NavigationContentFooter
Jump toSuggest an edit

Setting up an Nginx reverse proxy with Object Storage

Reviewed on 09 April 2024Published on 04 June 2020
  • Object-Storage
  • S3
  • reverse-proxy
  • nginx

Scaleway Object Storage provides the capability to securely store unlimited data within designated buckets. Accessing your stored data is convenient and direct, facilitated through your storage bucket.

For optimized access, you can use an Instance as a proxy, leveraging the power of Nginx as a reverse proxy. This configuration enables read-only access to the contents of your bucket.

When a client initiates an HTTP request to the Nginx proxy server, the request to retrieve a bucket is directly forwarded to the Object Storage bucket. The Object Storage platform promptly responds by delivering the requested object to Nginx, which efficiently relays it to the client.

To further enhance performance and reduce the load on the bucket, frequently accessed objects can be cached locally within Nginx.

In this setup, requested objects are temporarily stored in Nginx’s cache. Consequently, when a client requests an object, it is delivered directly from Nginx without requiring a forward request to the Object Storage platform. This caching mechanism significantly improves delivery speed and resource utilization.

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • An SSH key
  • An Instance running on Ubuntu or Debian Linux
  • An Object Storage bucket with public, readable objects

Installing Nginx as a reverse proxy

  1. Log into your Instance using SSH:
    ssh root@<your_instance_ip>
  2. Make sure the apt repositories as well as the software already installed on the Instance are up-to-date:
    apt update && apt upgrade -y
  3. Install the nginx reverse proxy using the apt package manager:
    apt install nginx -y

Configuring Nginx as a reverse proxy

  1. Open the Nginx configuration file in a text editor:

    nano /etc/nginx/nginx.conf
  2. Edit the file as follows:

    Note

    Remember to replace s3proxy.mydomain.eu with the domain name of your Instance and myobjectstoragebucket.s3.fr-par.scw.cloud with the URL of your Object Storage bucket.

    user www-data;
    worker_processes auto;
    pid /run/nginx.pid;
    include /etc/nginx/modules-enabled/*.conf;
    events {
    worker_connections 768;
    }
    http {
    default_type text/html;
    #access_log /;
    sendfile on;
    keepalive_timeout 65;
    proxy_cache_path /tmp/ levels=1:2 keys_zone=s3_cache:10m max_size=500m
    inactive=60m use_temp_path=off;
    server {
    listen 80;
    # Configure your domain name here:
    server_name s3proxy.mydomain.eu;
    access_log /var/log/s3proxy.access.log combined;
    # Configure your Object Storage bucket URL here:
    set $bucket "myobjectstoragebucket.s3.fr-par.scw.cloud";
    # This configuration provides direct access to the Object Storage bucket:
    location /s3/ {
    rewrite ^/s3/(.*) /$1 break;
    resolver 1.1.1.1;
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_set_header Connection "";
    proxy_set_header Authorization '';
    proxy_set_header Host $bucket;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_hide_header x-amz-id-2;
    proxy_hide_header x-amz-request-id;
    proxy_hide_header x-amz-meta-server-side-encryption;
    proxy_hide_header x-amz-server-side-encryption;
    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Set-Cookie;
    proxy_intercept_errors on;
    add_header Cache-Control max-age=31536000;
    proxy_pass http://$bucket;
    }
    # This configuration uses a 60 minute cache for files requested:
    location /s3_cached/ {
    resolver 51.159.47.28;
    proxy_cache s3_cache;
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_set_header Connection "";
    proxy_set_header Host $bucket;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_hide_header Authorization;
    proxy_hide_header x-amz-id-2;
    proxy_hide_header x-amz-request-id;
    proxy_hide_header x-amz-meta-server-side-encryption;
    proxy_hide_header x-amz-server-side-encryption;
    proxy_hide_header Set-Cookie;
    proxy_ignore_headers Set-Cookie;
    proxy_cache_revalidate on;
    proxy_intercept_errors on;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_lock on;
    proxy_cache_valid 200 304 60m;
    add_header Cache-Control max-age=31536000;
    add_header X-Cache-Status $upstream_cache_status;
    proxy_pass https://$bucket/;
    }
    }
    }

    Save the file and exit nano once it is edited.

  3. Make sure that there are no typos in the Nginx configuration file by syntax-checking it using the following command:

    nginx -t
  4. Restart Nginx to apply the new configuration:

    service nginx restart

You can now access the files of your bucket by going directly to http://s3proxy.mydomain.eu/s3/myfile.txt, for example. You can also access a cached version after the first retrieval by going to http://s3proxy.mydomain.eu/s3_cached/myfile.txt.

Configuring Nginx as a reverse proxy for HTTPS

Connections to your S3 proxy are currently available in plain, unencrypted HTTP only. It is possible to encrypt the connection between the client and the Nginx proxy by configuring HTTPS. To do so, we will obtain a free SSL certificate issued by Let’s Encrypt using Certbot, a tool to obtain, manage and renew Let’s Encrypt certificates automatically.

  1. Add the Certbot repository to apt to download the latest release of the software. Certbot is in active development and the packages included in Ubuntu may be already outdated.

    add-apt-repository ppa:certbot/certbot

    Press Enter when asked to confirm the action.

  2. Install Certbot for Nginx proxy reverse:

    apt install python3-certbot-nginx -y
  3. Launch the generation of the certificate.

    Note

    Replace <yourdomain.name> with the domain name of your Instance.

    certbot --nginx -d <yourdomain.name>

    When running Certbot for the first time, you will be asked to enter your email address. Confirm it by pressing Enter on your keyboard. Once confirmed Certbot will run a challenge and request the certificate.

  4. Press 2, then Enter on your keyboard when asked to redirect all traffic to HTTPS.

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

    Certbot will now reconfigure Nginx and once you see the following message your certificate is successfully installed:

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/example.com/privkey.pem
    Your cert will expire on 2019-04-15. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew *all* of
    your certificates, run "certbot renew"
    - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    - If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

You have now secured the connection between the client and your Nginx proxy using TLS. You can verify it by opening a web browser and going to https://s3proxy.mydomain.eu/s3/myfile.txt, for example. The file will be downloaded using an encrypted connection.

Docs APIScaleway consoleDedibox consoleScaleway LearningScaleway.comPricingBlogCarreer
© 2023-2024 – Scaleway