.. _fronting-with-nginx:

Fronting with nginx
===================

It is recommended to proxy traffic to both ZoneControl and the PowerDNS
Authoritative Server through the `nginx webserver <http://nginx.org/>`_.
nginx catches possibly broken HTTP requests before they reach the backend
and allows for SSL termination.

ZoneControl
-----------

To proxy to a ZoneControl instance running on ``127.0.0.1:8083``, the
following configuration is a good starting point. Don’t forget to set the
``ssl_certificate`` and ``ssl_certificate_key`` directives to your
certificates and keys.

.. code-block:: nginx

    server {
      # redirect to https
      listen 80;
      listen [::]:80;
      server_name _;
      access_log /var/log/nginx/access.log;
      error_log /var/log/nginx/error.log error;
      location / {
        return 301 https://$http_host$request_uri;
      }
    }

    server {
      listen 443 ssl;
      listen [::]:443 ssl;
      server_name _;
      access_log /var/log/nginx/access.log;
      error_log /var/log/nginx/error.log error;
      ssl_certificate /etc/ssl/public/chain.pem;
      ssl_certificate_key /etc/ssl/private/privkey.pem;

      location / {
        proxy_pass http://127.0.0.1:8083/;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_redirect off;
        proxy_buffering off;
      }
    }
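
The redirect block above builds its target from ``$http_host``, which is taken
from the client's request, and each block is the only one on its port, so it
answers for any host name. As an added example (not part of the original
ZoneControl documentation), the variant below pins the redirect and the proxy to
a single name; ``zonecontrol.example.com`` is a placeholder assumption, and
``ssl_reject_handshake`` requires nginx 1.19.4 or newer.

```nginx
# Added example, not the project's own configuration.
# zonecontrol.example.com is a placeholder; replace it with your own name.

server {
  # Default server for port 80: requests whose Host header matches no
  # configured name are dropped instead of being redirected.
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name _;
  return 444;  # nginx-specific: close the connection without a response
}

server {
  # Redirect to https using a fixed name rather than $http_host.
  listen 80;
  listen [::]:80;
  server_name zonecontrol.example.com;
  return 301 https://zonecontrol.example.com$request_uri;
}

server {
  # Default server for port 443: refuse TLS handshakes for unknown names,
  # so no certificate is needed here (nginx >= 1.19.4).
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;
  ssl_reject_handshake on;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name zonecontrol.example.com;
  ssl_certificate /etc/ssl/public/chain.pem;
  ssl_certificate_key /etc/ssl/private/privkey.pem;

  location / {
    proxy_pass http://127.0.0.1:8083/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_redirect off;
    proxy_buffering off;
  }
}
```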

PowerDNS Authoritative Server
-----------------------------

Fronting the PowerDNS Authoritative Server with nginx is very similar to
fronting ZoneControl. The biggest difference is that HTTP is disabled
(there is no listener on port 80) and no additional headers are passed to
the server (there are no ``proxy_set_header`` directives). Don’t forget to
set the ``ssl_certificate`` and ``ssl_certificate_key`` directives to your
certificates and keys.

.. code-block:: nginx

    server {
      listen 443 ssl;
      listen [::]:443 ssl;
      server_name _;
      access_log /var/log/nginx/access.log;
      error_log /var/log/nginx/error.log error;
      ssl_certificate /etc/ssl/public/chain.pem;
      ssl_certificate_key /etc/ssl/private/privkey.pem;

      location / {
        proxy_pass http://127.0.0.1:8081/;
        proxy_redirect off;
        proxy_buffering off;
      }
    }
