Pexip Reverse Proxy – Hosting unique branding for multiple domains and/or sub-directories

To serve unique branding for users browsing to a unique domain hosted on the Pexip packaged Reverse Proxy, it is quite a simple task to create an individual nginx configuration file per domain. This can get a little onerous when one needs to do this on a regular basis. When you create a new configuration file, you must make sure that nothing is duplicated, because all the configuration files are loaded separately and items such as upstream servers can only be defined once.

To combat this, it makes sense to pull some of the common configuration parameters out of the default nginx configuration, add them to shared files and pull them into the individual server blocks when needed. This allows us to streamline a single configuration file and, when adding new domains, only alter the bits that are relevant to the domain that the end user connects to. The reason we need a server block per domain, in addition to defining the branding alias, is to specify the SSL certificate for the specific domain, because the path for the SSL file location cannot include a variable.

Below is an example of a configuration on the Reverse Proxy for hosting two domains:

vc.abc.com
vc.xyz.com

This method allows users to provide different branding for each domain FQDN, as well as a way to offer sub-branding. For example, https://vc.abc.com/ will provide ABC’s branding. If XYZ wants to provide further branding, say for a department, this can be done by browsing to a sub-directory:

https://vc.abc.com provides the ABC default brand
https://vc.xyz.com/marketing provides the branding for XYZ’s marketing department

Install Pexip Reverse Proxy

First install the Pexip packaged Ubuntu virtual machine with nginx pre-installed:
https://docs.pexip.com/rp_turn/rpturn_deploy_steps.htm

Reconfigure nginx

SSH into the Reverse Proxy.

The out of the box default nginx configuration is located in the /etc/nginx/sites-enabled directory. If you want to have a look at the default configuration you can view it by typing:

cat /etc/nginx/sites-enabled/pexapp

Note the part at the top of the file that points to the Pexip Conference nodes.

example:

# Upstream servers
upstream pexip {
     ip_hash;
     server 10.61.0.60:443 weight=1 max_fails=2 fail_timeout=30s;
     server 10.61.0.63:443 weight=1 max_fails=2 fail_timeout=30s;
     keepalive 1024;
}

We will need this bit later on, so copy it to Notepad or similar for later use.

Create common include files

Create the files:

sudo touch /etc/nginx/includes/common_locations.conf
sudo touch /etc/nginx/includes/common_server.conf
sudo touch /etc/nginx/includes/common_upstream.conf

Edit the common_locations.conf file:

sudo nano /etc/nginx/includes/common_locations.conf

Paste in the following and save the file:

 rewrite ^/([a-zA-Z0-9-\.]+?)/(?!webapp|configuration|plugins|js|languages|css|img|assets|fonts)([a-zA-Z0-9-\.]+)/?$ /$1/#/?conference=$2 permanent;

 # Using a local folder in /var/www/branded for the configuration
 location ~ ^/(?!static|api|webapp)(.+)/configuration/(.+)$ {
     alias /var/www/branded/$1/$2;
     access_log /var/log/nginx/branded.access.log;
     error_log /var/log/nginx/branded.error.log;
     add_header Access-Control-Allow-Origin *;
 }

 # Adding a trailing / if using https://domain/cust
 location ~ ^/(?!static|api|webapp)([a-zA-Z0-9]+)$ {
     return 301 /$1/;
     access_log /var/log/nginx/branded.access.log;
     error_log /var/log/nginx/branded.error.log;
 }

 # Redirecting all other files to /webapp on the Conference nodes
 location ~ ^/(?!static|api|webapp)(.+)/(.*) {
     rewrite ^/(?:[^/]+)/(.*)$ /webapp/$1 break;
     proxy_pass https://pexip;
     access_log /var/log/nginx/branded.access.log;
     error_log /var/log/nginx/branded.error.log;
 }

location /api {
    proxy_next_upstream http_500 http_502 http_503 http_504 error timeout;
    proxy_pass https://pexip;
    proxy_redirect off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_connect_timeout 20s;
    access_log /var/log/nginx/pexapp.access.log pexapplog;
    error_log /var/log/nginx/pexapp.error.log;
    include /etc/nginx/includes/pex-ldap-api.conf;
}

location /webapp {
    proxy_pass https://pexip;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_redirect off;
    proxy_connect_timeout 3s;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /var/log/nginx/webapp.access.log;
    error_log /var/log/nginx/webapp.error.log;
}

location /static/webrtc {
    proxy_pass https://pexip;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_redirect off;
    proxy_connect_timeout 3s;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    access_log /var/log/nginx/webrtc.access.log;
    error_log /var/log/nginx/webrtc.error.log;
}

location /stats {
    root /var/www;
    allow 10.0.0.0/8;
    deny all;
    access_log /var/log/nginx/stats.access.log;
    error_log /var/log/nginx/stats.error.log;
}

location /404.html {
    root /var/www;
}

location /50x.html {
    root /var/www;
}

Edit the common_server.conf file:

sudo nano /etc/nginx/includes/common_server.conf

Paste in the below configuration and save:

ssl_protocols TLSv1.2; # SSLv3 dropped (ref: POODLE); TLSv1 and TLSv1.1 removed as deprecated (RFC 8996)
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!RC4:!MD5:!aNULL:!DH:!EDH; # RC4 excluded (prohibited by RFC 7465)
ssl_prefer_server_ciphers on;

error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;

# Redirect from web root to /webapp
location / {
    return 301 /webapp;
}

Now we want to edit the common_upstream.conf file:

sudo nano /etc/nginx/includes/common_upstream.conf

Here is where you will need the upstream configuration that you pulled from the default configuration above. Paste the contents below and replace the upstream section (IP addresses) with what was in your configuration.

# Upstream servers
upstream pexip {
    ip_hash;
    server 10.61.0.60:443 weight=1 max_fails=2 fail_timeout=30s;
    server 10.61.0.63:443 weight=1 max_fails=2 fail_timeout=30s;
    keepalive 1024;
}

So these three files will hold the common configuration for all your domains.

Create new configuration

Delete the default configuration file from the working directory:

sudo rm /etc/nginx/sites-enabled/pexapp

If you need it later on, the original is located at: /etc/nginx/sites-available/pexapp.

Create a new file. You can call it what you want. For this example, I have called it pexapp-multi.

sudo touch /etc/nginx/sites-available/pexapp-multi

Now edit the file:

sudo nano /etc/nginx/sites-available/pexapp-multi

..and paste in the below:

include /etc/nginx/includes/common_upstream.conf;

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# Config for vc.abc.com
server {
    listen 443 ssl;
    server_name vc.abc.com;

    ssl_certificate ssl/vc.abc.com.pem;
    ssl_certificate_key ssl/vc.abc.com.pem;
    ssl_session_timeout 5m;
    include /etc/nginx/includes/common_server.conf;

    location ~ ^/webapp/configuration/(.+)$ {
            alias /var/www/branded/vc.abc.com/$1;
            access_log /var/log/nginx/webrtc.access.log;
            error_log /var/log/nginx/webrtc.error.log;
    }
    include /etc/nginx/includes/common_locations.conf;

}

# Config for vc.xyz.com
server {
    listen 443 ssl;
    server_name vc.xyz.com;
    ssl_certificate ssl/vc.xyz.com.pem;
    ssl_certificate_key ssl/vc.xyz.com.pem;
    ssl_session_timeout 5m;
    include /etc/nginx/includes/common_server.conf;
    
    location ~ ^/webapp/configuration/(.+)$ {
            alias /var/www/branded/vc.xyz.com/$1;
            access_log /var/log/nginx/webrtc.access.log;
            error_log /var/log/nginx/webrtc.error.log;
    }
    include /etc/nginx/includes/common_locations.conf;

}

Replace vc.abc.com and vc.xyz.com with the FQDNs of the two domains that you are hosting.

Now we want to make the new config active by creating a symbolic link in the /etc/nginx/sites-enabled directory that points to the file in the /etc/nginx/sites-available directory. To do this:

sudo ln -s /etc/nginx/sites-available/pexapp-multi /etc/nginx/sites-enabled/

Branding files

As you have probably worked out from the configuration file above, there is an individual aliasing for the ^/webapp/configuration/ directory per domain. This directory is where the Pexip webapp branding files are located. Aliasing per domain FQDN allows us to deliver a unique branding experience and settings for each domain.

Create branding files for each domain at: https://branding.pexip.com and download the ZIP file. Extract the files and rename the folder to the same name as your domain FQDN, i.e.  vc.abc.com or vc.xyz.com

On the Reverse Proxy, create a folder in the /var/www directory:

sudo mkdir -p /var/www/branded

Now give it the appropriate ownership:

sudo chown -R $USER:$USER /var/www/branded

SCP the branding folder(s) (i.e. vc.abc.com or vc.xyz.com) into the above directory using WinSCP for Windows or via terminal for Mac users:

Mac:

scp -r <local-path>/vc.abc.com pexip@<reverse-proxy-address>:/var/www/branded/

Repeat for the other branding folder.
Now give the folder appropriate permissions:

sudo chmod -R 755 /var/www/branded

Restart nginx:

sudo service nginx restart
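
A pre-flight check to run before the restart, as an added example that is not part of the original post or of Pexip's tooling: it catches the duplicate-upstream, missing-certificate and missing-branding-folder mistakes that this layout makes possible. The function names and the CONF and WEB variables are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the multi-domain layout on this page (added example;
# the function names and the CONF/WEB variables are assumptions).
CONF=${CONF:-/etc/nginx}      # conf prefix; relative certificate paths resolve here
WEB=${WEB:-/var/www/branded}  # where the /var/www/branded aliases point on disk

# Upstream names declared more than once across the enabled sites and shared
# includes (over-approximates: includes that no site references are scanned too).
dup_upstreams() {
    cat "$CONF"/sites-enabled/* "$CONF"/includes/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*upstream[[:space:]]\{1,\}\([^[:space:]{]*\).*/\1/p' |
        sort | uniq -d
}

# Certificate and key paths named in site file $1 that do not exist on disk.
missing_certs() {
    sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;]*\);.*/\2/p' "$1" |
        sort -u | while read -r p; do
            case $p in /*) f=$p ;; *) f=$CONF/$p ;; esac
            [ -f "$f" ] || echo "$f"
        done
}

# Per-domain branding folders referenced by alias lines in $1 that do not exist.
missing_branding() {
    sed -n 's|^[[:space:]]*alias[[:space:]]\{1,\}/var/www/branded/\([^/$;]*\)/.*|\1|p' "$1" |
        sort -u | while read -r d; do
            [ -d "$WEB/$d" ] || echo "$WEB/$d"
        done
}

# Run every check against site file $1; non-zero if any reports a problem.
preflight() {
    site=$1 rc=0
    for check in dup_upstreams "missing_certs $site" "missing_branding $site"; do
        out=$($check)
        [ -z "$out" ] || { echo "FAIL ${check%% *}: $out" >&2; rc=1; }
    done
    return $rc
}

# On the proxy, chain the checks, nginx's own syntax test, then the restart:
# preflight /etc/nginx/sites-enabled/pexapp-multi && sudo nginx -t && sudo service nginx restart
```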

SSL Certificate

As you may have noticed in the pexapp-multi config, each server block points to its own corresponding SSL certificate and key file(s). Follow the guide below to replace the respective certificates for each domain FQDN:
https://docs.pexip.com/rp_turn/rpturn_replace_certificate.htm

Related: Letsencrypt Certificate on Pexip Reverse Proxy (Nginx)

4 thoughts on “Pexip Reverse Proxy – Hosting unique branding for multiple domains and/or sub-directories”

  1. Hi Dennis,

    Thank you for this helpful and easy to follow guide!
    I’m working on the RP and got to the point where I need to restart the nginx service after I added branding themes to /var/www/branded.

    The sudo service nginx restart command returns the following error:

    Restarting nginx: nginx: [emerg] pcre_compile() failed: unrecognized character after (? or (?- in “^(www\.)?(?.+)$” at “.+)$” in /etc/nginx/sites-enabled/pexapp-multi:6
    nginx: configuration file /etc/nginx/nginx.conf test failed

    Any ideas?

    Thanks


      1. I have done the above and now nginx is complaining again about line 6 which is server_name_;

        Restarting nginx: nginx: [emerg] unknown directive “server_name_” in /etc/nginx/sites-enabled/pexapp-multi:6
        nginx: configuration file /etc/nginx/nginx.conf test failed

        This is the beginning of my pexapp-multi file:

        include /etc/nginx/includes/common_upstream.conf;

        # Redirect HTTP to HTTPS
        server {
        listen 80 default_server;
        server_name_;
        return 301 https://$host$request_uri;
        }
