🌐 Use a reverse proxy

While it is possible to use the console directly by visiting its URL, it is advisable to run OpenUEM's console behind a reverse proxy. For now, this section provides working configuration files for two popular reverse proxies, Caddy and NGINX.

In the following examples the console will be accessible at https://console.openuem.eu, and the reverse proxy will forward traffic to the console server located at https://lothlorien.openuem.eu:1323 and to the auth server located at https://lothlorien.openuem.eu:1324.

The following certificates and private keys are also required:

  • The Certificate Authority certificate file ca.cer, so the reverse proxy can authenticate its connections to the console and auth servers.
  • The proxy.cer file, which contains a certificate issued by your OpenUEM CA that includes the DNS name used to access the console.
  • The proxy.key file, which contains the private key associated with the proxy.cer certificate.
warning

Nginx Proxy Manager can't be used with OpenUEM as it doesn't support mTLS for logging in with client certificates.

Caddy configuration

Here's a sample configuration for Caddy. You'll have to change the domain name for the console and the paths to your certificates and private keys.

The caddy user that runs the service must have permission to read the certificates and private keys used.

The following configuration assumes that you've set port 1340 as the reverse proxy auth port and that you have a console server named lothlorien.openuem.eu, as in this example.

# Console: terminate TLS with the proxy certificate and forward to the console server
console.openuem.eu {
    tls /path/to/proxy.cer /path/to/proxy.key
    reverse_proxy https://lothlorien.openuem.eu:1323 {
        header_up Host {upstream_hostport}
        transport http {
            tls
            # Verify the console server's certificate against the OpenUEM CA
            tls_trust_pool file {
                pem_file /path/to/ca.cer
            }
        }
    }
}

# Auth port: require a client certificate issued by the OpenUEM CA and pass it to the auth server
console.openuem.eu:1340 {
    tls /path/to/proxy.cer /path/to/proxy.key {
        client_auth {
            mode require_and_verify
            trust_pool file {
                pem_file /path/to/ca.cer
            }
        }
    }
    reverse_proxy https://lothlorien.openuem.eu:1324 {
        header_up Host {upstream_hostport}
        # Forward the verified client certificate as a base64 DER byte sequence
        header_up Client-Cert :{tls_client_certificate_der_base64}:
        transport http {
            tls
            tls_trust_pool file {
                pem_file /path/to/ca.cer
            }
        }
    }
}

NGINX configuration

Here's a sample configuration for NGINX (not NGINX Plus).

The following configuration assumes that you've set port 1340 as the reverse proxy auth port and that you have a console server named lothlorien.openuem.eu, as in this example.

worker_processes  1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Console: terminate TLS with the proxy certificate and forward to the console server
    server {
        listen 443 ssl;
        server_name console.openuem.eu;

        ssl_certificate proxy.cer;
        ssl_certificate_key proxy.key;

        location / {
            proxy_pass https://lothlorien.openuem.eu:1323;
            # Verify the console server's certificate against the OpenUEM CA (this is what ca.cer is for)
            proxy_ssl_trusted_certificate ca.cer;
            proxy_ssl_verify on;
        }
    }

    # Auth port: require a client certificate issued by the OpenUEM CA and pass it to the auth server
    server {
        listen 1340 ssl;
        server_name console.openuem.eu;

        ssl_certificate proxy.cer;
        ssl_certificate_key proxy.key;
        ssl_client_certificate ca.cer;
        ssl_verify_client on;

        location / {
            proxy_pass https://lothlorien.openuem.eu:1324;
            proxy_ssl_trusted_certificate ca.cer;
            proxy_ssl_verify on;
            # Forward the verified client certificate (PEM, as $ssl_client_cert yields it)
            proxy_set_header Client-Cert :$ssl_client_cert:;
        }
    }
}
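Both configurations above forward the verified client certificate in a Client-Cert header, but in different encodings: Caddy sends the DER certificate as a base64 byte sequence (the RFC 9440 `:...:` form), while NGINX's `$ssl_client_cert` yields PEM with tab-prefixed continuation lines. The following example is added here for illustration and is not OpenUEM's own code (the page does not describe how the auth server parses the header); it builds both header values from a constructed stand-in for a DER certificate and normalises either one back to DER.

```python
import base64
import re

# Constructed stand-in for a DER-encoded client certificate (NOT a real
# certificate; these bytes only exercise the two header encodings).
SAMPLE_DER = bytes(range(0, 96))

# Note for the auth server side: this header must only be trusted when it
# comes from the reverse proxy. Both configs overwrite it on every request
# (header_up / proxy_set_header), so a client-supplied value never passes.

def caddy_client_cert_value(der: bytes) -> str:
    """Mimic Caddy's ':{tls_client_certificate_der_base64}:' value."""
    return ":" + base64.b64encode(der).decode() + ":"

def nginx_client_cert_value(der: bytes) -> str:
    """Mimic NGINX's ':$ssl_client_cert:' value: PEM in which every line
    after the first is prefixed with a tab (obsolete header folding)."""
    b64 = base64.b64encode(der).decode()
    lines = ["-----BEGIN CERTIFICATE-----"]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("-----END CERTIFICATE-----")
    return ":" + "\n\t".join(lines) + ":"

def client_cert_header_to_der(value: str) -> bytes:
    """Normalise either proxy's Client-Cert value to DER; raise on malformed input."""
    v = value.strip()
    if len(v) < 3 or not (v.startswith(":") and v.endswith(":")):
        raise ValueError("Client-Cert is not a ':'-delimited byte sequence")
    body = v[1:-1]
    if "-----BEGIN CERTIFICATE-----" in body:
        # NGINX form: strip the PEM armour and the tab/newline folding.
        body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", body)
        body = re.sub(r"\s", "", body)
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("Client-Cert body is not base64")
    return base64.b64decode(body, validate=True)

if __name__ == "__main__":
    for name, value in (("caddy", caddy_client_cert_value(SAMPLE_DER)),
                        ("nginx", nginx_client_cert_value(SAMPLE_DER))):
        assert client_cert_header_to_der(value) == SAMPLE_DER
        print(f"{name}: {len(value)} header chars -> {len(SAMPLE_DER)} DER bytes")
```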