Set Up NGINX Reverse Proxy and SSL

note

PayString was previously known as PayID.

After you set up a PayString server using your preferred deployment option, you can set up NGINX Reverse Proxy + SSL for load balancing and security.

NGINX Reverse Proxy + SSL setup#

Change the PayString server to run on port 8080 (default).
Set up a Server Block on NGINX for your domain, following these instructions.
Install Certbot, as follows.
apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx
Generate a certificate (choose to redirect) certbot --nginx
Change the location parameter in the NGINX conf file to reverse proxy to the PayString server (running on port 8080): try_files $uri $uri/ =404; to:
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $http_host;
Note: The second line is required to preserve the original URL, which is used to find the user. Note: You can expand your certificate to cover any subdomain used in a PayString using: sudo certbot -d zochow.ski,pay.michael.zochow.ski,www.zochow.ski --expand
Restart NGINX. sudo systemctl restart nginx
[Optional] Update the NGINX configuration that catches PayString headers and forwards them to the PayString server; otherwise, send these headers to the web server.

Note: You will need to add additional proxy passing statements for each additional network supported, or otherwise use a generic regex to identify all PayString headers.

sudo nano /etc/nginx/sites-available/<your-site>

location / {
   proxy_set_header Host $http_host;
   # needed for CORS
   add_header Access-Control-Allow-Origin *;
   add_header Access-Control-Allow-Headers *;

   # proxy passing needed for all supported networks
   # modify port to the one used by your PayString server
   if ($http_accept ~ "application/payid*") {
         proxy_pass http://localhost:8080;
   }
   if ($http_accept ~ "application/xrpl-*") {
         proxy_pass http://localhost:8080;
   }

   try_files $uri $uri/ =404;
}