Using axe DevTools Linter with a Reverse Proxy
You can encrypt your connections to your on-premises axe DevTools Linter instance (and prevent man-in-the-middle snooping) by using a reverse proxy server such as NGINX. This guide shows you how.
Requirements
This guide assumes you'll be installing on a Linux machine.
You will need the following software:
- On-premises axe DevTools Linter binary
- NGINX
- OpenSSL (for creating self-signed certificates)
For help installing NGINX, see Install | NGINX.
For more information on installing the on-premises axe DevTools Linter server, see Setting up the On-Premises Server.
You'll need OpenSSL to create self-signed certificates. For more information about OpenSSL, see OpenSSL.
Configuring NGINX
For this example, create a configuration file named axe-linter.conf and place it in the /etc/nginx/config.d directory. The configuration below is an example of how to configure NGINX as a reverse proxy:
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Configure SSL.
    # Replace `/opt/deque/axe/certs/axe.crt` and `/opt/deque/axe/certs/axe.key`
    # with your own certificate and key files.
    ssl_certificate /opt/deque/axe/certs/axe.crt;
    ssl_certificate_key /opt/deque/axe/certs/axe.key;

    server_name _;

    # Forward all requests to axe DevTools Linter
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
You'll need two SSL certificate files as indicated by the ssl_certificate and ssl_certificate_key options in the above configuration.
In the example above, requests to this NGINX server are forwarded to an axe DevTools Linter server on localhost (127.0.0.1) at port 3000.
After changing the configuration, restart NGINX as shown below:
sudo service nginx restart
Configuring DNS
An SSL certificate is required on your server now that you're using encrypted connections. If the server has a name registered in DNS (as a DNS A record, for instance), you can use a service such as Let's Encrypt to generate free certificates. If you want to access your server via its IP address only, you need to create a self-signed certificate because a service such as Let's Encrypt won't issue certificates for IP addresses—they require the server be registered with a DNS server.
Using a Self-Signed Certificate
For servers accessed via their IP address only, the first step is to create the self-signed certificates with OpenSSL as shown below:
openssl req -newkey rsa:2048 -x509 -nodes \
    -keyout /etc/ssl/private/axe-selfsigned.key \
    -new -out /etc/ssl/certs/axe-selfsigned.crt \
    -subj /CN=axe-linter-server \
    -reqexts SAN -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=IP:10.10.1.50')) \
    -sha256 -days 365
In the above command, change the IP address in the subjectAltName entry to the IP address of your server (in the example it's set to 10.10.1.50). You'll also need to change the certificate paths in your config file in /etc/nginx/config.d to point to /etc/ssl/private/axe-selfsigned.key and /etc/ssl/certs/axe-selfsigned.crt.
The created certificate is valid for one year only (the -days 365 option), but you can change it to a longer duration.
Using axe DevTools Linter Connector with Self-Signed Certificates
You'll need to copy the certificate to the client machine (in this example, the axe-selfsigned.crt file) so your client code or axe DevTools Linter Connector can use the certificate.
Then you'll need to configure the environment variables as discussed in Setting Up Environment Variables.
The following example shows how to use axe DevTools Linter Connector with your self-signed certificate:
NODE_EXTRA_CA_CERTS=/path/to/downloaded/axe-selfsigned.crt axe-linter-connector -s . -d .
The environment variable NODE_EXTRA_CA_CERTS tells Node.js, and thus axe DevTools Linter Connector, to trust the specified self-signed certificate. Without it, the certificate is rejected, as shown below:
axe-linter-connector -s . -d .
Error: self signed certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1502:34)
at TLSSocket.emit (events.js:314:20)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:711:12)
Setting Up Environment Variables
To use axe DevTools Linter Connector with a reverse proxy server, you need to change both of its environment variables:
- AXE_LINTER_SERVER_URL
- AXE_LINTER_SERVER_PORT
For example, you can set the variables as shown below:
export AXE_LINTER_SERVER_URL=https://10.10.1.50
export AXE_LINTER_SERVER_PORT=443
The URL must start with https and the port must be 443; otherwise, you won't be able to connect to your server.
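The checks implied by the self-signed certificate and environment variable sections above, as an added example that is not part of the original guide or of Deque's code: a Node.js pre-flight that validates the connector variables and confirms that the certificate named in NODE_EXTRA_CA_CERTS matches the server address and is within its validity period. The function names are hypothetical, the sample values are constructed, and the NODE_TLS_REJECT_UNAUTHORIZED check is an addition the guide does not mention.

```javascript
// Added example, not Deque code. Function names are hypothetical.
const fs = require('node:fs');
const net = require('node:net');
const { X509Certificate } = require('node:crypto');

// Validate the two connector variables; returns the target host and any problems.
function checkConnectorEnv(env) {
  const problems = [];
  let host = null;
  try {
    const url = new URL(env.AXE_LINTER_SERVER_URL);
    host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 brackets
    if (url.protocol !== 'https:') problems.push('AXE_LINTER_SERVER_URL must start with https');
  } catch {
    problems.push('AXE_LINTER_SERVER_URL is missing or not a valid URL');
  }
  if (String(env.AXE_LINTER_SERVER_PORT) !== '443') problems.push('AXE_LINTER_SERVER_PORT must be 443');
  // Assumption (not from the guide): flag Node's global opt-out of TLS verification.
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') problems.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate checks');
  return { host, problems };
}

// Check that a certificate matches the host and is inside its validity window.
function checkCertificate(pem, host, now = new Date()) {
  let cert;
  try { cert = new X509Certificate(pem); } catch { return ['file is not a parseable X.509 certificate']; }
  const problems = [];
  // An IP target must appear as an IP entry in subjectAltName; a name is matched as a host.
  const covered = net.isIP(host) ? cert.checkIP(host) : cert.checkHost(host);
  if (!covered) problems.push(`certificate does not match ${host}`);
  if (now < new Date(cert.validFrom)) problems.push(`certificate not valid before ${cert.validFrom}`);
  if (now > new Date(cert.validTo)) problems.push(`certificate expired on ${cert.validTo}`);
  return problems;
}

// Run both checks against a process.env-shaped object.
function preflight(env) {
  const { host, problems } = checkConnectorEnv(env);
  if (host && env.NODE_EXTRA_CA_CERTS) {
    try {
      problems.push(...checkCertificate(fs.readFileSync(env.NODE_EXTRA_CA_CERTS), host));
    } catch (err) {
      problems.push(`cannot read NODE_EXTRA_CA_CERTS file: ${err.code}`);
    }
  }
  return problems;
}

// Constructed sample: settings still pointing at the unencrypted port.
const sample = { AXE_LINTER_SERVER_URL: 'http://10.10.1.50', AXE_LINTER_SERVER_PORT: '3000' };
console.log(preflight(sample));
```

Calling preflight(process.env) before launching the connector reports a wrong subjectAltName address or a lapsed 365-day certificate as a specific message rather than a bare TLS handshake error.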
Blocking the Unencrypted Port in Your Firewall
You might want to consider blocking the port assigned to your axe DevTools Linter server (here, port 3000) from outside traffic so that you can be sure that all connections go through the proxy server.