How To use NGINX Reverse Proxy for your SAP HANA Express apps (hosting mode = ports)
1. When and why is this article useful?
So you have deployed an SAP HANA Express SPS04 or later VM with the XSA application runtime to your own infrastructure.
You have deployed multiple backend services for a complex app, with XSOData or REST endpoints, but your links are bound to different ports on the hxehost machine.
You can point a new subdomain at your app from the public internet, but the port-based links will be hard to remember and do not look nice in the browser URL.
Or maybe the authentication that the mtar app provides through xsuaa is not suited to your API: you want to use your own custom security logic and publish multiple backend APIs and front-end apps behind a single SSL certificate, with a caching layer.
2. Prerequisites
- Custom domain
- DNS server access for routing your CNAME (subdomain)
- SAP HANA Express VM with apps hosted on different ports
- an NGINX VM (I used the NGINX OVA appliance from Bitnami)
- a self-signed (or better) SSL certificate (free SSL certificate here)
3. How to configure NGINX
In my case the server was defined with plain traffic on port 80 and secure traffic on port 443 in the file `bitnami.conf`, found at `/opt/bitnami/nginx/conf/bitnami/bitnami.conf`. Find your own base configuration (or vhost conf) and edit it or paste in the following configuration.
Of course, references to `your-domain.com` and `PORT_APIx` must be replaced with your own.
You also need to add the IP of your hxehost machine to the `/etc/hosts` file of the NGINX VM:
```
192.168.x.x hxehost
```
The example configuration file for NGINX:
Thanks to Steffan Henke for feedback about securing the configuration to the latest standards and defaults!
```nginx
# HTTP server: redirect all plain traffic to HTTPS
server {
    listen 80;
    return 301 https://$host$request_uri;
}

# HTTPS server: terminates TLS and proxies to the HANA Express apps
server {
    listen 443 ssl;
    server_name rsi.travel-devel.ro;

    ssl_certificate     /opt/bitnami/nginx/conf/server_certificate_your_domain.crt;
    ssl_certificate_key /opt/bitnami/nginx/conf/server_your_domain_private.key;
    ssl_session_cache   builtin:1000 shared:SSL:10m;

    # Only TLS 1.2 and 1.3, with forward-secret AEAD cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;

    # /api1 is a prefix match. Because proxy_pass ends in "/", the matched
    # "/api1" prefix is replaced by "/" before the request goes upstream.
    # Note: nginx does not verify the upstream certificate by default
    # (proxy_ssl_verify is off), so the hop to hxehost is encrypted only.
    location /api1 {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://hxehost:PORT_API1/;
    }

    location /api2 {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://hxehost:PORT_API2/;
    }
}
```
4. Conclusions
Benefits:
- you can easily use one SSL certificate for multiple hxehost applications
- you can avoid using approuter to route UI requests to backend requests
- you can set simple basic authorization on NGINX for your APIs
- you can activate response caching on NGINX
- you can easily avoid Cross-Origin Resource Sharing (CORS) problems for public websites
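As an added example (not part of the original configuration), this is how the basic authorization and response caching benefits could look for the `/api1` location, together with verification of the hxehost certificate on the upstream hop. The cache directory, the `api_cache` zone name, the `api1.htpasswd` user file and the `hxehost_ca.crt` trust file are assumptions; `PORT_API1` is the same placeholder as above.

```nginx
# Added example. All file paths and the zone name "api_cache" are assumptions.

# http context: place at the top of bitnami.conf, outside any server block.
# The directory must be writable by the nginx worker user.
proxy_cache_path /var/cache/nginx/api_cache levels=1:2
                 keys_zone=api_cache:10m max_size=200m inactive=30m;

# Replaces the /api1 location inside the "listen 443 ssl" server block.
location /api1/ {
    # Basic authentication enforced at the proxy, before any cache lookup.
    # User file created with: htpasswd -c /opt/bitnami/nginx/conf/api1.htpasswd <user>
    auth_basic           "api1";
    auth_basic_user_file /opt/bitnami/nginx/conf/api1.htpasswd;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Keep the proxy credentials on the proxy; do not pass them to the backend.
    proxy_set_header Authorization "";

    # Cache 200 responses to GET/HEAD for 5 minutes. $remote_user in the key
    # keeps one user's cached response from being served to another user.
    proxy_cache       api_cache;
    proxy_cache_key   "$scheme$host$request_uri$remote_user";
    proxy_cache_valid 200 5m;
    # Expose HIT/MISS/EXPIRED so caching can be checked from the client.
    add_header X-Cache-Status $upstream_cache_status;

    # Verify the certificate presented by hxehost instead of only encrypting.
    proxy_ssl_verify              on;
    proxy_ssl_name                hxehost;
    proxy_ssl_trusted_certificate /opt/bitnami/nginx/conf/hxehost_ca.crt;

    proxy_pass https://hxehost:PORT_API1/;
}
```

Run `nginx -t` before reloading; responses that carry `Set-Cookie` or `Cache-Control: private`/`no-store` from the backend are not cached by NGINX.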
I used the following as base tutorials for NGINX:
- https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
- https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins