zrok/docs/guides/self-hosting/linux/nginx.mdx

---
sidebar_position: 50
sidebar_label: NGINX TLS
---

# NGINX Reverse Proxy for zrok

## Walkthrough Video

<iframe width="100%" height="315" src="https://www.youtube.com/embed/870A5dke_u4?start=1080" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

## Before You Begin

I'll assume you have a running `zrok` controller and frontend and wish to front both with NGINX providing server TLS. Go back to [Self-Hosting Guide](/guides/self-hosting/linux/index.mdx) if you still need to spin those up.

## Choose a Reverse Proxy Address

I'll use `https://api.zrok.quigley.com:443` in this example, and assume you already set up wildcard DNS like `*.zrok.quigley.com`. This lets us elect `api.zrok.quigley.com` as the controller DNS name, and forward any other incoming requests to the zrok public frontend.

## Obtain a Wildcard Server Certificate

You must complete a DNS challenge to obtain a wildcard certificate from Let's Encrypt. I'll assume you know how to create the necessary TXT record in the DNS zone you're using with zrok.

1. Install certbot: https://eff-certbot.readthedocs.io/en/stable/install.html
2. Run certbot with the manual plugin: https://certbot.eff.org/docs/using.html#manual

    ```bash
    # install cert for *.zrok.quigley.com in /etc/letsencrypt
    sudo certbot certonly --manual
    ````

## [Install NGINX](https://www.nginx.com/resources/wiki/start/topics/tutorials/install/)

## Configure NGINX

```
server {
    listen              443 ssl;
    server_name         api.zrok.quigley.com;
    ssl_certificate     /etc/letsencrypt/live/zrok.quigley.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zrok.quigley.com/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
      proxy_pass      http://127.0.0.1:18080;
      error_log       /var/log/nginx/zrok-controller.log;
    }

}

map $http_upgrade $connection_upgrade {
    default      keep-alive;
    'websocket'  upgrade;
    ''           close;
}

server {
    listen              443 ssl;
    server_name         *.zrok.quigley.com;
    ssl_certificate     /etc/letsencrypt/live/zrok.quigley.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zrok.quigley.com/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    location / {
      proxy_pass       http://127.0.0.1:8080;
      proxy_set_header Host $host;
      error_log        /var/log/nginx/zrok-frontend.log;
      proxy_busy_buffers_size   512k;
      proxy_buffers    4 512k;
      proxy_buffer_size   256k;

      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
}
```

## Restart NGINX

Load the new configuration by restarting NGINX. Check the logs to make sure it's happy.

> Started A high performance web server and a reverse proxy server.

## Check the Firewall

If you followed the non-TLS quickstart then you may have opened 8080,108080/tcp in your firewall. You can go ahead and replace those exceptions with 443/tcp because only NGINX needs to be reachable for zrok to function.

## Update the zrok Frontend

List available frontends to obtain the token identifier of the frontend named "public". You may need to set `ZROK_ADMIN_TOKEN` or `ZROK_API_ENDPOINT` before running `zrok admin`.

```bash
$ zrok admin list frontends

 TOKEN         ZID        PUBLIC NAME  URL TEMPLATE                              CREATED AT                         UPDATED AT                    
 2NiDTRYUww18  7DsLh9DXG  public       http://{token}.zrok.quigley.com:8080  2023-01-19 05:29:20.793 +0000 UTC  2023-01-19 06:17:25 +0000 UTC 
```

Update the URL template to use NGINX.

```bash
$ zrok admin update frontend 2NiDTRYUww18 --url-template https://{token}.zrok.quigley.com:443
[   0.028]    INFO main.(*adminUpdateFrontendCommand).run: updated global frontend '2NiDTRYUww18'
```
add a container to cross-build on libc 2.28 2023-02-15 23:41:46 +01:00			`---`
			`sidebar_position: 50`
simplify docker share guides 2024-04-23 20:33:41 +02:00			`sidebar_label: NGINX TLS`
add a container to cross-build on libc 2.28 2023-02-15 23:41:46 +01:00			`---`

simplify docker share guides 2024-04-23 20:33:41 +02:00			`# NGINX Reverse Proxy for zrok`
add Nginx guide 2023-01-19 16:26:28 +01:00
embed self-hosting walkthrough video in guide 2023-02-09 14:29:43 +01:00			`## Walkthrough Video`

fix video width 2023-02-09 14:32:52 +01:00			`<iframe width="100%" height="315" src="https://www.youtube.com/embed/870A5dke_u4?start=1080" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>`
embed self-hosting walkthrough video in guide 2023-02-09 14:29:43 +01:00
			`## Before You Begin`

organize nginx guide in linux category 2024-05-03 16:33:13 +02:00			I'll assume you have a running `zrok` controller and frontend and wish to front both with NGINX providing server TLS. Go back to [Self-Hosting Guide](/guides/self-hosting/linux/index.mdx) if you still need to spin those up.
add Nginx guide 2023-01-19 16:26:28 +01:00
			`## Choose a Reverse Proxy Address`

			I'll use `https://api.zrok.quigley.com:443` in this example, and assume you already set up wildcard DNS like `*.zrok.quigley.com`. This lets us elect `api.zrok.quigley.com` as the controller DNS name, and forward any other incoming requests to the zrok public frontend.

