Skip to content

Setup Proxy Domain (nginx)

Jump to bottom
Marcel Hofer edited this page Feb 21, 2023 · 2 revisions

Proxy Domain (nginx)

For ISPConfig with nginx, it's not possible to make some of the url-rewrites in a persistent manner.

For this reason, the DDNS module supports a secure mode using a proxy secret for administrators that do not want to change the ISPConfig port to 80 or 443 for some reason.

Setting nginx to trust all X-Forwared-For headers may be insecure in a shared environment, so a secret header can be used instead.

Use the following instructions to create a secure proxy just for DDNS.

1. Configuring the proxy domain

You can either use an existing website, or create a new website. Make sure to enable SSL.

Open the website settings in ISPConfig and change to the Options tab.

Under Nginx Directives, add the following snipped:

location = /ddns/update.php {
  # ddns proxy key header is only required if nginx does not trust the x-forwarded-for header already
  proxy_set_header X-DDNS-Proxy-Key     "";
  proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
  proxy_pass https://127.0.0.1:8080/ddns/update.php;
}
location /nic/ {
  # ddns proxy key header is only required if nginx does not trust the x-forwarded-for header already
  proxy_set_header X-DDNS-Proxy-Key     "";
  proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
  proxy_set_header X-Original-Request-URI $request_uri;
  rewrite /(.*) /ddns/update.php  break;
  proxy_pass https://127.0.0.1:8080/ddns/update.php;
}

On the line with X-DDNS-Proxy-Key, you must set a long, randomly generated string between ""

If your proxy is not running on the same host as ISPConfig, change the IP in both proxy_pass directives accordingly.

2. Configuring the DDNS module to trust the proxy

You will need to create a local configuration inside the ddns module directory:

cd /var/www/ispconfig/ddns
cp update.config.local-example.php update.config.local.php

Now you should modify update.config.local.php and set the following options:

  • PROXY_HOST: the domain of your proxy website from step 1
  • TRUSTED_PROXY_KEY: the same key you set in the Apache Directives on the second line as the X-DDNS-Proxy-Key header

If your proxy is on a different server, you also need to add the TRUSTED_PROXY_IP config entry.

3. Verify

  • Create an test dns record and token
  • open the update URL popup in the token list
  • The URLs should now show your proxy domain
  • If you open an update url in your browser, you should receive a success message.
  • Verify that your real IP was set in the domain record.
  • Delete the test token and dns records again

If the proxy was misconfigured, it should show an error when accessing the URL via proxy domain.

Clone this wiki locally