From version 4.0 of the IV Installer, the nginx reverse proxy is included in the installer.
This document covers manual installation, for use with older versions of the installer.
Background
From Intelligent Voice version 6.0, two different sets of certificates are used:
Internal communication between containers relies on certificates signed by an internal CA created by the IV installer, with domain names *.intelligentvoice.ivlocal
External communication, such as when users connect to the JumpToWeb web application, or when external applications connect to the IV API, uses a different certificate, which can be one of:
A self-signed certificate generated by the IV installer
A certificate file selected at installation time, such as one issued by a corporate or public CA
A certificate issued by Let's Encrypt, which the installer requests using DNS or HTTP authentication
Before starting
Acquire the certificate and key from your CA in PEM file format.
Configure your DNS so that the hostname shown on the certificate resolves to your IV server.
Steps to set up nginx container as reverse proxy
This can be done on the same server as the IV API and JumpToWeb, or a different server. If using a different server, note the different hostnames required for nginx.conf.
Change the jumptoweb listening port from 443 to 2443. Edit the config file /opt/intelligent-voice/docker-compose.jumptoweb.yml:

    ports:
      - "80:80"
      - "2443:443"
Put the trusted server certificate and server key in a location of your choice, for example /opt/jumpto/ssl.
Create an nginx configuration file (e.g. /opt/intelligent-voice/data/nginx/nginx.conf) which stores the configuration for the proxy redirect. The following parameters need to be changed:
<hostname> (this should match the hostname on the certificate)
<hostname-of-jumptoweb> (can be the same server or a different server)
<hostname-of-vrx-servlet> (can be the same server or a different server)
Location of the server cert/key files inside the container (the ssl_certificate and ssl_certificate_key paths)
Sample content:
    events {
        worker_connections 1024;
    }

    http {
        server {
            listen 80;
            server_name <hostname>;
            location / {
                return 301 https://$host$request_uri;
            }
        }

        server {
            listen 443 ssl http2;
            server_name <hostname>;
            client_max_body_size 5000M;

            ssl_certificate /opt/jumpto/ssl/server-cert.pem;
            ssl_certificate_key /opt/jumpto/ssl/server-key.pem;
            ssl_session_timeout 1d;
            ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
            ssl_session_tickets off;

            # intermediate configuration
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
            ssl_prefer_server_ciphers off;

            location / {
                proxy_pass https://<hostname-of-jumptoweb>:2443;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
            }

            location /vrxServlet {
                proxy_pass https://<hostname-of-vrx-servlet>:8443;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
            }

            location /JumpToWeb {
                proxy_pass https://<hostname-of-jumptoweb>:2443;
                proxy_set_header Host $http_host;
                proxy_set_header X-Real-IP $remote_addr;
            }
        }
    }
Create the docker-compose file /opt/intelligent-voice/docker-compose.nginx.yml, which stores the container configuration (mapping of local directories and the ports to open):

    version: '3'
    services:
      nginx:
        image: nginx
        container_name: nginx-proxy
        restart: unless-stopped
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - "${DATA_DIRECTORY}/nginx/nginx.conf:/etc/nginx/nginx.conf"
          - "/opt/jumpto/ssl:/opt/jumpto/ssl:ro"
Create the nginx service file /etc/systemd/system/nginx.service:

    [Unit]
    After = local-fs.target network.target docker.service
    Description = nginx service

    [Service]
    User = root
    Type = oneshot
    RemainAfterExit = yes
    WorkingDirectory = /opt/intelligent-voice
    ExecStart = /usr/bin/docker compose -f docker-compose.nginx.yml up -d
    ExecStop = /usr/bin/docker compose -f docker-compose.nginx.yml down
    SyslogIdentifier = nginx-proxy

    [Install]
    WantedBy = multi-user.target
Restart jumptoweb and start the nginx service:

    sudo systemctl restart jumptoweb
    sudo systemctl start nginx.service
Enable the nginx service so it starts on boot:

    sudo systemctl enable nginx.service
Verification
You can now test that your trusted certificate is being served by both the IV API and the JumpToWeb site.
The addresses to test will be:
https://<hostname>/vrxServlet/v2/version
This should prompt you for API credentials and then show you the IV version.
https://<hostname>/JumpToWeb/
This should show you a web page allowing you to log in to JumpToWeb.
Both of these links should now be served using your trusted certificate.
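The two checks below, one before starting the proxy (no <...> placeholders left in nginx.conf and each proxy_pass pointing at the upstream port the page specifies) and one after (the certificate served on 443 validates against the system trust store and the hostname, so a leftover self-signed or internal-CA certificate is reported rather than silently accepted), are an added example and not part of the IV installer; the hostname iv.example.com and the sample configuration are constructed for illustration.

```python
"""Pre-flight and post-deploy checks for the nginx reverse proxy set up above."""
import re
import socket
import ssl

PLACEHOLDER = re.compile(r"<[a-z-]+>")
# Upstream port expected per location, taken from the sample nginx.conf on this page.
EXPECTED_UPSTREAM_PORTS = {"/": 2443, "/JumpToWeb": 2443, "/vrxServlet": 8443}
# location <path> { ... proxy_pass https://<host:port> ; captures path and host:port
PROXY_PASS = re.compile(r"location\s+(\S+)\s*\{[^}]*?proxy_pass\s+https?://([^;/]+)")


def unreplaced_placeholders(conf_text):
    """Return the <...> tokens still present in nginx.conf (should be empty)."""
    return sorted(set(PLACEHOLDER.findall(conf_text)))


def proxy_targets(conf_text):
    """Map each location block to the host:port its proxy_pass points at."""
    return dict(PROXY_PASS.findall(conf_text))


def upstream_port_problems(conf_text):
    """List locations whose proxy_pass port differs from the port the page expects."""
    problems = []
    for loc, target in proxy_targets(conf_text).items():
        port = int(target.rsplit(":", 1)[1]) if ":" in target else 443
        expected = EXPECTED_UPSTREAM_PORTS.get(loc)
        if expected is not None and port != expected:
            problems.append(f"{loc}: proxy_pass uses port {port}, expected {expected}")
    return problems


def served_certificate(hostname, port=443):
    """Connect to the proxy and return its leaf certificate. The default context
    verifies the chain against the system trust store and checks the hostname,
    so it raises ssl.SSLCertVerificationError if the proxy still serves the
    installer's self-signed or internal-CA certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample: one placeholder left in place and one wrong upstream port.
SAMPLE_CONF = """
server { listen 443 ssl http2; server_name iv.example.com;
  location / { proxy_pass https://iv.example.com:2443; }
  location /vrxServlet { proxy_pass https://<hostname-of-vrx-servlet>:443; }
  location /JumpToWeb { proxy_pass https://iv.example.com:2443; }
}
"""

if __name__ == "__main__":
    print("placeholders:", unreplaced_placeholders(SAMPLE_CONF))
    print("port problems:", upstream_port_problems(SAMPLE_CONF))
```

Run the two config checks against your real nginx.conf before `systemctl start nginx.service`, and call served_certificate("<hostname>") from a machine outside the IV network once the proxy is up.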