			`## Obtain a Wildcard Server Certificate`

			`You must complete a DNS challenge to obtain a wildcard certificate from Let's Encrypt. I'll assume you know how to create the necessary TXT record in the DNS zone you're using with zrok.`

			`1. Install certbot: https://eff-certbot.readthedocs.io/en/stable/install.html`
			`2. Run certbot with the manual plugin: https://certbot.eff.org/docs/using.html#manual`

			```bash
			`# install cert for *.zrok.quigley.com in /etc/letsencrypt`
			`sudo certbot certonly --manual`
			````

simplify docker share guides 2024-04-23 20:33:41 +02:00			`## [Install NGINX](https://www.nginx.com/resources/wiki/start/topics/tutorials/install/)`
add Nginx guide 2023-01-19 16:26:28 +01:00
simplify docker share guides 2024-04-23 20:33:41 +02:00			`## Configure NGINX`
add Nginx guide 2023-01-19 16:26:28 +01:00
			```
			`server {`
			`listen 443 ssl;`
			`server_name api.zrok.quigley.com;`
			`ssl_certificate /etc/letsencrypt/live/zrok.quigley.com/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/zrok.quigley.com/privkey.pem;`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`ssl_ciphers HIGH:!aNULL:!MD5;`

			`location / {`
			`proxy_pass http://127.0.0.1:18080;`
			`error_log /var/log/nginx/zrok-controller.log;`
			`}`

			`}`

Update nginx_tls_guide.md with websocket support Adds websocket support to the nginx proxy config. Signed-off-by: Beau Collins <beau@collins.pub> 2023-11-05 01:53:41 +01:00			`map $http_upgrade $connection_upgrade {`
			`default keep-alive;`
			`'websocket' upgrade;`
			`'' close;`
			`}`

add Nginx guide 2023-01-19 16:26:28 +01:00			`server {`
			`listen 443 ssl;`
			`server_name *.zrok.quigley.com;`
			`ssl_certificate /etc/letsencrypt/live/zrok.quigley.com/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/zrok.quigley.com/privkey.pem;`
			`ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`
			`ssl_ciphers HIGH:!aNULL:!MD5;`

			`location / {`
			`proxy_pass http://127.0.0.1:8080;`
			`proxy_set_header Host $host;`
			`error_log /var/log/nginx/zrok-frontend.log;`
			`proxy_busy_buffers_size 512k;`
			`proxy_buffers 4 512k;`
			`proxy_buffer_size 256k;`

Update nginx_tls_guide.md with websocket support Adds websocket support to the nginx proxy config. Signed-off-by: Beau Collins <beau@collins.pub> 2023-11-05 01:53:41 +01:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
add Nginx guide 2023-01-19 16:26:28 +01:00			`}`
			`}`
			```

simplify docker share guides 2024-04-23 20:33:41 +02:00			`## Restart NGINX`
add Nginx guide 2023-01-19 16:26:28 +01:00
simplify docker share guides 2024-04-23 20:33:41 +02:00			`Load the new configuration by restarting NGINX. Check the logs to make sure it's happy.`
add Nginx guide 2023-01-19 16:26:28 +01:00
			`> Started A high performance web server and a reverse proxy server.`

			`## Check the Firewall`

simplify docker share guides 2024-04-23 20:33:41 +02:00			`If you followed the non-TLS quickstart then you may have opened 8080,108080/tcp in your firewall. You can go ahead and replace those exceptions with 443/tcp because only NGINX needs to be reachable for zrok to function.`
add Nginx guide 2023-01-19 16:26:28 +01:00
			`## Update the zrok Frontend`

			List available frontends to obtain the token identifier of the frontend named "public". You may need to set `ZROK_ADMIN_TOKEN` or `ZROK_API_ENDPOINT` before running `zrok admin`.

			```bash
			`$ zrok admin list frontends`

			`TOKEN ZID PUBLIC NAME URL TEMPLATE CREATED AT UPDATED AT`
			`2NiDTRYUww18 7DsLh9DXG public http://{token}.zrok.quigley.com:8080 2023-01-19 05:29:20.793 +0000 UTC 2023-01-19 06:17:25 +0000 UTC`
			```

simplify docker share guides 2024-04-23 20:33:41 +02:00			`Update the URL template to use NGINX.`
add Nginx guide 2023-01-19 16:26:28 +01:00
			```bash
			`$ zrok admin update frontend 2NiDTRYUww18 --url-template https://{token}.zrok.quigley.com:443`
			`[ 0.028] INFO main.(*adminUpdateFrontendCommand).run: updated global frontend '2NiDTRYUww18'`
			```