Edit me

These are examples for configurations of Nginx as a proxy in front of JATOS. It is not necessary to run JATOS with a proxy but it’s common. They support WebSockets for JATOS’ group studies.

The following two configs are the content of /etc/nginx/nginx.conf. Change them to your needs. You probably want to change your servers address (www.example.com in the example) and the path to the SSL certificate and its key. This proxy_set_header X-Forwarded-* is necessary to tell JATOS the original requester’s IP address - please leave it unchanged.

As an additional security measurement you can uncomment the location /jatos and config your local network. This will restrict the access to JATOS’ GUI (every URL starting with /jatos) to the local network.

A JATOS server that handles sensitive or private data should always use encryption (HTTPS).

With HTTPS

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
        sendfile             on;
        tcp_nopush           on;
        tcp_nodelay          on;
        keepalive_timeout    65;
        client_max_body_size 500M;

        include      /etc/nginx/mime.types;
        default_type application/octet-stream;

        proxy_buffering    off;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_set_header   X-Forwarded-Ssl on;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   Host $http_host;
        proxy_http_version 1.1;

        upstream jatos-backend {
                server 127.0.0.1:9000;
        }

        # needed for websockets
        map $http_upgrade $connection_upgrade {
                default upgrade;
                ''      close;
        }

        # redirect http to https
        server {
                listen      80;
                server_name www.example.com;
                rewrite     ^ https://www.example.com$request_uri? permanent;
        }

        server {
                listen        443 ssl;
                server_name   www.example.com;

                keepalive_timeout    70;

                ssl_certificate      /etc/ssl/certs/localhost.crt;
                ssl_certificate_key  /etc/ssl/private/localhost.key;

                ssl_protocols             TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
                ssl_prefer_server_ciphers on;

                # websocket location (JATOS' group and batch channel and the test page)
                location ~ "/(jatos/testWebSocket|publix/[\d]+/(group/join|batch/open))" {
                        proxy_pass              http://jatos-backend;
                        proxy_http_version      1.1;
                        proxy_set_header        Upgrade $http_upgrade;
                        proxy_set_header        Connection $connection_upgrade;
                        proxy_connect_timeout   7d; # keep open for 7 days even without any transmission
                        proxy_send_timeout      7d;
                        proxy_read_timeout      7d;
                }

                # restrict access to JATOS' GUI to local network
                #location /jatos {
                #       allow           192.168.1.0/24;
                #       deny            all;
                #       proxy_pass      http://jatos-backend;
                #}

                # all other traffic
                location / {
                        proxy_pass              http://jatos-backend;
                }
                
                # restrict access to JATOS' GUI to local network 192.168.1.*
                #location /jatos {
                #       allow                   192.168.1.0/24;
                #       deny                    all;
                #       proxy_pass              http://jatos-backend;
                #       proxy_connect_timeout   300;
                #       proxy_send_timeout      300;
                #       proxy_read_timeout      300;
                #       send_timeout            300;
                #}

                # all other traffic
                location / {
                        proxy_pass              http://jatos-backend;
                        proxy_connect_timeout   300;
                        proxy_send_timeout      300;
                        proxy_read_timeout      300;
                        send_timeout            300;
                }
        }

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        include /etc/nginx/conf.d/*.conf;
        #include /etc/nginx/sites-enabled/*;
}

With HTTPS and Docker

Have a look at github.com/robinsonkwame/jatos-https-docker-compose for a good example in how to do this (Thanks to Kwame Porter Robinson)

Simple without encryption

user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
        sendfile on;
        keepalive_timeout 65;
        client_max_body_size 500M;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        proxy_buffering    off;
        proxy_set_header   X-Forwarded-Proto http;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   Host $http_host;
        proxy_http_version 1.1;

        upstream jatos-backend {
                server 127.0.0.1:9000;
        }

        # needed for websockets
        map $http_upgrade $connection_upgrade {
                default upgrade;
                ''      close;
        }

        server {
                listen               80;

                keepalive_timeout    70;
                server_name          www.example.com;

                # websocket location (JATOS' group and batch channel and the test page)
                location ~ "^/(jatos/testWebSocket|publix/[\d]+/(group/join|batch/open))" {
                        proxy_pass              http://jatos-backend;
                        proxy_http_version      1.1;
                        proxy_set_header        Upgrade $http_upgrade;
                        proxy_set_header        Connection $connection_upgrade;
                        proxy_connect_timeout   7d; # keep open for 7 days even without any transmission
                        proxy_send_timeout      7d;
                        proxy_read_timeout      7d;
                }

                # restrict access to JATOS' GUI to local network
                #location /jatos {
                #       allow           192.168.1.0/24;
                #       deny            all;
                #       proxy_pass      http://jatos-backend;
                #       proxy_connect_timeout   300;
                #       proxy_send_timeout      300;
                #       proxy_read_timeout      300;
                #       send_timeout            300;
                #}

                # all other traffic
                location / {
                        proxy_pass              http://jatos-backend;
                        proxy_connect_timeout   300;
                        proxy_send_timeout      300;
                        proxy_read_timeout      300;
                        send_timeout            300;

                }
        }

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        include /etc/nginx/conf.d/*.conf;
        #include /etc/nginx/sites-enabled/*;
}