Skip to main content
Version: 3.8.x

JATOS with Nginx

Here is an example for a configuration of Nginx as a reverse proxy in front of JATOS. It is not necessary to run JATOS with a proxy but it's common.

A JATOS server that handles sensitive or private data should always use encryption (HTTPS). A nice free certificate issuer is certbot.eff.org from the Electronic Frontier Foundation.

The following config is the content of /etc/nginx/nginx.conf. Change it to your needs. You probably want to change your servers address (www.example.com in the example) and the path to the SSL certificate and its key.

For JATOS versions 3.8.1 and older it is necessary to set the X-Forwarded-* headers with proxy_set_header to tell JATOS the original requester's IP address. This is not necessary from 3.8.2 and newer.

As an additional security measurement you can uncomment the location /jatos and config your local network. This will restrict the access to JATOS' GUI (every URL starting with /jatos) to the local network.

user                    www-data;
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

# Load modules
include /etc/nginx/modules-enabled/*.conf;

events {
multi_accept on;
worker_connections 65535;
}

http {
sendfile on;
tcp_nopush on;
client_max_body_size 500M;

# MIME
include mime.types;
default_type application/octet-stream;

# Logging
access_log off;
error_log /var/log/nginx/error.log warn;

proxy_buffering off;
proxy_set_header Host $http_host;
proxy_http_version 1.1;

# Needed for websockets
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}

# Load configs
include /etc/nginx/conf.d/*.conf;

upstream jatos-backend {
server 127.0.0.1:9000;
}

# Redirect http to https
server {
listen 80;
# --> Change to your domain <--
server_name www.example.com;
rewrite ^ https://www.example.com$request_uri? permanent;
}

server {
listen 443 ssl http2;
# --> Change to your domain <--
server_name www.example.com;
keepalive_timeout 70;

# Encryption
# --> Change to your certificate <--
ssl_certificate /etc/ssl/certs/localhost.crt;
ssl_certificate_key /etc/ssl/private/localhost.key;
ssl_protocols TLSv1.2 TLSv1.3;

# WebSocket location (JATOS' group and batch channel and the test page)
location ~ "/(jatos/testWebSocket|publix/[a-z0-9-]+/(group/join|batch/open))" {
proxy_pass http://jatos-backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_connect_timeout 7d; # Keep open for 7 days even without any transmission
proxy_send_timeout 7d;
proxy_read_timeout 7d;
}

# Restrict access to JATOS' GUI to local network, e.g. 192.168.1.*
# location /jatos {
# allow 192.168.1.0/24;
# deny all;
# proxy_pass http://jatos-backend;
# proxy_connect_timeout 300;
# proxy_send_timeout 300;
# proxy_read_timeout 300;
# send_timeout 300;
# }

# All other traffic
location / {
proxy_pass http://jatos-backend;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
send_timeout 300;
}
}
}