Remember chained key is server key followed by intermediate and root
    ssl_certificate                 /etc/nginx/ssl/firedaemon_com_chained.crt;
    ssl_certificate_key             /etc/nginx/ssl/firedaemon_com.key;
    ssl_protocols                   TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers       on;
    ssl_session_cache               shared:SSL:10m;
    ssl_session_timeout             10m;
    ssl_session_tickets             off;
    # nginx will use the default DHE parameters provided by OpenSSL
    # This forces nginx to use a 4096-bit key
    # Generated with openssl dhparam -out dhparam.pem 4096
    # Generates a safe probable prime that passes the Muller-Rabin test
    # Assists in mitigating Logjam. Not relevant if ECDH ciphers are used exclusively
    ssl_dhparam                     /etc/nginx/ssl/dhparam.pem;
    # Cipher suite is subject to change and will end up being
    # a tradeoff between security and compatibility.
    ssl_ciphers                     "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    # Specify the curve to use in ECDH key exchange to NIST P-521
    ssl_ecdh_curve                  secp384r1;

    # Enable OSCP Stapling
    ssl_stapling                    on;
    ssl_stapling_verify             on;
    ssl_trusted_certificate         /etc/nginx/ssl/firedaemon_com_chained.crt;
    resolver                        8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout                10s;

    # Enable Strict Transport Security to avoid protocol downgrade attacks and cookie hijacking
    add_header                      Strict-Transport-Security "max-age=15552000; includeSubdomains";
    # Avoid clickjacking
    add_header                      X-Frame-Options DENY;
    # Stop MIME content sniffing
    add_header                      X-Content-Type-Options nosniff;

    # Configuration locations below are FireDaemon Fusion specific
    location /fusion/504.html {
        internal;
        alias                      html/50x.html;
        add_header                 Cache-Control no-cache always;
    }

    location /fusion/ {
        proxy_pass                 https://fusion.firedaemon.dmz:20604/;
        error_page                 504 /fusion/504.html;

        # proxy_buffering             on;
        # proxy_buffer_size           1k;
        # proxy_buffers               24 4k;
        # proxy_busy_buffers_size     8k;
        # proxy_temp_file_write_size  32k;

        proxy_connect_timeout       7s;
        proxy_http_version          1.1;
        proxy_set_header            Connection        "";
        proxy_set_header            X-Forwarded-Proto $scheme;
        proxy_set_header            X-Real-IP         $remote_addr;
        proxy_set_header            X-Forwarded-Host  $host:$server_port;
        proxy_set_header            X-Forwarded-For   $proxy_add_x_forwarded_for;

        proxy_set_header           com.firedaemon.fusion-vstem /fusion;
    }

    # Uncomment these lines if you want to serve the default nginx landing page
    # location / {
    #        root   html;
    #        index  index.html index.htm;
    #}
}

# Redirect to HTTPS
server {
        server_name     firedaemon.com;

        listen          80 default_server;
        listen          [::]:80;
        access_log      off;
        error_log       off;

        return          301 https://$server_name$request_uri;
}
Generic

Below is a simple Caddy configuration that achieves the same goal.

https://localhost:8088 {
    tls self_signed

    # tls {
    # alpn http/1.1
    # }

    log access.log
    proxy /fusion/ https://localhost:20600/ {
        without /fusion
        header_upstream Connection ""
        transparent
        header_upstream com.firedaemon.fusion-vstem /fusion
        insecure_skip_verify
    }
}
Generic