Nginx Proxy Configuration

All public-facing services are accessed through Nginx reverse proxies with TLS termination and authentication.

Proxy Overview

flowchart LR
    subgraph Internet["Browser (127.0.0.1)"]
        Client
    end

    subgraph Proxies["Nginx Proxies"]
        n8nProxy["n8n-proxy<br/>:443"]
        WebappProxy["webapp-proxy<br/>:8000"]
        OllamaProxy["ollama-proxy<br/>:11434"]
        MinioProxy["minio-api-proxy"]
    end

    subgraph Services["Backend Services"]
        n8n["n8n:5678"]
        Webapp["pentest-webapp:8000"]
        Ollama["ollama:11434"]
        MinioAPI["minio-api:8080"]
    end

    Client --> n8nProxy
    Client --> WebappProxy

    n8nProxy --> n8n
    WebappProxy --> Webapp
    OllamaProxy --> Ollama
    MinioProxy --> MinioAPI

Service Configurations

n8n Proxy

File: nginx/n8n.conf

| Setting | Value |
|---|---|
| Listen Port | 443 (HTTPS) |
| Backend | n8n:5678 |
| Max Body Size | 50 MB |
| Timeout | 600 seconds |

Features:

- HTTP/2 enabled

server {
    listen 443 ssl http2;

    ssl_certificate /etc/nginx/ssl/n8n.crt;
    ssl_certificate_key /etc/nginx/ssl/n8n.key;

    client_max_body_size 50M;

    location / {
        proxy_pass http://n8n:5678;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
    }
}

Webapp Proxy

File: nginx/webapp.conf

| Setting | Value |
|---|---|
| Listen Port | 443 (internal :8000 on host) |
| Backend | pentest-webapp:8000 |
| Max Body Size | 50 MB |
| Timeout | 600 seconds |

Ollama Proxy

File: nginx/ollama.conf.template

| Setting | Value |
|---|---|
| Listen Port | 11434 (HTTPS) |
| Backend | ollama:11434 |
| Max Body Size | Unlimited |
| Timeout | 600 seconds |
| Auth | Bearer token |

Features:

- API key authentication via Bearer token

server {
    listen 11434 ssl;

    location / {
        # Require Bearer token authentication
        if ($http_authorization != "Bearer ${OLLAMA_API_KEY}") {
            return 401;
        }

        proxy_pass http://ollama:11434;
        proxy_read_timeout 600s;
    }
}
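
Because the template bakes the key into the config at render time, an empty `OLLAMA_API_KEY` would leave the comparison string as just `"Bearer "`, with no secret in it. The following is an added example, not the project's own script: it assumes the template is rendered by substituting `${OLLAMA_API_KEY}` from the environment, and `render_ollama_conf`, `MIN_KEY_LEN` and the 32-character minimum are hypothetical.

```shell
#!/bin/sh
# Added example (not the project's script): render the Ollama proxy template
# while refusing keys that would weaken or break the Bearer check.
# render_ollama_conf and MIN_KEY_LEN are hypothetical names.
MIN_KEY_LEN=32   # assumed policy, not stated on the page

render_ollama_conf() {
    template=$1 output=$2 key=${OLLAMA_API_KEY:-}
    # An empty key would render the comparison as "Bearer " (no secret at all).
    if [ "${#key}" -lt "$MIN_KEY_LEN" ]; then
        echo "OLLAMA_API_KEY missing or shorter than $MIN_KEY_LEN chars" >&2
        return 1
    fi
    # Allow only the characters of an RFC 6750 b64token. This rejects quotes,
    # spaces, ';', '$' and anything else that could change the nginx string
    # literal or the sed expression below.
    case $key in
        *[!A-Za-z0-9._~+/=-]*)
            echo "OLLAMA_API_KEY contains characters outside b64token" >&2
            return 1 ;;
    esac
    # Replace only ${OLLAMA_API_KEY}; nginx variables such as
    # $http_authorization must survive untouched. The umask keeps the
    # rendered file, which now holds the secret, readable by its owner only.
    ( umask 077
      sed 's|\${OLLAMA_API_KEY}|'"$key"'|g' "$template" > "$output" ) || return 1
    # A leftover ${...} means the template expects a variable that was not set.
    if grep -qF '${' "$output"; then
        echo "unrendered placeholder left in $output" >&2
        return 1
    fi
}

# Demo on a constructed one-line template holding the check shown above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ollama.conf.template" <<'EOF'
if ($http_authorization != "Bearer ${OLLAMA_API_KEY}") { return 401; }
EOF
OLLAMA_API_KEY=constructed-example-key-0123456789abcdef   # constructed value
render_ollama_conf "$demo_dir/ollama.conf.template" "$demo_dir/ollama.conf" &&
    grep -c 'Bearer constructed-example-key' "$demo_dir/ollama.conf"
rm -rf "$demo_dir"
```

Run it before nginx starts so a missing or malformed key stops the deployment instead of producing a config whose check no longer depends on a secret.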

MinIO API Proxy

File: nginx/minio-api.conf

| Setting | Value |
|---|---|
| Listen Port | 8081 (HTTPS, internal) |
| Backend | minio-api:8080 |
| Max Body Size | 500 MB |
| Timeout | 600 seconds |

SSL/TLS Configuration

Certificate Generation

Script: nginx/generate-ssl-certs.sh

Generates self-signed certificates for all services on first run:

# Services with generated certificates
- n8n (localhost)
- ollama-proxy (ollama-proxy, ollama, localhost)
- minio-api-proxy (minio-api-proxy, minio-api, localhost)
- qdrant
- credential-vault
- webapp

Certificate Details

| Property | Value |
|---|---|
| Algorithm | RSA 2048-bit |
| Validity | 365 days |
| SANs | Service hostname, localhost, 127.0.0.1 |

CA Bundle

A CA bundle (ca-bundle.crt) is created combining certificates from:

- Ollama
- MinIO API
- Qdrant
- Credential Vault
- Webapp

This bundle is mounted into n8n so that it trusts the internal services' self-signed certificates.

TLS Settings

All proxies restrict TLS to versions 1.2 and 1.3 and to AES-GCM and ChaCha20 cipher suites with ephemeral (ECDHE/DHE) key exchange:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20:!aNULL:!MD5:!DSS;
ssl_prefer_server_ciphers on;

Proxy Headers

Standard headers passed to backends:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

WebSocket Support

For n8n and webapp real-time features:

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

Timeout Configuration

Long timeouts are configured for:

- LLM inference (can take minutes)
- Workflow execution
- Large file uploads
- Report generation

proxy_connect_timeout 600s;
proxy_send_timeout 600s;
proxy_read_timeout 600s;

File Locations

| File | Purpose |
|---|---|
| nginx/n8n.conf | n8n proxy configuration |
| nginx/webapp.conf | Webapp proxy configuration |
| nginx/ollama.conf.template | Ollama proxy (template) |
| nginx/minio-api.conf | MinIO API proxy |
| nginx/generate-ssl-certs.sh | Certificate generation |
| nginx/ssl/ | Generated certificates and keys |
| nginx/ssl/ca-bundle.crt | Combined CA certificates |

Docker Integration

Each proxy is an nginx:alpine container:

n8n-proxy:
  image: nginx:alpine
  volumes:
    - ./nginx/n8n.conf:/etc/nginx/conf.d/default.conf:ro
    - ./nginx/ssl:/etc/nginx/ssl:ro
  depends_on:
    ssl-cert-generator:
      condition: service_completed_successfully

The ssl-cert-generator service runs first to ensure certificates exist before proxies start.