If you like my work, please consider supporting its development.

This guide goes over how to set up Nebula Forms behind a reverse proxy. This is necessary to make Nebula available from a specific (sub)domain and on the standard HTTP ports when other servers are running on the host. This guide uses Nginx.

Install Nginx

Nginx is included in the repositories of most, if not all Linux distributions and FreeBSD. Use the package manager to install. If you want/need a newer version, see if Nginx offers an official repository for your system.

If you’re using Fedora Server, you can use the RHEL/CentOS repositories, though you may run into issues down the road because of the differing release schedules.

Set Up Nebula Forms

If you haven’t already, follow the docker setup guide to get Nebula Forms running on your server.

Nginx Configuration

Nebula Forms can be configured to respond to requests on a given domain, (e.g. https://forms.example.com) or only on a subdirectory on that domain (e.g. https://example.com/forms).

Copy and paste the following configuration file onto your server. Depending on what system you are running, it should go either in `/etc/nginx/conf.d` or `/etc/nginx/sites-available` as e.g. `nebula.conf`.
# Redirect insecure connections to HTTPS
server {
    listen         80;
    server_name    forms.example.com; 

    # Change root to a directory where files can be written to verify
    # this server/domain with Let's Encrypt
    root /var/www/forms.example.com/;

    location /.well-known/acme-challenge {
        try_files $uri $uri/ =404;
    }
    
    # Redirects connections to HTTPS if it isn't Let's Encrypt
    return         301 https://$server_name$request_uri;
}

server {
    listen       443 ssl http2;
    server_name  forms.example.com;

    # Uncomment the below ssl_* lines once this domain is set up
    # with an SSL certificate, e.g. with Let's Encrypt. Also
    # uncomment the add_header line below if you want to enable HSTS.
    # Don't enable unless you know what HSTS is. Then you should
    # really enable it.

    #ssl_certificate      /etc/letsencrypt/live/forms.example.com/fullchain.pem;
    #ssl_certificate_key  /etc/letsencrypt/live/forms.example.com/privkey.pem;

    #ssl_session_timeout  5m;

    #ssl_ciphers  HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers  on;

    # Uncomment to enable HSTS headers for your site
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;

    #charset koi8-r;
    #access_log  logs/host.access.log  main;

    # Change root to a directory where files can be written to verify
    # this server/domain with Let's Encrypt
    root /var/www/forms.example.com/;

    # Add this block in the SSL connection as well for renewing certificates
    location /.well-known/acme-challenge {
        try_files $uri $uri/ =404;
    }

    # Reverse proxy to Nebula Forms
    location / {
        # Change the port on this line to whatever port on the host
        # Nebula is listening on.
        proxy_pass http://127.0.0.1:2002;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Origin $http_origin;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Don't expose server info
    server_tokens off;

    # Don't allow iframing except on same site/server
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Browsers display things is mime type specified, not sniffed
    # Prevents trying to load an exacutable as "text/html"
    add_header X-Content-Type-Options "nosniff" always;
}
To make Nebula listen on a subdirectory of an existing domain, e.g. at https://example.com/forms, copy the below configuration block into that domain's configuration file.
location /forms/ {
    # Uncomment to rewrite requests for /forms/foo to /foo for
    # a server configured to listen on path /foo. Useful so you
    # don't have to prefix every path in the config file(s) with
    # "/forms".
    # If this prefix is okay with you, leave the rewrite commented.
    # If you want a different prefix, change the "location" line
    # above and the rewrite statement below to whatever prefix you
    # prefer.
    #rewrite ^/forms/?(.*)$ /$1 break;
    proxy_pass http://127.0.0.1:2002;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Origin $http_origin;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Reload Nginx

Reload Nginx to use the new/updated configuration. The exact command to do so differs based on what system the server is running.

Ubuntu, Debian, Fedora, RHEL/CentOS, openSUSE/SLES, Arch, and other systems using systemd:

systemctl reload nginx

Alpine, Gentoo, Funtoo, Devuan, TrueOS, and other systems using OpenRC:

rc-service nginx reload

FreeBSD and other systems using rc:

service nginx reload

Optional: Let’s Encrypt

An optional, but highly recommended (it’s assumed in the above Nginx configurations), step is to get an SSL certificate through Let’s Encrypt.

To start, install certbot on your server.

Package names:

  • Arch, CentOS, Debian, Fedora, Gentoo, openSUSE, Ubuntu: certbot
  • FreeBSD: py36-certbot

The binary may have different names, depending on what system you’re running on the server. Examples include certbot, certbot-3, certbot-36, and letsencrypt. The commands below assume it is installed as certbot.

To request a certificate, ensure that Nginx successfully reloaded its configuration file and that your server is available over the internet at the domain you want to generate a certificate for (i.e. that DNS is set up correctly). Then, run the following command, replacing example.com with the (sub)domain Nebula will be running from.

certbot certonly --webroot -d example.com

It will ask for an email address to notify of certification expirations and if you want to received emails from the EFF. Then it will ask for the web root of the (sub)domain. Enter the same path that you used in the Nginx configuration file. If you didn’t edit those parts of the file (there are two in the example above), cancel the process (press Ctrl-C if you have to), modify the file, reload Nginx, and try again.

Once the certificate has been generated, go back and modify the Nginx configuration file to uncomment the ssl_* lines and optionally the HSTS line starting with add_header. Save the file and reload Nginx. Your domain should now be accessible over SSL.