Any web proxy will work in front of nsolid-console, this document explains how you can achieve this with nginx.


The public nginx docker images are great but don't go far enough for production level security. The following file creates a docker image that locks down file permissions within the image.

FROM nginx:stable

RUN touch /var/run/ \
 && chown -R www-data:root /var/run/ \
 && chmod -R 0770 /var/run/ \
 && chown -R www-data:root /var/cache/nginx \
 && chmod -R 0770 /var/cache/nginx;

USER www-data

CMD ["nginx", "-g", "daemon off;"]

Docker Compose

This is a example addition to docker-compose file. THe key aspect is the dependency on the host folder nginx that will mount resources into the container. More details on the content of this folder will be explained later.

  container_name: nginx
  image: custom/nginx:build
    - "80:80"
    - "443:443"
    - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    - ./nginx/nsolid-nginx.conf:/etc/nginx/nsolid.conf:ro
    - ./nginx/htpasswd:/etc/nginx/htpasswd:ro
    - ./nginx/certs:/etc/nginx/ssl:ro

Creating certificates / basic auth

Create nginx SSL certificates

This will be a self signed certificate. If you want to avoid cert warning consider getting a certificate for a domain at or other online providers.

openssl req -x509 -nodes -newkey rsa:2048 -keyout ./nginx/certs/nsolid-nginx.key -out ./nginx/certs/nsolid-nginx.crt

Basic Auth file

htpasswd -cb ./nginx/htpasswd {username} {password}


pid /run/;
error_log /dev/stdout;
worker_processes  1;

events {
  worker_connections  1024;

http {

  # Basic Settings

  sendfile on;
  keepalive_timeout 65;

  log_format upstreamlog '[$time_local] $remote_addr - $remote_user - $server_name  to:$upstream_addr request:$request upstream_response_time:$upstream_response_time msec:$msec request_time:$request_time upsteam_status:$upstream_status upstream_cache_status:$upstream_cache_status';

  add_header X-Backend-Loadbalancer $hostname;
  add_header X-Upstream-Backend $upstream_addr;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Logging Settings
  access_log /dev/stdout upstreamlog;
  error_log /dev/stdout;

  # Redirect all traffic to SSL
  server {
    listen 80;
    return 301 https://$host$request_uri;

  # Expose NGINX status endpoint
  server {
    listen 8080;
    server_name health;
    location / {
      stub_status on;
      access_log   off;

  include nsolid-nginx.conf;

Note: the include line at the end. This allows nsolid to be configured in a seperate file.


upstream console {
  # assumes `nsolid-console` is named `console in your docker-compose file.
  server console:6753; # Port is important to sanity check

# Port 80 server to redirect to a secure connection
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name nsolid;
  return 301 https://$host$request_uri;

server {
  listen 443 ssl;
  server_name nsolid
  ssl on;
  ssl_certificate /etc/nginx/ssl/nsolid-nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nsolid-nginx.key;
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 4h;

  location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;

    add_header X-Cache-Status $upstream_cache_status;

    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://console;