
SSL Termination for Martini Server Runtime

SSL termination refers to the process of decrypting SSL/TLS traffic at a designated point in your network, typically at a load balancer or reverse proxy, before forwarding the unencrypted traffic to your application servers. This approach offloads the computational overhead of encryption and decryption from the Martini Server Runtime, allowing it to focus on processing requests more efficiently. Common solutions for SSL termination include load balancers such as AWS Application Load Balancer (ALB) and configuring Nginx as a reverse proxy.

If you choose to use a load balancer for SSL termination, please refer to the documentation for your preferred load balancer for detailed instructions on configuring SSL.

For instructions on how to configure Nginx as a reverse proxy, please see the guide below.

Running Martini with NGINX and TLS

You can run your Martini instances with NGINX to have a secure connection. This guide will help you set up your instance behind a proxy server. NGINX will act as a reverse proxy for Martini.

In this setup, the NGINX server is responsible for managing all SSL connections originating from users. Its primary role is to decrypt incoming requests so they can be forwarded to the Martini server in a readable format. Once Martini processes these requests and generates responses, the responses are relayed back to the NGINX server, where they are encrypted before being dispatched to the client's browser. It's crucial to note that in this architecture, Martini is completely abstracted from the encryption/decryption process, focusing solely on handling the business logic and processing of the requests and responses. This delineation of responsibilities ensures a clear separation of concerns, allowing each server to specialize in and optimize its designated tasks.

Procedure

Note: addresses of the instance and server used in this guide:

  * NGINX Server: 10.0.0.2
  * Martini Instance: 10.0.0.3
  * Domain assigned to the instance: martini.example.com

  1. In your NGINX server, go to the /etc/nginx/conf.d/certs/ directory and create two directories called ssl_crt and ssl_key. Copy your SSL certificate and key into these directories respectively.

```text
/etc/nginx/conf.d/certs/
├── ssl_crt
│   └── <your-ssl-certificate-here>
└── ssl_key
    └── <your-ssl-key-here>
```
  2. Create the sites-available and sites-enabled directories inside the /etc/nginx/conf.d directory. NGINX configuration files will be stored inside the sites-available directory. Later, a symbolic link will be created in the sites-enabled directory pointing to each configuration file, so that NGINX loads it.

```text
/etc/nginx/conf.d
    ├── sites-available
    └── sites-enabled
```
  3. Edit the file named /etc/nginx/nginx.conf and include all .conf files in the /etc/nginx/conf.d/sites-enabled directory. By doing this, NGINX will load all *.conf files inside the sites-enabled folder upon start or restart of its process.

  4. Create the configuration file for martini.example.com. In this case, the configuration file is named martini.example.com.conf. It should reside in the directory /etc/nginx/conf.d/sites-available.

The content of the file should be like this:

```nginx
upstream martini {
    # Martini listens on plain HTTP; it never sees the TLS handshake.
    server 10.0.0.3:8080 fail_timeout=0;
}

# Plain-HTTP listener: its only job is to redirect to HTTPS. Any proxy_*
# directives placed after "return" would never be applied, so none are kept here.
server {
    listen 80;
    server_name martini.example.com;
    access_log /var/log/nginx/martini.example.com_access.log;
    error_log /var/log/nginx/martini.example.com_error.log;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# TLS listener: TLS is terminated here and the decrypted request is forwarded to Martini.
server {
    # "ssl on;" is obsolete (removed in NGINX 1.25); the ssl flag on listen replaces it.
    listen 443 ssl;
    server_name martini.example.com;
    access_log /var/log/nginx/martini.example.com_ssl_access.log;
    error_log /var/log/nginx/martini.example.com_ssl_error.log;
    ssl_certificate /etc/nginx/conf.d/certs/ssl_crt/<your-ssl-certificate-here>;
    ssl_certificate_key /etc/nginx/conf.d/certs/ssl_key/<your-ssl-key-here>;

    location / {
        proxy_pass http://martini;
        # The X-Forwarded-* headers tell Martini the original host, client address,
        # port and scheme, so that URLs it generates point at https://martini.example.com.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_connect_timeout 240;
        proxy_send_timeout 240;
        proxy_read_timeout 240;
    }
}
```
  5. Create a symbolic link (symlink) from the sites-available directory to the sites-enabled directory:

```bash
ln -s /etc/nginx/conf.d/sites-available/martini.example.com.conf /etc/nginx/conf.d/sites-enabled/martini.example.com.conf
```

Test the NGINX configuration:

```bash
nginx -t
```

If NGINX confirms that all configurations are good to go, you can now reload NGINX using this command:

```bash
nginx -s reload
```

  6. Configure your DNS. Make sure that your DNS entry points to the IP of your NGINX instance and not your Martini instance's IP address.
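As an added example (not part of the Martini documentation and not an NGINX tool), the script below parses a site configuration like the one in step 4 and flags the pitfalls a termination config of this shape can carry: proxy directives left after a `return` in the plain-HTTP block (they are never applied), the obsolete `ssl on;` directive, and a TLS location that proxies to the upstream without `X-Forwarded-Proto https` (Martini would then build http:// URLs). The SAMPLE config is constructed for illustration.

```python
import re

# Tokens: comments, quoted strings, the structural characters and bare words.
_TOK = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')

def parse(text):
    """Parse NGINX config into nested (name, args, children) tuples; children is None for a simple directive."""
    root, stack, words = [], [], []
    cur = root
    for tok in (t for t in _TOK.findall(text) if t[0] != '#'):
        if tok == ';':
            cur.append((words[0], words[1:], None)); words = []
        elif tok == '{':
            cur.append((words[0], words[1:], [])); stack.append(cur)
            cur = cur[-1][2]; words = []
        elif tok == '}':
            cur = stack.pop()
        else:
            words.append(tok.strip('"\''))
    return root

def lint(text):
    """Return findings for each server block; an empty list means the config passes."""
    out = []
    for name, _, body in parse(text):
        if name != 'server':
            continue
        names = {n for n, _, _ in body}
        listens = [' '.join(a) for n, a, _ in body if n == 'listen']
        tag = 'server (' + '; '.join(listens) + ')'
        tls = 'ssl' in names or any('ssl' in l.split() for l in listens)
        if 'ssl' in names:  # "ssl on;" was removed in NGINX 1.25; the listen flag replaced it
            out.append(f'{tag}: "ssl on" is obsolete, use "listen 443 ssl"')
        for n, a, loc in body:
            if n != 'location':
                continue
            dn = [d[0] for d in loc]
            hdr = {d[1][0]: d[1][-1] for d in loc if d[0] == 'proxy_set_header'}
            if 'return' in dn and dn[-1] != 'return':
                out.append(f'{tag} location {a[-1]}: directives after "return" never apply')
            if tls and 'proxy_pass' in dn and hdr.get('X-Forwarded-Proto') != 'https':
                out.append(f'{tag} location {a[-1]}: missing X-Forwarded-Proto https')
    return out

# Constructed sample carrying the two pitfalls the step 4 config must avoid.
SAMPLE = """
server { listen 80; location / { return 301 https://$host$request_uri; proxy_pass http://martini; } }
server { listen 443; ssl on; ssl_certificate a.crt; ssl_certificate_key a.key;
         location / { proxy_pass http://martini; proxy_set_header X-Forwarded-Proto https; } }
"""
```

Run `lint(open('/etc/nginx/conf.d/sites-available/martini.example.com.conf').read())` after editing; `nginx -t` checks syntax but will not report any of these three issues.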