Reverse proxy
There are two options when setting up DQM on premises. You can either use the application-provided HTTPS mode or set up a reverse proxy of your choice. We recommend using a third-party reverse proxy, as it simplifies certificate management.
Required headers
Header | Explanation |
---|---|
X-Forwarded-For | Originating IP address of a client connecting through the reverse proxy |
X-Forwarded-Proto | Protocol the client is using to connect to the reverse proxy |
Host | Host name the client used to reach the reverse proxy (for example, example.com); used for the CSP policy |
Samples
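# Caddy (Caddyfile): terminate TLS for the site and forward every request to the application.
# Caddy v2's reverse_proxy passes the client's Host header through and sets X-Forwarded-For
# and X-Forwarded-Proto itself, so no explicit header directives are needed here.
your.host.name {
    # Caddyfile directives end at the newline; a trailing ";" would be read as part of the upstream address.
    reverse_proxy 127.0.0.1:8090
}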
# nginx: TLS-terminating reverse proxy in front of the application on 127.0.0.1:8090.
server {
listen 443 ssl http2;
server_name yourdomain.com;
ssl_certificate /etc/nginx/certs/yourdomain.crt;
ssl_certificate_key /etc/nginx/certs/yourdomain.key;
# Strong TLS settings: only TLS 1.2 and 1.3 are offered.
# ssl_ciphers restricts the TLS 1.2 suites; TLS 1.3 suites are configured separately by the TLS library.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8090;
# Forward the Host name the client requested (see "Required headers").
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For value the client sent,
# so only the last entry is set by this proxy. If this proxy is the first hop and the application
# reads the first entry, use $remote_addr here instead.
# NOTE(review): confirm which entry the application trusts.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Hard-coded to https because this server block only listens with ssl.
proxy_set_header X-Forwarded-Proto https;
# Request body limit; same size as LimitRequestBody 209715200 in the Apache sample.
client_max_body_size 200M;
proxy_redirect off;
}
}
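# Optional: redirect HTTP to HTTPS
server {
    listen 80;
    server_name yourdomain.com;
    # Redirect to the configured name rather than $host: $host reflects the client-supplied
    # Host header whenever this block also acts as the default server for port 80, which
    # would let the request choose the redirect target.
    return 301 https://yourdomain.com$request_uri;
}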
# Apache httpd: TLS-terminating reverse proxy in front of the application on 127.0.0.1:8090.
# The directives below come from mod_ssl, mod_proxy / mod_proxy_http and mod_headers.
<VirtualHost *:443>
ServerName yourdomain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/yourdomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.key
# Disable SSLv3, TLS 1.0 and TLS 1.1; the remaining enabled protocols stay available.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# Pass the client's Host header to the backend instead of the ProxyPass target's host name.
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8090/
ProxyPassReverse / http://127.0.0.1:8090/
# "set" replaces any X-Forwarded-For value supplied by the client with the connecting address.
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
# Hard-coded to https because this virtual host only serves TLS on port 443.
RequestHeader set X-Forwarded-Proto "https"
# NOTE(review): looks redundant with ProxyPreserveHost On above - confirm before removing.
RequestHeader set Host "%{HTTP_HOST}s"
# Request body limit in bytes (209715200 = 200 * 1024 * 1024), the same size as 200M in the nginx sample.
LimitRequestBody 209715200
</VirtualHost>
# Optional: redirect HTTP to HTTPS
# The target uses the fixed host name, so the client's Host header does not influence the redirect.
<VirtualHost *:80>
ServerName yourdomain.com
Redirect "/" "https://yourdomain.com/"
</VirtualHost>
Host headers
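To prevent host header injection and related attacks, production deployments should restrict the allowed Host headers at the reverse proxy level. Because the application uses the forwarded Host value (for example, for its CSP policy), the proxy should reject requests for any other host name instead of passing them on.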
# Caddy (Caddyfile): serve only the expected host name and answer everything else with 400.
# Reject all unknown HTTP requests — no redirect fallback
http:// {
respond "No redirect" 400
}
# Handle only the allowed domain over HTTPS
your.host.name {
# Named matcher: true only when the request's Host is your.host.name.
@valid_host host your.host.name
handle @valid_host {
# Upstream is addressed by name here (the basic sample uses 127.0.0.1:8090);
# presumably the application's container or service name - adjust to your deployment.
reverse_proxy selectzero:8090
}
# Fallback for requests that did not match @valid_host.
handle {
respond "Invalid Host Header" 400
}
}
# nginx: proxy only requests whose host name is the expected one.
# This sample sets no ssl_protocols / ssl_ciphers, so nginx defaults apply; carry over the
# TLS settings from the basic sample if you need them.
server {
listen 443 ssl;
server_name your.host.name;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
# Reject any other host name before the request is proxied. The check matters when this
# block is also the default server for port 443 and therefore receives requests whose
# name matches no server_name.
# NOTE(review): verify with a request carrying a different Host header that 400 is returned.
if ($host != "your.host.name") {
return 400 "Invalid Host Header";
}
location / {
# Upstream is addressed by name here (the basic sample uses 127.0.0.1:8090);
# presumably the application's container or service name - adjust to your deployment.
proxy_pass http://selectzero:8090;
# Only the validated host name reaches the application at this point.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-supplied X-Forwarded-For value; only the last entry is set by this proxy.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# $scheme is the scheme of the incoming request; this block only listens with ssl.
proxy_set_header X-Forwarded-Proto $scheme;
}
}
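# Apache httpd: proxy only requests whose Host header is exactly the expected name.
<VirtualHost *:443>
    ServerName your.host.name
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/your.host.name/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your.host.name/privkey.pem

    # Block if Host header doesn't match ServerName.
    # The comparison is an exact string match, so a Host value that carries an explicit
    # port or different letter case is rejected as well.
    # NOTE(review): verify with a request carrying a different Host header that 400 is
    # returned and nothing is forwarded to the backend.
    <If "%{HTTP_HOST} != 'your.host.name'">
        Redirect 400 /
    </If>

    # Forward the headers listed under "Required headers": without ProxyPreserveHost the
    # backend would see the ProxyPass target as Host, and X-Forwarded-Proto is not added
    # by mod_proxy on its own (X-Forwarded-For is).
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass / http://localhost:8090/
    ProxyPassReverse / http://localhost:8090/
</VirtualHost>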
07 May 2025