Running Solid behind a reverse proxy

Nick Bell edited this page Oct 13, 2018 · 12 revisions

Need: Running Solid alongside other services on a single port

If you want to run multiple services on port 443 of a single machine, you need a reverse proxy (such as NGINX) to route at the HTTP level between the different back-end services.

One of Solid's authentication mechanisms is WebID-TLS: the client sends its client certificate during the TLS handshake. However, by default, this requires the client to set up a TLS connection directly with the Solid server: if the TLS handshake is performed by an intermediary, the Solid server cannot see the client certificate.

Solution 1: Run Solid on a different port

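When Solid runs on a different port than the reverse proxy, clients connect to Solid directly and bypass the proxy, so the TLS handshake (and with it the client certificate) reaches the Solid server.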

The drawbacks are uglier URLs (such as https://example.org:1234/), and possibly firewall problems (if only ports 80 and 443 are allowed).

Solution 2: HAProxy

Example of a config:

https://gist.github.com/melvincarvalho/17c2675978576ed37f83c88fbc0a9327

Advanced usage:

https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-1/
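
As an added example (not taken from the linked gist or from the Solid project), one way to share port 443 while still letting the Solid server see the client certificate is to run HAProxy in TCP mode and route on the TLS SNI hostname without terminating TLS. The hostname `solid.example.org`, the back-end names and the ports are assumptions.

```haproxy
# Added example: TLS passthrough with SNI-based routing.
# HAProxy does not terminate TLS here, so the client's handshake,
# including its client certificate, is completed by the Solid server.

defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend tls_in
    bind :443
    # Wait for the ClientHello so the SNI hostname can be inspected
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # Assumed hostname for the Solid server
    use_backend solid if { req_ssl_sni -i solid.example.org }
    # Everything else goes to the other HTTPS service
    default_backend other_https

backend solid
    # Assumed address and port of the Solid server (it serves TLS itself)
    server solid1 127.0.0.1:8443

backend other_https
    # Assumed address and port of another TLS-terminating service
    server web1 127.0.0.1:8444
```

Because HAProxy never decrypts the traffic in this mode, it can route only on the hostname in the ClientHello, not on URL paths or HTTP headers.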

Solution 3: Apache

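    # Let mod_proxy open TLS connections to the back end
    SSLProxyEngine On
    # The next four lines disable verification of the back-end certificate
    # (chain, CN, hostname, expiry); the back end here is on localhost
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    # Pass the original Host header through to the back end
    ProxyPreserveHost on
    # Forward all requests to the back end on port 8444 and rewrite its redirects
    ProxyPass / https://localhost:8444/
    ProxyPassReverse / https://localhost:8444/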

see: https://github.com/linkeddata/gold/issues/88

see: https://gitter.im/linkeddata/chat?at=5a54c72fb48e8c3566bba507
