Using a proxy and the Internet (NGINX)

The people at Bizagi helped us debug how to set up a proxy redirect for NGINX. Version 10.7 security didn't validate the info within the cookie, and v11 now does. We had to get the proxy to rewrite the cookies for it to work.

The use case: you want to expose Bizagi over HTTPS on a single WAN IP connection, but you might also want to host other content, other servers, etc.

The configuration below shows a typical setup:

# NGINX help for using with Bizagi v11
# Shows port redirection and cookie domain rewrite
#
# Example based on this information, change accordingly for your setup:
# - domain name: bizagi.com
# - For the FQDN https://secure.bizagi.com, the WAN IP will hit your company firewall, then that hit is
#   forwarded to the proxy NGINX (both usually in the DMZ) and the proxy can talk to the internal network
#   and the DMZ network.
# - The internal Bizagi IIS server is on IP address 172.16.0.46
# - The default port # was changed from 80 to 8080
# - The Bizagi project name is "CustomerSupport"
#
# What is required:
# That https://secure.bizagi.com/CustomerSupport is the same as using internally
# http://172.16.0.46:8080/CustomerSupport
#
# In this manner, NGINX can redirect to multiple Bizagi projects, multiple web servers
#
# Cookie situation - the cookies must be rewritten by NGINX, because Bizagi thinks the url is
# "/CustomerSupport", and thus writes that information into the cookie.
# However the user will have "secure.bizagi.com/CustomerSupport" in the cookie. Bizagi's security will
# reject the login; pressing F12 in the browser, you will see an authentication error.
#

server {
    # Redirect all plain HTTP requests to HTTPS
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    # Standard stuff in this section
    listen 443 ssl http2;
    server_name nginx.bizagi.com;
    root /var/www/bizagi/;

    ssl_certificate /etc/nginx/ssl/www.bizagi.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.bizagi.com.key;

    # "ssl on;" is not needed: "listen 443 ssl" already enables TLS, and the directive is deprecated
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them if all your clients support TLSv1.2
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/bizagi.access.log;

    error_page 404 /custom_404.html;
    location = /custom_404.html {
        root /var/www/bizagi/;
        internal;
    }

    error_page 500 502 503 504 /custom_50x.html;
    location = /custom_50x.html {
        root /var/www/bizagi/;
        internal;
    }

    location /.well-known/acme-challenge/ {
        alias /var/www/bizagi/;
        try_files $uri =404;
    }

    location /CustomerSupport/ {
        # Pass the original host, client address and scheme on to the Bizagi server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Bizagi needs the cookie info to match what the url used was, the two lines below will
        # do this, making outgoing & incoming cookies match so that Bizagi's security accepts it
        proxy_cookie_domain ~.* .$host;
        proxy_cookie_path ~.* /CustomerSupport/;

        # put your server ip address and port #, 8080 is a common port redirect value
        proxy_pass http://172.16.0.46:8080/CustomerSupport/;
        proxy_read_timeout 90;

        # rewrite Location headers that point at the internal server so that they use the
        # public host name (the internal IP is not reachable from outside)
        proxy_redirect http://172.16.0.46:8080/CustomerSupport/ https://$host/CustomerSupport/;
    }
}
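
A way to check, from captured response headers, whether the cookie rewrite is doing its job. This is an added example, not part of the original post or Bizagi's code: it applies the RFC 6265 domain and path matching rules to a Set-Cookie value and reports why a browser at the public URL would drop or never return the cookie. The cookie name and both sample headers are constructed.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical, or host ends with '.' + domain (leading dot ignored)."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: equal, or cookie path is a prefix ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookie_problems(set_cookie, public_url):
    """List reasons a browser at public_url would drop or never return the cookie."""
    url = urlsplit(public_url)
    name, attrs = parse_set_cookie(set_cookie)
    problems = []
    if "domain" in attrs and not domain_match(url.hostname, attrs["domain"]):
        problems.append(f"{name}: Domain={attrs['domain']} does not match {url.hostname}")
    if "path" in attrs and not path_match(url.path or "/", attrs["path"]):
        problems.append(f"{name}: Path={attrs['path']} does not cover {url.path}")
    return problems

# Constructed sample headers (cookie name and values are hypothetical).
PUBLIC_URL = "https://secure.bizagi.com/CustomerSupport/"
FROM_BACKEND = "SessionId=abc123; Domain=172.16.0.46; Path=/CustomerSupport/App; HttpOnly"
AFTER_PROXY = "SessionId=abc123; Domain=secure.bizagi.com; Path=/CustomerSupport/; HttpOnly"

if __name__ == "__main__":
    for label, header in (("backend", FROM_BACKEND), ("proxy", AFTER_PROXY)):
        print(label, cookie_problems(header, PUBLIC_URL) or "ok")
```

Paste in the Set-Cookie values shown in the browser's F12 network tab to see which attribute is causing a rejection.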