Skip to main content
Version: 3.9.x

JATOS with Nginx

This page provides an example configuration for using Nginx as a reverse proxy in front of JATOS. While it is not strictly necessary to run JATOS behind a proxy, it is common practice—especially for enabling HTTPS.

A JATOS server that handles sensitive or private data should always use encryption (HTTPS). A good, free certificate provider is certbot.eff.org from the Electronic Frontier Foundation.

The following configuration is for /etc/nginx/nginx.conf. Adjust it to your needs—especially your server address (www.example.com in the example) and the paths to your SSL certificate and key.

As an additional security measure, you can uncomment the location /jatos block and configure your local network. This will restrict access to JATOS' GUI (all URLs starting with /jatos) to the local network.

user                    www-data;
pid                     /run/nginx.pid;
worker_processes        auto;
worker_rlimit_nofile    65535;

# Load modules
include                 /etc/nginx/modules-enabled/*.conf;

events {
    multi_accept        on;
    worker_connections  65535;
}

http {
    sendfile                on;
    tcp_nopush              on;
    client_max_body_size    500M;

    # MIME
    include                 mime.types;
    default_type            application/octet-stream;

    # Logging
    access_log              off;
    error_log               /var/log/nginx/error.log warn;

    proxy_buffering         off;
    proxy_set_header        Host $http_host;
    proxy_http_version      1.1;

    # Needed for WebSockets
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Load configs
    include /etc/nginx/conf.d/*.conf;

    upstream jatos-backend {
        server 127.0.0.1:9000;
    }

    # Redirect HTTP to HTTPS
    server {
        listen              80;
        server_name         www.example.com; # <-- Change to your domain
        rewrite             ^ https://www.example.com$request_uri? permanent;
    }

    server {
        listen               443 ssl http2;
        server_name          www.example.com; # <-- Change to your domain
        keepalive_timeout    70;

        # Encryption
        ssl_certificate      /etc/ssl/certs/localhost.crt;   # <-- Change to your certificate
        ssl_certificate_key  /etc/ssl/private/localhost.key; # <-- Change to your key
        ssl_protocols        TLSv1.2 TLSv1.3;

        # WebSocket location (JATOS' group and batch channels and the test page)
        location ~ "/(jatos/testWebSocket|publix/[a-z0-9-]+/(group/join|batch/open))" {
            proxy_pass              http://jatos-backend;
            proxy_http_version      1.1;
            proxy_set_header        Upgrade $http_upgrade;
            proxy_set_header        Connection $connection_upgrade;
            proxy_connect_timeout   7d; # Keep open for 7 days even without any transmission
            proxy_send_timeout      7d;
            proxy_read_timeout      7d;
        }

        # Restrict access to JATOS' GUI to local network, e.g. 192.168.1.*
        # location /jatos {
        #     allow                   192.168.1.0/24;
        #     deny                    all;
        #     proxy_pass              http://jatos-backend;
        #     proxy_connect_timeout   300;
        #     proxy_send_timeout      300;
        #     proxy_read_timeout      300;
        #     send_timeout            300;
        # }

        # All other traffic
        location / {
            proxy_pass              http://jatos-backend;
            proxy_connect_timeout   300;
            proxy_send_timeout      300;
            proxy_read_timeout      300;
            send_timeout            300;
        }
    }
}