Skip to content

NGINX (SSL Config)

The recommended way to run Faraday is using SSL via Nginx

If you use NGINX you need to generate swagger config to let it work over the domain

faraday-manage openapi-swagger --server https://your-fqdn-for-faraday.com

Nginx

New Faraday release 4.1.0 can generate a ngnix configuration for you

Installing Nginx

You can find a detailed guide on how to install nginx in the official Nginx documentation

Configure NGINX

After installing and configuring NGINX, Faraday's setup should be as follows:

1
2
Faraday Server on port 5985 using HTTP. You can find this configuration inside the file ~/.faraday/config/server.ini in section [faraday_server].
Web UI using https://example_domain:port/

Note: For both cases, NGINX on port 80 redirecting to HTTPS.

Generating Certificates

In order to generate self signed certificates, run the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/faraday.key -out /etc/ssl/faraday.crt

Be sure to type the Common Name of this certificate. If you don't type a Common Name, then Faraday will not be launched.

For further information about certificates, follow this link.

Sample Configuration Files

Below you can find a sample config files for NGINX. You can use this same configuration by pasting it inside the folder /etc/nginx/sites-enabled/ or in conf.d and naming the file as you want. 

faraday-manage generate-nginx-config --fqdn faraday.mydomain.com --port 5985 --ws-port 9000 --ssl-certificate /etc/ssl/faraday.crt --ssl-key /etc/ssl/faraday.key

Generating Faraday nginx config for server: faraday.mydomain.com
Faraday
- Port: 5985
- Websocket Port: 9000
SSL: certificate [/etc/ssl/faraday.crt] - key [/etc/ssl/faraday.key ]
Confirm [Y/n]: y
NGINX Config
#####################################


# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  max;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

server {
    server_name faraday.mydomain.com;
    listen 443 ssl http2;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-XSS-Protection "1; mode = block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    client_max_body_size 150M;

    ssl on;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate           /etc/ssl/faraday.crt;
    ssl_certificate_key       /etc/ssl/faraday.key
    gzip on;
    gzip_types application/javascript text/css;
    expires $expires;

    location / {
        alias /opt/faraday/lib/python3.8/site-packages/faraday/server/www/;
    }

    location /_api/ {
        proxy_pass http://localhost:5985/_api/;
        proxy_redirect http:// $scheme://;
        proxy_read_timeout 300;
        proxy_cookie_path / "/; secure";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /websockets {
        proxy_http_version 1.1;
        proxy_pass http://localhost:9000/websockets;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    server_name faraday.mydomain.com;
    listen 80 ;

    # https redirect
    if ($host = faraday.mydomain.com) {
        return 301 https://$host$request_uri;
    }

    return 404;
}

Now you can access to https://faraday.mydomain.com