Using the axe-linter Server with a Reverse Proxy

You can encrypt your connections to your axe-linter server instance (and prevent man-in-the-middle snooping) by using a reverse proxy server such as NGINX. This guide shows you how.



This guide assumes you'll be installing on a Linux machine.

You will need the following software:

  • The axe-linter server
  • OpenSSL (for creating self-signed certificates)

For help installing NGINX, see Install | NGINX.

For more information on installing the axe-linter server, see Setting up the On-Premises Server.

You'll need OpenSSL to create self-signed certificates. For more information about OpenSSL, see OpenSSL.

Configuring NGINX

Create a configuration file named axe-linter.conf and place it in the /etc/nginx/config.d directory. The configuration below is an example of how to configure NGINX as a reverse proxy:

  server {
    listen      443 ssl;
    listen [::]:443 ssl;

    # Configure SSL.
    # Replace `/opt/deque/axe/certs/axe.crt` and `/opt/deque/axe/certs/axe.key`
    # with your own certificate and key files.

    ssl_certificate     /opt/deque/axe/certs/axe.crt;
    ssl_certificate_key /opt/deque/axe/certs/axe.key;

    server_name _;

    # Redirect all requests to axe-linter server
    location / {
      proxy_http_version 1.1;
      proxy_cache_bypass $http_upgrade;

      proxy_set_header Upgrade    $http_upgrade;
      proxy_set_header Connection 'upgrade';
      proxy_set_header Host       $host;
      proxy_set_header X-Real-IP  $remote_addr;

      # Forward to the axe-linter server on localhost, port 3000
      proxy_pass http://localhost:3000;
    }
  }

You'll need two SSL certificate files as indicated by the ssl_certificate and ssl_certificate_key options in the above configuration.

In the example above, requests to this NGINX server are forwarded to an axe-linter server on localhost at port 3000.

After changing the configuration, restart NGINX as shown below:

sudo service nginx restart

Configuring DNS

An SSL certificate is required on your server now that you're using encrypted connections. If the server has a name registered in DNS (as a DNS A record, for instance), you can use a service such as Let's Encrypt to generate free certificates. If you want to access your server via its IP address only, you need to create a self-signed certificate because a service such as Let's Encrypt won't issue certificates for IP addresses—they require the server be registered with a DNS server.

Using a Self-Signed Certificate

For servers accessed via their IP address only, the first step is to create the self-signed certificates with OpenSSL as shown below:

openssl req -newkey rsa:2048 -x509 -nodes -keyout /etc/ssl/private/axe-selfsigned.key -new -out /etc/ssl/certs/axe-selfsigned.crt -subj /CN=axe-linter-server -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=IP:')) -sha256 -days 365

In the above command, you need to set the IP address in the subjectAltName=IP: entry to the IP address of your server, and you'll need to change the certificate paths in your config file in /etc/nginx/config.d to point to /etc/ssl/private/axe-selfsigned.key and /etc/ssl/certs/axe-selfsigned.crt.

The created certificate is valid for one year only (the -days 365 option), but you can change it to a longer duration.
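
One way to generate the certificate and check it before pointing NGINX at it, as an added example that is not part of the original guide. It uses -addext (OpenSSL 1.1.1 or later) in place of the -config process substitution, writes into a temporary directory, and uses 192.0.2.10 as a constructed stand-in for the server IP; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical;
# 192.0.2.10 is a constructed documentation address standing in for your server.
# Assumes OpenSSL 1.1.1 or later (for -addext).

# make_cert DIR IP: write DIR/axe-selfsigned.key and .crt with IP in the SAN.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=axe-linter-server" \
    -addext "subjectAltName=IP:$2" \
    -keyout "$1/axe-selfsigned.key" \
    -out "$1/axe-selfsigned.crt" 2>/dev/null || return 1
  # The private key must not be readable by other users.
  chmod 600 "$1/axe-selfsigned.key"
}

# cert_matches_ip CRT IP: succeed only if a client connecting to IP would
# find that address in the certificate's subjectAltName.
cert_matches_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# key_matches_cert CRT KEY: succeed only if KEY is the private key for CRT
# (NGINX refuses to start when the pair does not match).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo in a throwaway directory; use your real paths and IP in production.
demo_dir=$(mktemp -d)
make_cert "$demo_dir" 192.0.2.10
if cert_matches_ip "$demo_dir/axe-selfsigned.crt" 192.0.2.10 &&
   key_matches_cert "$demo_dir/axe-selfsigned.crt" "$demo_dir/axe-selfsigned.key"
then
  echo "certificate covers 192.0.2.10 and matches its key"
fi
rm -rf "$demo_dir"
```

TLS clients such as Node match an IP address only against the subjectAltName IP entries, not the CN, so the first check catches a certificate that clients would reject.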

Using axe-linter Connector with Self-Signed Certificates

You'll need to copy the certificate to the client machine (in this example, the axe-selfsigned.crt file) so your client code or axe-linter-connector can use the certificate.

Then you'll need to configure the environment variables as discussed in Setting Up Environment Variables.

The following example shows how to use axe-linter-connector with your self-signed certificate:

NODE_EXTRA_CA_CERTS=/path/to/downloaded/axe-selfsigned.crt axe-linter-connector -s . -d .

The NODE_EXTRA_CA_CERTS environment variable tells Node, and thus the axe-linter connector, to trust the specified self-signed certificate, which would normally be rejected:

axe-linter-connector -s . -d .   
Error: self signed certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1502:34)
    at TLSSocket.emit (events.js:314:20)
    at TLSSocket._finishInit (_tls_wrap.js:937:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:711:12)

Setting Up Environment Variables

To use axe-linter connector with a reverse proxy server, you need to change both of its environment variables:


For example, you can set the variables as shown below:


The URL must start with https and the port must be 443; otherwise, you won't be able to connect to your server.

Blocking the Unencrypted Port in Your Firewall

You might want to consider blocking the port assigned to your axe-linter server (here, port 3000) from outside traffic so that you can be sure that all connections go through the proxy server.