Securing the Node Service behind a reverse proxy

If you are going to expose asperanoded to the internet, use a reverse proxy (Nginx is provided in your installation). For example, if you want to use an HSTS instance with IBM Aspera on Cloud (AoC), as a user-managed tethered node, you must use a reverse proxy with it.

The asperanginx service can be used to reverse proxy:

  • Aspera Node API calls.
  • WebSocket transfers.
  • HSTS HTTP fallback.

Note: These instructions are designed for the Nginx package that is included with HSTS in /opt/aspera/nginx. The service name is asperanginx, and it is managed by systemd. If you choose to use a different version of Nginx, you must refer to the example file /opt/aspera/nginx/conf/nginx.conf.example.

When you configure Nginx support for your system, note:
  • Use the default Nginx configuration.
  • The configuration example file sets up Nginx to listen on port 443. That can be changed if port 443 is already used by some other service. However, port 443 must be used if the instance is going to be used as tethered node with AoC.
  • As a best practice, update all references to localhost to the fully qualified domain name that is used to access the server.
  • As a best practice, use certificates signed by an official certificate authority, rather than the self-signed certificates generated by the installation process (aspera_server_cert.pem, aspera_server_key.pem). Official CA certificates are required if the HSTS instance is going to be used as tethered node with AoC.
  • When a transfer_spec is generated for token-based transfers, the wss_port passed in the transfer_spec corresponds to the wss_port configured in aspera.conf. For Nginx to reverse proxy WebSocket transfers, configure Nginx to listen on that wss_port. If you want asperanoded to listen for WebSocket traffic on a different port, configure wss_listen_port as well.

    For example, nginx.conf would then proxy to asperanoded listening on the configured wss_listen_port.

  • The nginx.conf file contains a limit_rate section that, by default, is applied only to the Node API and limits clients to 30 requests per minute (1 request every 2 seconds). To allow more frequent access, increase the limit to 10 requests per second. The same configuration can be applied to the SSH server to limit the number of incoming SSH requests per second.
  1. Configure the HTTPS port for asperanoded. By default it listens on port 9091 using HTTP.
    For example,
    # asconfigurator -x 'set_server_data;listen,"9092s,127.0.0.1:9091"'

    This overrides any other port configurations and instructs asperanoded to listen on port 9092 using HTTPS (hence the s suffix after 9092) and to accept inbound HTTP connections on port 9091 only from the local machine, so that port is available only to Nginx.

    The entry in aspera.conf would then look like this:
    <server>
        <listen>9092s,127.0.0.1:9091</listen>
    </server>

  2. Restart asperanoded to use the new configuration.
    # systemctl restart asperanoded
  3. Copy the /opt/aspera/nginx/conf/nginx.conf.example file to /opt/aspera/nginx/conf/nginx.conf
  4. Edit your nginx.conf file for your environment and system configuration.
    For guidance, see the introductory discussion above and the comments in the content that you copied into this file from nginx.conf.example.
  5. Start the asperanginx service.
    # systemctl start asperanginx
    You can use the usual systemctl commands to manage the service (start, stop, and other).
  6. Test transfers through the Nginx port and verify that the local firewall does not expose the internal ports for the services that are fronted by Nginx.
    Note: Your nginx.conf file is not altered by an HSTS upgrade. However, because new releases might introduce changes that are reflected in an updated nginx.conf.example file, review the example file for any changes and update your nginx.conf file as needed.
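The fragment below is an added example of what the nginx.conf edited in step 4 can contain; it is not the shipped nginx.conf.example and not IBM's configuration. It assumes the step 1 listen setting (asperanoded accepting HTTP from Nginx on 127.0.0.1:9091), a placeholder wss_listen_port of 9093, placeholder host name and certificate paths, and it implements the Node API request limit with nginx's limit_req directives.

```nginx
# Added example; not the shipped /opt/aspera/nginx/conf/nginx.conf.example.
# Assumes asperanoded accepts HTTP from Nginx on 127.0.0.1:9091 (step 1),
# its WebSocket listener (wss_listen_port) is 127.0.0.1:9093 (placeholder),
# and that the host name and certificate paths below are placeholders.

# Pick the backend from the Upgrade header: WebSocket transfers go to the
# wss_listen_port, everything else is a Node API call.
map $http_upgrade $asperanoded_backend {
    default        127.0.0.1:9091;
    ~*^websocket$  127.0.0.1:9093;
}

# Keep the Connection header consistent with the Upgrade header.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Requests with an empty limit key are not counted, so the 30 requests per
# minute limit applies only to Node API calls, keyed on the client address.
map $http_upgrade $nodeapi_limit_key {
    default        $binary_remote_addr;
    ~*^websocket$  "";
}
limit_req_zone $nodeapi_limit_key zone=nodeapi:10m rate=30r/m;

server {
    listen 443 ssl;
    server_name hsts.example.com;     # the FQDN clients use, not localhost

    ssl_certificate     /opt/aspera/etc/hsts.example.com.crt;
    ssl_certificate_key /opt/aspera/etc/hsts.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Queue short bursts instead of answering 503 at once; raise the
        # zone rate to 10r/s if clients need more frequent access.
        limit_req zone=nodeapi burst=10;
        proxy_pass http://$asperanoded_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Long transfers must not be cut off by the proxy read timeout.
        proxy_read_timeout 3600s;
    }
}
```

Check the result with `nginx -t -c /opt/aspera/nginx/conf/nginx.conf` before starting asperanginx, and confirm with `ss -ltn` that 9091 and 9093 are bound to 127.0.0.1 only.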