Configure the Muse® Proxy Service with NGINX Front-end

NGINX is an HTTP and reverse proxy server that can be placed in front of web applications to achieve custom workflows and provide solutions where multiple web applications cannot co-exist with similar specifications.

Specifically, the NGINX server can be configured as a front-end for Muse Proxy when Muse Proxy cannot be configured to use the standard ports (80 for HTTP and 443 for HTTPS) because other applications need those ports as well. Using NGINX is recommended only in this situation, when multiple web applications are hosted on the same server. If Muse Proxy is the only hosted service, it must be accessed directly, without a front-end reverse proxy solution.

Hosting multiple web applications with NGINX as front-end reverse proxy requires assigning a dedicated fully qualified domain name (FQDN) for each application.

This article describes only the necessary configurations for NGINX and Muse Proxy. It is assumed that NGINX and Muse Proxy are already installed; their installation is not covered here.

Further assumptions:

  1. For illustration, the FQDN assigned to Muse Proxy is proxy.mydomain.com and the server IP is 192.168.1.100. The server OS is a Linux distribution (Debian, Ubuntu, RedHat, CentOS, etc.).
  2. Muse Proxy is configured with its default ports – 9797 for HTTP and 9443 for HTTPS.
  3. The wildcard DNS record is enabled for the Muse Proxy assigned FQDN – *.proxy.mydomain.com.
  4. A wildcard SSL certificate is available, thus the certificate and the private key exist on the server. The certificate must contain as SAN entries both *.proxy.mydomain.com and proxy.mydomain.com.

Configure the Muse Proxy service with NGINX front-end

In the NGINX configuration file for the Muse Proxy FQDN (e.g. /etc/nginx/sites-available/proxy.mydomain.com) define the backend service:
upstream backend_proxy {
        server 192.168.1.100:9797;
}

In the server contexts for both ports (80 and 443), make sure server_name has both values, e.g. *.proxy.mydomain.com and proxy.mydomain.com. Sample entries:

# Plain HTTP: requests are passed to the Muse Proxy HTTP port (upstream backend_proxy)
server {
        listen 80;
        listen [::]:80;
        server_name *.proxy.mydomain.com proxy.mydomain.com;
        location / {
                include proxy_params;
                proxy_pass http://backend_proxy;
                proxy_buffer_size 128k;
                proxy_buffers 4 256k;
                proxy_busy_buffers_size 256k;
        }
}
# HTTPS: TLS is terminated by NGINX with the wildcard certificate; requests are
# passed to the same HTTP upstream, and proxy_params forwards the original scheme
server {
        server_name *.proxy.mydomain.com proxy.mydomain.com;
        listen 443 ssl;
        ssl_certificate /etc/ssl/proxy.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/ssl/proxy.mydomain.com/privkey.pem;
        location / {
                include proxy_params;
                proxy_pass http://backend_proxy;
                proxy_buffer_size 128k;
                proxy_buffers 4 256k;
                proxy_busy_buffers_size 256k;
        }
}

The content of /etc/nginx/proxy_params referred to in the above samples:

proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

Increase the timeout value for NGINX in /etc/nginx/nginx.conf, e.g.:

proxy_read_timeout 600s;

The NGINX service must be reloaded to pick up the configuration changes.

Configurations for Muse Proxy

Some configurations are needed for Muse Proxy as well, in its main configuration file ${MUSE_HOME}/proxy/MuseProxy.xml:
Define the external ports of NGINX as follows:

<PORT enabled="true" external="80">9797</PORT>
<SSL_PORT enabled="true" external="443">9443</SSL_PORT>

Specify the IPs (of the machine itself) that are allowed to provide the X-FORWARDED-FOR header value:

<ALLOW_X_FORWARDED_FOR>192.168.1.100</ALLOW_X_FORWARDED_FOR>
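
Why the header is accepted only from the NGINX address, shown as an added example (not Muse Proxy code and not part of the original article): $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client sent, so only the hop added by the trusted proxy is reliable. The function names, the resolution logic and the sample addresses are assumptions; how Muse Proxy itself evaluates the header is not described here.

```python
import ipaddress

# Assumption: mirrors <ALLOW_X_FORWARDED_FOR>192.168.1.100</ALLOW_X_FORWARDED_FOR>
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.100/32")]


def nginx_forwarded_for(client_header, remote_addr):
    """Value of $proxy_add_x_forwarded_for: the client's own X-Forwarded-For
    header (if any) with $remote_addr appended after a comma."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def resolve_client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Hypothetical backend-side logic: pick the address used for access checks.

    The header is honoured only when the TCP peer is a trusted proxy. The chain
    is walked right to left; the first hop that is not a trusted proxy is the
    client, and anything to its left was supplied by that client.
    """
    if not xff_header or not is_trusted(peer_addr, trusted):
        return peer_addr
    for hop in reversed(xff_header.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: ignore the header entirely
        if not is_trusted(hop, trusted):
            return hop
    return peer_addr  # every hop was a trusted proxy


if __name__ == "__main__":
    # Constructed samples (documentation address ranges).
    sent = nginx_forwarded_for("10.0.0.5", "203.0.113.7")  # client sent its own header
    print(sent, "->", resolve_client_ip("192.168.1.100", sent))
    # Connection that bypassed NGINX and reached port 9797 directly
    print(resolve_client_ip("198.51.100.9", "10.0.0.5"))
```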

Make sure the FQDN value is configured in the SERVER_NAMES field, e.g.:

<SERVER_NAMES>proxy.mydomain.com</SERVER_NAMES>