
NGINX (SSL Config)

The recommended way to run Faraday is with SSL via Nginx.

Nginx

The new Faraday release 3.14 can generate an Nginx configuration for you.

Installing Nginx

You can find a detailed guide on how to install Nginx in the official Nginx documentation.

Configure NGINX

After installing and configuring NGINX, Faraday's setup should be as follows:

1. Faraday Server on port 5985 using HTTP. You can find this configuration in the file ~/.faraday/config/server.ini, in the section [faraday_server].
2. Web UI using https://example_domain:port/

Note: In both cases, NGINX listens on port 80 and redirects to HTTPS.

Generating Certificates

To generate self-signed certificates, run the following command:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/faraday.key -out /etc/ssl/faraday.crt

Be sure to enter the Common Name for this certificate when prompted. If you leave the Common Name empty, Faraday will not launch.

For further information about certificates, follow this link.

Sample Configuration Files

Below you can find a sample config file for NGINX. You can use this same configuration by pasting it into a file inside the folder /etc/nginx/sites-enabled/, named however you want.

faraday-manage generate-nginx-config --fqdn faraday.mydomain.com --port 5985 --ws-port 9000 --ssl-certificate /etc/ssl/faraday.crt --ssl-key /etc/ssl/faraday.key
Generating Faraday nginx config for server: faraday.mydomain.com
Faraday
- Port: 5985
- Websocket Port: 9000
SSL: certificate [/etc/ssl/faraday.crt] - key [/etc/ssl/faraday.key ]
Confirm [Y/n]: y
NGINX Config
#####################################


# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  max;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
}

server {
    server_name faraday.mydomain.com;
    listen 443 ssl http2;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-XSS-Protection "1; mode = block";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options nosniff;
    client_max_body_size 150M;

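    # "ssl on;" is obsolete since nginx 1.15.0 and was removed in 1.25.1; delete it there,
    # since "listen 443 ssl" above already enables TLS.
    ssl on;
    ssl_session_cache shared:SSL:50m;
    ssl_certificate           /etc/ssl/faraday.crt;
    ssl_certificate_key       /etc/ssl/faraday.key;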
    gzip on;
    gzip_types application/javascript text/css;
    expires $expires;

    location / {
        alias /opt/faraday/lib/python3.8/site-packages/faraday/server/www/;
    }

    location /_api/ {
        proxy_pass http://localhost:5985/_api/;
        proxy_redirect http:// $scheme://;
        proxy_read_timeout 300;
        proxy_cookie_path / "/; secure";

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /websockets {
        proxy_http_version 1.1;
        proxy_pass http://localhost:9000/websockets;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    server_name faraday.mydomain.com;
    listen 80 ;

    # https redirect
    if ($host = faraday.mydomain.com) {
        return 301 https://$host$request_uri;
    }

    return 404;
}

Now you can access Faraday at https://faraday.mydomain.com
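An offline audit of a pasted config, as an added example that is not part of Faraday or of the original page: it checks that every directive is terminated (assuming one directive per line, as in the sample above), that the TLS server block sets HSTS and marks proxied cookies Secure, and that the port 80 block redirects to HTTPS. The names `SAMPLE`, `server_blocks` and `audit` are hypothetical, and the sample text is constructed.

```python
import re

# Constructed sample: trimmed from the config above, with one ';' left out.
SAMPLE = """\
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000" always;
    ssl_certificate_key       /etc/ssl/faraday.key
    location /_api/ {
        proxy_pass http://localhost:5985/_api/;
        proxy_cookie_path / "/; secure";
    }
}
server {
    listen 80 ;
    return 301 https://$host$request_uri;
}
"""

def server_blocks(text):
    """Return each top-level server block as a list of stripped lines."""
    blocks, depth, current = [], 0, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (assumes no '#' in values)
        if depth == 0 and re.match(r"server\s*\{", line):
            current = []
        if current is not None and line:
            current.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0 and current is not None:
            blocks.append(current)
            current = None
    return blocks

def audit(text):
    """List deviations from the TLS front-end layout described on this page."""
    findings = []
    for block in server_blocks(text):
        body = "\n".join(block)
        findings += [f"missing ';' after: {ln}" for ln in block
                     if not ln.endswith((";", "{", "}"))]
        if re.search(r"listen\s+443\b[^;]*\bssl\b", body):
            if "Strict-Transport-Security" not in body:
                findings.append("TLS block sets no HSTS header")
            if "proxy_pass" in body and not re.search(r"proxy_cookie_path.*secure", body):
                findings.append("proxied cookies lack the Secure flag")
        elif re.search(r"listen\s+80\b", body) and not re.search(r"return\s+301\s+https://", body):
            findings.append("port 80 block does not redirect to HTTPS")
    return findings
```

Call `audit()` on the text of the file you placed under /etc/nginx/sites-enabled/, then run `nginx -t`; the script is not a full nginx parser and only covers the layout described here.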