How to configure a basic Nginx reverse proxy for Hipchat Data Center
Reference configuration only
This article provides an example configuration to help you set up your Hipchat Data Center deployment. However, third-party software might require extra configuration work to function in your environment. Atlassian makes a best effort to assist you with your deployment, but does not directly support these components.
Purpose
This article provides guidance on how to configure a basic NGINX reverse proxy for use in a Small-Scale Hipchat Data Center environment.
Not for Enterprise-scale Hipchat Data Center deployments
While NGINX can provide load-balancing services, it is not recommended for Enterprise-scale Hipchat Data Center deployments. If you're setting up an Enterprise-scale Hipchat deployment, see our article on HAProxy here.
Prepare
- Make sure the system on which Nginx will be installed meets the Hardware Requirements for the Load Balancer Node
- Install Nginx via the commands compatible with your operating system
- Set up the firewall on your reverse proxy server to accept traffic on port 443. Optionally, you can also accept traffic on port 80; the reverse proxy redirects it to 443 anyway.
Make sure a DNS record exists for the load balancer node and obtain an SSL certificate per the Reverse Proxy Configuration Requirements.
The process of obtaining an SSL certificate falls outside of the scope of this guide. There are plenty of resources on the Internet that can guide you through the process. For example: "How to Install an SSL Certificate from a Commercial CA"
Configure
As the root user, create /etc/nginx/sites-available/hipchat and add the sample configuration below:

```nginx
# This is your Hipchat node's DNS name
upstream chat {
    server hipchat01.example.com:80;
    keepalive 32;
}

# HTTP to HTTPS redirection
server {
    listen 80;
    server_name hipchat.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS virtual host that proxies requests to the Hipchat node
server {
    # The "ssl" parameter of listen replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    server_name hipchat.example.com;

    ssl_certificate /etc/nginx/ssl/hipchat.crt;
    ssl_certificate_key /etc/nginx/ssl/hipchat.key;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); remove them if all of your clients support TLSv1.2
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        # HTTP/1.1 and an empty Connection header keep upstream connections alive
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Pass the original host, client address and scheme to the Hipchat node
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_read_timeout 90;
        proxy_pass http://chat;
    }
}
```
hipchat01.example.com is the DNS name of your node.
ssl_certificate and ssl_certificate_key indicate the location of your SSL certificate and key respectively.
Save the changes to the file.
Create a symbolic link to the config file under /etc/nginx/sites-available/ to enable the new config:

```
ln -s /etc/nginx/sites-available/hipchat /etc/nginx/sites-enabled/hipchat
```
Verify the main Nginx config includes the config files under /etc/nginx/sites-enabled/ in the http directive:

```
include /etc/nginx/sites-enabled/*;
```
Restart the Nginx service. The command to run depends on your environment.
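Before restarting, the site file can be checked for the TLS settings this procedure relies on. The script below is an added example, not Atlassian's code: `server_blocks`, `audit` and `SAMPLE` are hypothetical names, the sample is constructed (it uses the protocol list from the sample configuration and the legacy `ssl on;` form), and the parser assumes no quoted values containing braces, semicolons or `#`.

```python
import re

# Constructed sample: redirect block plus a TLS block in the legacy style.
SAMPLE = """
server { listen 80; return 301 https://$host$request_uri; }
server { listen 443; ssl on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
         location / { proxy_pass http://chat; } }
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996

def server_blocks(conf):
    """Return one {directive: [args, ...]} dict per server block."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    blocks, cur, words, depth, top = [], None, [], 0, 0
    for tok in tokens:
        if tok == "{":
            depth += 1
            if words == ["server"] and cur is None:
                cur, top = {}, depth      # entering a server block
        elif tok == "}":
            if cur is not None and depth == top:
                blocks.append(cur)        # leaving that server block
                cur = None
            depth -= 1
        elif tok == ";" and cur is not None and words:
            cur.setdefault(words[0], []).append(words[1:])
        if tok in "{};":
            words = []
        else:
            words.append(tok)
    return blocks

def audit(conf):
    """Return a list of findings for the server blocks in conf."""
    findings = []
    for d in server_blocks(conf):
        legacy = ["on"] in d.get("ssl", [])
        tls = legacy or any("ssl" in a for a in d.get("listen", []))
        if legacy:
            findings.append("'ssl on;' is obsolete: use 'listen 443 ssl;'")
        if tls:
            weak = sorted(DEPRECATED & {p for a in d.get("ssl_protocols", []) for p in a})
            if weak:
                findings.append("deprecated protocols enabled: " + ", ".join(weak))
        elif not any(a[-1].startswith("https://") for a in d.get("return", []) if a):
            findings.append("plain-HTTP server block does not redirect to https")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An empty result means every TLS block avoids the deprecated protocols and every plain-HTTP block redirects to HTTPS; `nginx -t` remains the check for syntax.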