Nginx Configuration

Setting up Nginx as a reverse proxy for HPC Dashboard with Let's Encrypt

Under Development:

This section is currently being developed and may be expanded in future updates.

Overview

This guide will walk you through setting up Nginx as a reverse proxy for your HPC Dashboard, enabling HTTPS with Let's Encrypt, and optimizing performance.

Installing Nginx

For Debian/Ubuntu:

sudo apt update
sudo apt install nginx

For CentOS/RHEL:

sudo dnf install nginx

Basic Nginx Configuration

Here's a basic Nginx configuration to serve as a reverse proxy for your Node.js-based HPC Dashboard:

server {
    listen 80;
    server_name servername.com;
    return 301 https://servername.com$request_uri;
}

server {
    listen 443 ssl http2;
    index index.php index.html;
    server_name servername.com;
    client_max_body_size 64M;

    # SSL parameters
    ssl_certificate /etc/letsencrypt/live/servername.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/servername.com/privkey.pem;

    # Recommended SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS (optional but recommended)
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header    Host $host;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection "upgrade";
    }
}

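Save this configuration to /etc/nginx/sites-available/hpc-dashboard.conf, create a symbolic link to it in sites-enabled, then test the configuration and reload Nginx. The certificate files named in ssl_certificate and ssl_certificate_key must already exist or nginx -t will fail, so obtain them first (see Setting Up Let's Encrypt with Certbot for Nginx below). The sites-available/sites-enabled layout is the Debian/Ubuntu convention; on CentOS/RHEL, place the file in /etc/nginx/conf.d/ instead and skip the symbolic link.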

sudo ln -s /etc/nginx/sites-available/hpc-dashboard.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

Performance Optimization

Enable Gzip Compression

Add the following to your server block or in the http block of your Nginx configuration:

gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types
  application/javascript
  application/json
  application/x-javascript
  text/css
  text/javascript
  text/plain
  text/xml;

Configure Caching

For static content, add caching headers:

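location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    # Regex locations override "location /": proxy here too (assumes the app serves these files)
    proxy_pass http://localhost:3000;
    expires 30d;
    add_header Cache-Control "public, no-transform";
    # add_header in this block replaces the server-level headers, so repeat HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
}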
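
In Nginx, add_header directives are inherited from the enclosing level only when the current level defines none of its own, so a location that sets Cache-Control stops sending a server-level Strict-Transport-Security header unless it repeats it. The check below is an added example, not part of the original guide: it uses a simplified tokenizer (no include handling, an assumption) to report which headers each block drops; parse, dropped_headers and the sample configurations are names and data made up for illustration.

```python
import re

# A comment, a quoted string, one structural character, or a bare word.
TOKEN = re.compile(r'''#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};"']+''')

def parse(conf):
    """Build a tree of config levels, recording add_header names per level."""
    root = {"label": "main", "headers": [], "children": []}
    stack, words = [root], []
    for tok in (t for t in TOKEN.findall(conf) if not t.startswith("#")):
        if tok not in ("{", "}", ";"):
            words.append(tok)
            continue
        if tok == "{":
            node = {"label": " ".join(words), "headers": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif words[:1] == ["add_header"] and len(words) >= 3:
            stack[-1]["headers"].append(words[1].strip("\"'"))
        words = []
    return root

def dropped_headers(node, inherited=()):
    """Return (block, lost names): a level with any add_header inherits none."""
    own = {h.lower() for h in node["headers"]}
    lost = [h for h in inherited if own and h.lower() not in own]
    findings = [(node["label"], lost)] if lost else []
    for child in node["children"]:
        findings += dropped_headers(child, node["headers"] or inherited)
    return findings

# Constructed samples: a caching location without, then with, HSTS repeated.
SAMPLE = r'''
server {
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / { proxy_pass http://localhost:3000; }
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }
}
'''
FIXED = SAMPLE.replace("expires 30d;", 'expires 30d;\n        add_header '
                       'Strict-Transport-Security "max-age=63072000" always;')

if __name__ == "__main__":
    print(dropped_headers(parse(SAMPLE)), dropped_headers(parse(FIXED)))
```

To check a real deployment, pass the text of your own configuration file to parse in place of SAMPLE.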

Worker Processes and Connections

Edit /etc/nginx/nginx.conf:

worker_processes auto;
worker_rlimit_nofile 65535;

events {
    worker_connections 1024;
    multi_accept on;
    use epoll;
}

Setting Up Let's Encrypt with Certbot for Nginx

Let's Encrypt provides free, automated SSL/TLS certificates for your web server.

Installation

For Debian/Ubuntu:

sudo apt update
sudo apt install certbot python3-certbot-nginx

For CentOS/RHEL:

sudo dnf install epel-release
sudo dnf install certbot python3-certbot-nginx

Obtaining Certificates

The easiest way is to let Certbot automatically configure Nginx:

sudo certbot --nginx -d servername.com -d www.servername.com

This command will:

  1. Obtain certificates for the specified domains
  2. Automatically update your Nginx configuration
  3. Set up auto-renewal

Manual Certificate Issuance

If you prefer to manually configure Nginx:

sudo certbot certonly --webroot -w /var/www/html -d servername.com -d www.servername.com

Or use standalone mode, in which Certbot runs its own temporary web server on port 80, so your web server must be stopped while it runs:

sudo certbot certonly --standalone -d servername.com -d www.servername.com

Certificate Renewal

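Let's Encrypt certificates are valid for 90 days. Certbot installs a systemd timer or cron job that automatically renews certificates before they expire. Nginx reads certificate files only when it starts or reloads, so if you issued the certificate with certonly, make sure Nginx is reloaded after each renewal (for example from a Certbot deploy hook).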

To manually test the renewal process:

sudo certbot renew --dry-run

Certificate Locations

Certificates are stored in:

  • /etc/letsencrypt/live/servername.com/fullchain.pem (certificate + chain)
  • /etc/letsencrypt/live/servername.com/privkey.pem (private key)
  • /etc/letsencrypt/live/servername.com/cert.pem (certificate only)
  • /etc/letsencrypt/live/servername.com/chain.pem (chain only)

Troubleshooting

Common Issues:

  1. 502 Bad Gateway: Check if your Node.js application is running

    curl -v http://localhost:3000
    
  2. 403 Forbidden: Check Nginx permissions

    sudo chmod 755 /var/www/html
    
  3. SSL Certificate not working: Verify certificate paths

    sudo ls -la /etc/letsencrypt/live/servername.com/
    
  4. WebSocket connection failing: Ensure the Upgrade and Connection headers are set with proxy_set_header, as in the location / block of the basic configuration

Nginx Logs

Check logs for detailed error information:

sudo tail -f /var/log/nginx/error.log
sudo tail -f /var/log/nginx/access.log

Production Readiness:

Before deploying to production, test your TLS/SSL configuration with a tool like SSL Labs: https://www.ssllabs.com/ssltest/

Firewall Configuration

Make sure ports 80 and 443 are open:

# For UFW (Ubuntu)
sudo ufw allow 'Nginx Full'

# For firewalld (CentOS/RHEL)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload