nginx reverse proxy for R1Soft

Sometimes managing SSL on R1Soft can be a pain because you have to import the SSL certificate into a Java-specific format. This post is about how you can create an nginx reverse proxy for R1Soft.

The backup system R1Soft uses something called “Keytool” to manage certificates and keys.

It can be a pain to use whenever you have to load in certificate chains, etc.

So to keep it simple, let’s use nginx instead.

First of all, change your R1Soft webserver to run on port 8080 for http (or any other port you like). To make this work you’ll have to restart the CDP webserver (it will prompt you). This won’t interrupt any running policies or other tasks in the CDP Server itself, so you can do it at any time.

We’re assuming that you have installed nginx already. If you haven’t, you can do so by running yum install nginx or apt-get install nginx.

Let’s get to it

Create a new nginx config for R1Soft:

vim /etc/nginx/conf.d/r1soft.conf

And paste the following into it:


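server {
    # TLS is terminated here, so certificates are managed in nginx
    listen 443 ssl;
    server_name backup.domain.com;
    ssl_certificate /etc/nginx/ssl/backup.domain.crt;
    ssl_certificate_key /etc/nginx/ssl/backup.domain.key;
    location / {
        # Plain-HTTP R1Soft web interface on the local port chosen earlier
        proxy_pass http://127.0.0.1:8080;
        # Rewrite backend redirects so the browser is not sent to port 8080
        proxy_redirect http://127.0.0.1:8080/ https://backup.domain.com/;
    }
}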


Remember to change the server_name, ssl_certificate and ssl_certificate_key values as well as the proxy_pass and proxy_redirect values.

The proxy_redirect ensures you’re not redirected to port 8080. This means you can now manage your certificates via nginx instead of R1Soft (makes your life much simpler!)

Update:

Regarding the proxy_pass going to http instead of https: please be aware that we’re terminating the SSL traffic in nginx instead of R1Soft, meaning data sent between nginx and R1Soft isn’t encrypted. This solution should only be used where you’ve firewalled R1Soft off from the public (so not allowing port 8080 in our example) and are running it locally on the same box as nginx or on a private network (you should still use SSL even if you’re running on a private network 😉).
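A quick way to check the same-box setup described in the update is to confirm that the plain-HTTP backend port is only bound to loopback. The script below is an added example, not part of the original post: the function name and the sample `ss -ltn` lines are constructed for illustration, and it inspects bind addresses only, so a non-loopback listener still depends on the firewall rule mentioned above.

```shell
#!/bin/sh
# Classify TCP listeners on the backend port from `ss -ltn` output on stdin.
# Returns 0 = loopback only, 1 = bound to a non-loopback address,
# 2 = nothing is listening on that port.
check_backend_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            laddr = $4                        # local address:port column
            n = split(laddr, parts, ":")
            if (parts[n] != port) next        # exact port match (18080 != 8080)
            addr = substr(laddr, 1, length(laddr) - length(parts[n]) - 1)
            gsub(/^\[|\]$/, "", addr)         # strip IPv6 brackets
            sub(/%.*$/, "", addr)             # strip interface scope, e.g. %lo
            found = 1
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) {
                print "ok       " laddr
            } else {
                print "EXPOSED  " laddr
                exposed = 1
            }
        }
        END {
            if (!found) exit 2
            exit (exposed ? 1 : 0)
        }
    '
}

# Constructed sample: backend bound to all interfaces (wildcard listener).
sample_exposed() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      50     *:8080             *:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
EOF
}

# Constructed sample: backend bound to loopback only; 18080 must be ignored.
sample_loopback() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:8080          0.0.0.0:*
LISTEN 0 128 [::1]:8080              [::]:*
LISTEN 0 128 [::ffff:127.0.0.1]:8080 *:*
LISTEN 0 128 0.0.0.0:18080           0.0.0.0:*
LISTEN 0 511 0.0.0.0:443             0.0.0.0:*
EOF
}

# Demo on the constructed sample; on a real host: ss -ltn | check_backend_listeners 8080
sample_exposed | check_backend_listeners 8080 || echo "port 8080 is not loopback-only"
```

If R1Soft runs on a separate host on a private network, a non-loopback listener is expected and the firewall is the only control in front of the unencrypted port.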