How to configure a basic Nginx reverse proxy for Hipchat Data Center

Reference configuration only

This article provides an example configuration to help you set up your Hipchat Data Center deployment. However, third-party software might require extra configuration work to function in your environment. Atlassian makes a best effort to assist you with your deployment, but does not directly support these components.

Purpose

This article provides guidance on how to configure a basic NGINX reverse proxy for use in a Small-Scale Hipchat Data Center environment.

Not for Enterprise-scale Hipchat Data Center deployments

While NGINX can provide load-balancing services, it is not recommended for Enterprise-scale Hipchat Data Center deployments. If you're setting up an Enterprise-scale Hipchat deployment, see our article on HAProxy here.

Prepare

  1. Make sure the system on which Nginx will be installed meets the Hardware Requirements for the Load Balancer Node
  2. Install Nginx via the commands compatible with your operating system
  3. Set up the firewall on your reverse proxy server to accept traffic on port 443. Optionally, you can also accept traffic on port 80; the reverse proxy will redirect it to 443 anyway.
  4. Make sure a DNS record exists for the load balancer node and obtain an SSL certificate per the Reverse Proxy Configuration Requirements.  

    The process of obtaining an SSL certificate falls outside of the scope of this guide. There are plenty of resources on the Internet that can guide you through the process. For example: "How to Install an SSL Certificate from a Commercial CA"

Configure

  1. As the root user, create /etc/nginx/sites-available/hipchat and add the sample configuration below:

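    # This is your Hipchat node's DNS name
    upstream chat {
        server hipchat01.example.com:80;
        # Keep up to 32 idle connections to the node open per worker process
        keepalive 32;
    }

    # HTTP to HTTPS redirection
    server {
        listen         80;
        server_name    hipchat.example.com;
        return         301 https://$host$request_uri;
    }

    # HTTPS virtual host: terminates TLS and proxies requests to the Hipchat node
    server {
        # "listen ... ssl" replaces "ssl on;", which was removed in nginx 1.25.1
        listen                  443 ssl;
        server_name             hipchat.example.com;
        ssl_certificate         /etc/nginx/ssl/hipchat.crt;
        ssl_certificate_key     /etc/nginx/ssl/hipchat.key;
        ssl_session_cache       builtin:1000 shared:SSL:10m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once no client needs them
        ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers             HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        location / {
            # HTTP/1.1 and an empty Connection header are required for upstream keepalive
            proxy_http_version          1.1;
            proxy_set_header            Connection "";
            # Pass the original host, client address and scheme to the node
            proxy_set_header            Host $host;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_read_timeout          90;
            proxy_pass                  http://chat;
        }
    }
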
  2. hipchat01.example.com is the DNS name of your node.
  3. ssl_certificate and ssl_certificate_key indicate the location of your SSL certificate and key respectively.
  4. Save the changes to the file.

  5. Create a symbolic link in /etc/nginx/sites-enabled/ that points to the config file under /etc/nginx/sites-available/ to enable the new config:

    ln -s /etc/nginx/sites-available/hipchat /etc/nginx/sites-enabled/hipchat

  6. Verify that the main Nginx config includes the config files under /etc/nginx/sites-enabled/ in the http block:

    include /etc/nginx/sites-enabled/*;

  7. Restart the Nginx service. The command to run depends on your environment.
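
A pre-flight check for the site file created in step 1, added here as an example (it is not Atlassian's code): it flags the removed `ssl on;` directive, deprecated TLS versions, and missing headers that upstream keepalive and TLS termination at the proxy depend on. The function names and the sample input are constructed for illustration.

```shell
# Added example, not Atlassian tooling. Reads an nginx site file on stdin, prints
# one finding per line, and returns 1 if anything was found (0 if clean).
lint_hipchat_site() {
    body=$(sed 's/#.*//')          # drop comments so disabled directives are ignored
    found=0
    has()  { printf '%s\n' "$body" | grep -Eq "$1"; }
    note() { printf '%s\n' "$1"; found=1; }
    # "ssl on;" is obsolete since nginx 1.15.0 and was removed in 1.25.1.
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        note 'ssl-on: use "listen 443 ssl;" instead of "ssl on;"'
    fi
    # TLS 1.0 and 1.1 are deprecated by RFC 8996.
    if has 'ssl_protocols[^;]*[[:space:]]TLSv1(\.1)?([[:space:]]|;)'; then
        note 'legacy-tls: ssl_protocols still offers TLSv1 or TLSv1.1'
    fi
    # Upstream keepalive needs HTTP/1.1 and a cleared Connection header.
    if has '^[[:space:]]*keepalive[[:space:]]+[0-9]+'; then
        has 'proxy_http_version[[:space:]]+1\.1[[:space:]]*;' ||
            note 'keepalive: proxy_http_version 1.1 is missing'
        has 'proxy_set_header[[:space:]]+Connection[[:space:]]+""[[:space:]]*;' ||
            note 'keepalive: proxy_set_header Connection "" is missing'
    fi
    # TLS ends at the proxy, so the node must be told the original scheme.
    has 'proxy_set_header[[:space:]]+X-Forwarded-Proto[[:space:]]' ||
        note 'scheme: X-Forwarded-Proto is not forwarded to the node'
    return "$found"
}

# Constructed sample input (hypothetical site file in the older "ssl on;" style).
sample_conf() {
    cat <<'EOF'
upstream chat {
    server hipchat01.example.com:80;
    keepalive 32;
}
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}
# Lint the file given as an argument, or the sample when run without one.
if [ "$#" -gt 0 ]; then lint_hipchat_site < "$1"; else sample_conf | lint_hipchat_site || true; fi
```

Pass /etc/nginx/sites-available/hipchat as the argument to check your own file. This is a text-level check only, so also run `nginx -t` before restarting to validate the syntax of the full configuration.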


Last modified on Nov 2, 2018