# Install Reverse Proxy
The Psono usually requires a reverse proxy, to glue the webclient and the server together. This section will explain how to install one of those reverse proxies.
# Preamble
This whole guide is based on Ubuntu 22.04 LTS. Other Ubuntu and Debian based systems should be similar if not even identical.
We assume that you want to use:
- https://psono.example.com to host your webclient
- https://psono.example.com/server will host your server
- https://psono.example.com/portal will host your admin portal
- you have a valid certificate in /etc/ssl/ with fullchain.pem and privkey.pem
- An A-Record for psono.example.com exists, pointing to your server's ip address
- The Psono server runs on port 10100
- The webclient runs on port 10101 or has been unpacked into /var/www/html
- The admin portal runs on port 10102 or has been unpacked into /var/www/html/portal
# Reverse Proxy with Nginx
Install Nginx
sudo apt-get install nginx
Create nginx config
Create
psono.example.com.conf
in/etc/nginx/sites-available
with the following content:server { listen 80; server_name psono.example.com; return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name psono.example.com; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; ssl_session_timeout 1d; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # Comment this in if you know what you are doing # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header Referrer-Policy same-origin; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; # If you have the fileserver too, then you have to add your fileserver URL e.g. https://fs01.example.com as connect-src too: add_header Content-Security-Policy "default-src 'none'; manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.blob.core.windows.net https://*.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'; child-src 'self'"; ssl_certificate /etc/ssl/fullchain.pem; ssl_certificate_key /etc/ssl/privkey.pem; client_max_body_size 256m; gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_min_length 256; gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon; root /var/www/html; location /server { rewrite ^/server/(.*) /$1 break; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; add_header Last-Modified $date_gmt; add_header Pragma "no-cache"; add_header Cache-Control "private, max-age=0, no-cache, no-store"; if_modified_since off; expires off; etag off; proxy_pass http://localhost:10100; } location ~* ^/portal.*\.(?:ico|css|js|gif|jpe?g|png|eot|woff|woff2|ttf|svg|otf)$ { expires 30d; add_header Pragma public; add_header Cache-Control "public"; # Remove the leading # from the following lines if you have the admin portal running in a docker container # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # # proxy_pass http://localhost:10102; # proxy_redirect http://localhost:10102 https://psono.example.com; } location ~* \.(?:ico|css|js|gif|jpe?g|png|eot|woff|woff2|ttf|svg|otf)$ { expires 30d; add_header Pragma public; add_header Cache-Control "public"; # Remove the leading # from following lines if you have the webclient running in a docker container # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # # proxy_pass http://localhost:10101; # proxy_redirect http://localhost:10101 https://psono.example.com; } # Remove the leading # from following lines if you have the admin portal running in a docker container # location /portal { # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # # proxy_read_timeout 90; # # proxy_pass http://localhost:10102; # } # Remove the leading # from following lines if you have the admin portal NOT running in a docker container # location /portal { # index index.html index.htm; # try_files $uri /portal/index.html; # forward all requests to index.html # } # Remove the leading # from following lines if you have the webclient running in a docker container # location / { # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # # proxy_pass http://localhost:10101; # proxy_read_timeout 90; # # proxy_redirect http://localhost:10101 https://psono.example.com; # } }
Enable nginx config
ln -s /etc/nginx/sites-available/psono.example.com.conf /etc/nginx/sites-enabled/
Test nginx config
sudo nginx -t
Restart nginx
sudo service nginx restart
You should now be able to open https://psono.example.com in your browser and see the Psono webclient. If you open https://psono.example.com/server/info/ you should see the following:
{"info":"{\"version\": \"....}
If you have installed the admin portal too, then https://psono.example.com/portal/ should show you the admin portal login screen.