Securing the Node Service Behind a Proxy

If your HST Server must expose asperanoded to the internet, such as when setting it up as an IBM Aspera on Cloud (AoC) node, Aspera strongly recommends protecting it with a reverse proxy and keeping the SSL ciphers up to date (see https://cipherli.st/ for examples) (CIM-1694). Normally, asperanoded runs on port 9092, but nodes that are added to AoC must have asperanoded reachable on port 443, the standard HTTPS port for secure browser access. Configuring a reverse proxy in front of asperanoded provides additional protection (such as against DoS attacks) and resource handling for requests to the node's port 443, while asperanoded itself keeps listening only on the loopback interface.

Set up Nginx

The following instructions describe how to set up Nginx as a reverse proxy and require that you have valid, CA-signed SSL certificates in .pem format for the server. Other reverse proxies might be supported on your server.

  1. Set up a system user with Node API credentials on your server.
    For instructions, see Node API Setup.
  2. Download and install Nginx.
  3. Configure the HTTPS port for asperanoded and bind it to the loopback interface, so that it accepts connections only from the local reverse proxy and is not directly reachable from the network:
    # asconfigurator -x "set_server_data;listen,127.0.0.1:9092;https_port,9092"
  4. Open the Nginx configuration file in a text editor.
    Open /etc/nginx/nginx.conf and ensure the following include directive is present in the http section. If it is not present, add it to the file:
    http {
    …
    include /etc/nginx/conf.d/*.conf;
    }
  5. Create a file named aspera_node_proxy.conf and save it in the following location:
    /etc/nginx/conf.d/aspera_node_proxy.conf
  6. Paste the following content into aspera_node_proxy.conf:
    #
    # Aspera configuration - reverse proxy for asperanoded
    #
    server {
        # Terminate TLS on 443. The "ssl" parameter on listen replaces the
        # deprecated "ssl on;" directive, which current Nginx releases reject.
        listen 443 ssl;
        server_name your.servername.com;
        ssl_certificate /opt/aspera/etc/aspera_server_cert.pem;
        ssl_certificate_key /opt/aspera/etc/aspera_server_key.pem;

        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_prefer_server_ciphers on;

        access_log          /var/log/nginx/node-api.access.log;

        location / {
            # asperanoded listens on loopback only (see step 3); Nginx is the
            # only endpoint reachable from the network.
            proxy_pass https://127.0.0.1:9092;
            proxy_read_timeout 60;
            proxy_redirect https://127.0.0.1:9092 https://your.servername.com;

            # Pass the original client address and scheme through to asperanoded.
            proxy_set_header Host               $host:$server_port;
            proxy_set_header X-Real-IP          $remote_addr;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
        }
    }
    Note: Configure SSL ciphers as required. The preceding sample is not configured for backward compatibility, and the recommended list of secure ciphers might change. Aspera recommends reviewing and staying current with the list provided in https://cipherli.st/.

    Replace your.servername.com with your server's domain name. The SSL certificate must include any intermediate certificates, as described in Installing SSL Certificates.

  7. Restart asperanoded.
    Run the following commands to restart asperanoded:
    # /etc/init.d/asperanoded restart
  8. Restart Nginx.
    # service nginx restart
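After completing the steps above, the two properties worth confirming are that asperanoded is bound to 127.0.0.1:9092 only (so the proxy is the sole path in from the network) and that the Nginx server block does not enable TLS 1.0 or 1.1. The following check script is an added example; it is not part of the Aspera documentation or the HST product. It assumes the ss utility from iproute2 is installed and that the proxy configuration lives at the path used in step 5; the ss output embedded in the script is a constructed sample so the checks can also run offline.

```shell
#!/bin/sh
# Added post-setup check (not from the Aspera documentation).
# Verifies that:
#   1. every LISTEN socket on 9092 is bound to a loopback address, so
#      asperanoded is reachable only through Nginx on 443;
#   2. something is listening on 443;
#   3. the Nginx server block limits ssl_protocols to TLS 1.2/1.3.
# Socket state comes from `ss -ltn`; SAMPLE_SS below is a constructed sample.

# loopback_only SS_OUTPUT PORT
# Returns 0 when every LISTEN socket on PORT is bound to 127.0.0.1 or [::1],
# 1 when nothing listens on PORT or any listener is on another address.
loopback_only() {
    listeners=$(printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) print $4 }')
    [ -n "$listeners" ] || return 1
    printf '%s\n' "$listeners" | grep -qvE '^(127\.0\.0\.1|\[::1\]):' && return 1
    return 0
}

# port_open SS_OUTPUT PORT
# Returns 0 when at least one LISTEN socket is bound on PORT (any address).
port_open() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) found = 1 }
        END { exit !found }'
}

# tls_policy_ok NGINX_CONF_TEXT
# Returns 0 when an ssl_protocols directive is present and enables neither
# TLSv1 nor TLSv1.1; 1 otherwise. Cipher lists change over time (see the
# note in step 6), so only the protocol floor is checked here.
tls_policy_ok() {
    line=$(printf '%s\n' "$1" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]')
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -qE '[[:space:]]TLSv1(\.1)?([[:space:]]|;)' && return 1
    return 0
}

# Constructed `ss -ltn` output for a correctly configured host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:9092      0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# Run the three checks against the live host when ss is available,
# otherwise against the constructed sample.
check_host() {
    if command -v ss >/dev/null 2>&1; then ss_out=$(ss -ltn); else ss_out=$SAMPLE_SS; fi
    conf=$(cat /etc/nginx/conf.d/aspera_node_proxy.conf 2>/dev/null)
    loopback_only "$ss_out" 9092 || { echo "FAIL: asperanoded is not loopback-only on 9092"; return 1; }
    port_open "$ss_out" 443      || { echo "FAIL: nothing is listening on 443"; return 1; }
    tls_policy_ok "$conf"        || { echo "FAIL: ssl_protocols missing or allows TLS older than 1.2"; return 1; }
    echo "OK: asperanoded is reachable only through the Nginx proxy on 443"
}

# Invoke with --live to check the host this script runs on.
if [ "${1:-}" = "--live" ]; then check_host; fi
```

Run it as `sh check_node_proxy.sh --live` after step 8; a FAIL on the first check usually means the asconfigurator command in step 3 was not applied or asperanoded was not restarted.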