These are examples for configurations of Nginx as a proxy in front of JATOS. It is not necessary to run JATOS with a proxy but it’s common. They support WebSockets for JATOS’ group studies.
The following two configs are the content of /etc/nginx/nginx.conf. Change them to your needs. You probably want to change your servers address (www.example.com in the example) and the path to the SSL certificate and its key. Those proxy_set_header X-Forwarded-* and proxy_set_header X-Real-IP are necessary to tell JATOS the real requester’s IP address - please leave them unchanged.
As an additional security measurement you can uncomment the location /jatos and config your local network. This will restrict the access to JATOS’ GUI (every URL starting with /jatos) to the local network.
A JATOS server that handles sensitive or private data should always use encryption (HTTPS).
With HTTPS
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
sendfile on;
keepalive_timeout 65;
client_max_body_size 500M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
upstream jatos-backend {
server 127.0.0.1:9000;
}
# needed for websockets
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# redirect http to https
server {
listen 80;
server_name www.example.com;
rewrite ^ https://www.example.com$request_uri? permanent;
}
server {
listen 443;
ssl on;
# http://www.selfsignedcertificate.com/ is useful for development testing
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
# From https://bettercrypto.org/static/applied-crypto-hardening.pdf
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
keepalive_timeout 70;
server_name www.example.com;
# websocket location (JATOS' group and batch channel and the test page)
location ~ "/(jatos/testWebSocket|publix/[\d]+/(group/join|batch/open))" {
proxy_pass http://jatos-backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_connect_timeout 7d; # keep open for 7 days even without any transmission
proxy_send_timeout 7d;
proxy_read_timeout 7d;
}
# restrict access to JATOS' GUI to local network
#location /jatos {
# allow 192.168.1.0/24;
# deny all;
#}
# all other traffic
location / {
proxy_pass http://jatos-backend;
}
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
}
Simple without encryption
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
sendfile on;
keepalive_timeout 65;
client_max_body_size 500M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_http_version 1.1;
upstream jatos-backend {
server 127.0.0.1:9000;
}
# needed for websockets
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80;
keepalive_timeout 70;
server_name www.example.com;
# websocket location (JATOS' group and batch channel and the test page)
location ~ "^/(jatos/testWebSocket|publix/[\d]+/(group/join|batch/open))" {
proxy_pass http://jatos-backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_connect_timeout 7d; # keep open for 7 days even without any transmission
proxy_send_timeout 7d;
proxy_read_timeout 7d;
}
# restrict access to JATOS' GUI to local network
#location /jatos {
# allow 192.168.1.0/24;
# deny all;
#}
# all other traffic
location / {
proxy_pass http://jatos-backend;
}
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
include /etc/nginx/conf.d/*.conf;
#include /etc/nginx/sites-enabled/*;
}