Fronting with nginx

It is recommended to proxy traffic to both ZoneControl and the PowerDNS Authoritative Server through the nginx web server. This catches malformed HTTP requests and allows for SSL termination.

ZoneControl

To proxy to a ZoneControl instance running on 127.0.0.1:8083, the following configuration is a good starting point. Don’t forget to set the ssl_certificate and ssl_certificate_key directives to your certificates and keys.

server {
  # redirect to https
  listen 80;
  listen [::]:80;
  server_name _;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log error;
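  location / {
    # $http_host is the client-supplied Host header; with the catch-all
    # server_name above, the redirect target follows whatever the client sent.
    # Set server_name to your hostname and use it here for a fixed target.
    return 301 https://$http_host$request_uri;
  }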
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name _;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log error;
  ssl_certificate /etc/ssl/public/chain.pem;
  ssl_certificate_key /etc/ssl/private/privkey.pem;

  location / {
    proxy_pass http://127.0.0.1:8083/;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_redirect off;
    proxy_buffering off;
  }
}

PowerDNS Authoritative Server

Fronting the PowerDNS Authoritative Server with nginx is very similar to fronting ZoneControl. The biggest difference is that plain HTTP is disabled (there is no listener on port 80) and no proxy headers are passed to the server. Don’t forget to set the ssl_certificate and ssl_certificate_key directives to your certificates and keys.

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name _;
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log error;
  ssl_certificate /etc/ssl/public/chain.pem;
  ssl_certificate_key /etc/ssl/private/privkey.pem;

  location / {
    proxy_pass http://127.0.0.1:8081/;
    proxy_redirect off;
    proxy_buffering off;
  }
}
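
To check a configuration against the two layouts above before reloading nginx, the following added example (not part of the original documentation) audits each server block: TLS listeners must carry both certificate directives, plain-HTTP listeners must not proxy, and every proxy_pass must point at the expected backend. The function names and the sample config are constructed for illustration, and the brace matcher is a simplification, not nginx's own parser.

```python
import re

# Constructed sample (not from the page): the TLS block lacks its key and
# proxies to a different port than the backend is assumed to listen on.
SAMPLE = """
server {
  listen 80;
  location / { return 301 https://$host$request_uri; }
}
server {
  listen 443 ssl;
  ssl_certificate /etc/ssl/public/chain.pem;
  location / { proxy_pass http://127.0.0.1:8053/; }
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(block, name):
    """Return the argument string of every `name ...;` directive in a block."""
    return re.findall(r"(?:^|[;{}\s])" + re.escape(name) + r"\s+([^;{}]+);", block)

def audit(conf, backend):
    """Return findings for a config meant to front `backend` (host:port)."""
    findings, conf = [], re.sub(r"#.*", "", conf)  # strip comments first
    for n, block in enumerate(server_blocks(conf), 1):
        tls = any("ssl" in l.split() for l in directives(block, "listen"))
        passes = directives(block, "proxy_pass")
        if tls:
            for d in ("ssl_certificate", "ssl_certificate_key"):
                if not directives(block, d):
                    findings.append(f"server {n}: TLS listener without {d}")
        elif passes:
            findings.append(f"server {n}: plain-HTTP listener proxies instead of redirecting")
        for target in passes:
            hostport = re.sub(r"^https?://", "", target.strip()).split("/")[0]
            if hostport != backend:
                findings.append(f"server {n}: proxy_pass goes to {hostport}, expected {backend}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, "127.0.0.1:8083")))
```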