NGINX service configuration
DerScanner uses an NGINX reverse-proxy server. The NGINX configuration file is not intended to be edited directly. To configure the proxy server, change the variables in the /opt/derscanner/app/configs/frontend.env file.
HTTPS connection setup
By default, DerScanner uses HTTP. To switch to HTTPS, you need a certificate and a private key without a password for the selected domain name. Upload them to the host where the APP module is installed, into /opt/derscanner/app/services/frontend/nginx/ssl (set the access mode of the private key to 600).
After that, edit /opt/derscanner/app/configs/frontend.env by changing the SSL_STATE value to on, and add two additional fields:
- SSL_CERT_NAME with the name of the certificate you add.
- SSL_KEY_NAME with the name of the private key.
Example:
...
SSL_STATE=on
SSL_CERT_NAME=my_certificate.cer
SSL_KEY_NAME=my_private_key.key
To apply changes, restart the APP module service:
sudo systemctl restart derscanner-app.service
Note that you do not need to configure HTTP to HTTPS request redirection separately. It is enabled automatically when HTTPS is used.
Server connection timeout configuration
For NGINX configuration, the following directives are used for timeout management:
proxy_connect_timeout ${TIMEOUT_SCOPE};
proxy_send_timeout ${TIMEOUT_SCOPE};
proxy_read_timeout ${TIMEOUT_SCOPE};
send_timeout ${TIMEOUT_SCOPE};
Every parameter uses the TIMEOUT_SCOPE variable. You can edit its value in the /opt/derscanner/app/configs/frontend.env configuration file. The default value is 600.
To apply changes, restart the APP module service:
sudo systemctl restart derscanner-app.service
Client request size configuration
To limit the size of client requests, NGINX uses the client_max_body_size directive. Its value is set by the CLIENT_MAX_BODY_SIZE variable in the /opt/derscanner/app/configs/frontend.env configuration file. The default value is 4GB.
To apply changes, restart the APP module service:
sudo systemctl restart derscanner-app.service
Please note:
This variable can be used to limit the size of the archives that are uploaded for analysis in DerScanner. However, the corresponding change should also be made in the administrator's interface, under Admin Panel > System > General > Size limit for uploaded files (bytes). The CLIENT_MAX_BODY_SIZE value should be greater than or equal to the value of the Size limit for uploaded files field.
Figure 10.82: Size limit for uploaded files setting
NGINX configuration custom settings
To customize the NGINX configuration file, add variables with multiline values to the /opt/derscanner/app/configs/frontend.env file. Each variable is responsible for additional settings in the respective section of the preset NGINX configuration file.
Section | Variable Name |
---|---|
server | SERVER_BASE |
location / | LOCATION_ROOT |
location /app | LOCATION_APP |
location /app/ws | LOCATION_APP_WS |
server (redirect) | SERVER_REDIRECT |
To view the preset NGINX configuration file, execute:
sudo docker exec frontend cat /etc/nginx/templates/default.conf.template
For each section, the preset configuration file already has configured directives and nested sections that cannot be redefined. A variable with the configuration directive(s) should contain a string enclosed in quotation marks. Use a different type of quotes (single/double) for the variable if the directive value is also enclosed in quotation marks.
The SERVER_REDIRECT variable should only be used with an HTTPS connection, to make changes to the server section that handles HTTP to HTTPS redirection.
Example of a multiline variable for the server section (file: /opt/derscanner/app/configs/frontend.env):
CLIENT_MAX_BODY_SIZE=4G
TIMEOUT_SCOPE=600
SSL_STATE=off
SERVER_BASE="
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection '1; mode=block';"
Figure 10.83: Configuration example
To apply changes, restart the APP module service:
sudo systemctl restart derscanner-app.service
The frontend log also shows that a multiline variable is set in the configuration file. To view the log, execute:
sudo docker logs frontend
Figure 10.84: Frontend log after changes
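A check to run before restarting the service, as an added example (not DerScanner's own code): it parses frontend.env, including multiline quoted variables, then verifies the HTTPS prerequisites and the CLIENT_MAX_BODY_SIZE rule described above. The function names, the quoting rule used by the parser, and the upload limit passed in by hand from the Admin Panel are assumptions.

```python
import os, re, stat

# Constructed sample modelled on the page's frontend.env example, with SSL switched on.
SAMPLE_ENV = """CLIENT_MAX_BODY_SIZE=4G
SSL_STATE=on
SSL_CERT_NAME=my_certificate.cer
SSL_KEY_NAME=my_private_key.key
SERVER_BASE="
add_header X-XSS-Protection '1; mode=block';"
"""
UNITS = {"": 1, "k": 1024, "m": 1024**2, "g": 1024**3}  # NGINX size suffixes
# Assumed quoting rule: a value opening with " or ' runs to the matching quote,
# so the "mode=block" line inside SERVER_BASE is not mistaken for a variable.
ENV_RE = re.compile(r"""^([A-Z_][A-Z0-9_]*)=(?:"([^"]*)"|'([^']*)'|(.*))$""", re.M)

def parse_env(text):
    """Return {name: value} for every variable in a frontend.env style text."""
    return {m[1]: next(g for g in m.groups()[1:] if g is not None)
            for m in ENV_RE.finditer(text)}

def to_bytes(size):
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", size.strip())
    if not m:
        raise ValueError(f"not an NGINX size: {size!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def check(env_text, ssl_dir, upload_limit_bytes):
    """Return a list of findings; an empty list means every check passed."""
    env, findings = parse_env(env_text), []
    if env.get("SSL_STATE") == "on":
        for var in ("SSL_CERT_NAME", "SSL_KEY_NAME"):
            path = os.path.join(ssl_dir, env.get(var) or "?")
            if not os.path.isfile(path):
                findings.append(f"{var} unset or file missing in {ssl_dir}")
            elif var == "SSL_KEY_NAME":
                if stat.S_IMODE(os.stat(path).st_mode) != 0o600:
                    findings.append("private key mode is not 600")
                with open(path, errors="replace") as f:  # PEM header lines only
                    if any("ENCRYPTED" in l for l in f if l[:5] in ("-----", "Proc-")):
                        findings.append("private key is password-protected")
    # Fall back to the page's default (4GB, written 4G as in its example).
    if to_bytes(env.get("CLIENT_MAX_BODY_SIZE", "4G")) < upload_limit_bytes:
        findings.append("CLIENT_MAX_BODY_SIZE is below the upload size limit")
    return findings

if __name__ == "__main__":
    ssl_dir = "/opt/derscanner/app/services/frontend/nginx/ssl"
    print(check(SAMPLE_ENV, ssl_dir, 4 * 1024**3) or "all checks passed")
```

The password check only recognises PEM-encoded keys; a DER-encoded key needs a separate test.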