Run Acrolinx Behind a Reverse Proxy

We recommend setting up a dedicated reverse proxy for your Acrolinx Core Platform as a standard security measure. This reverse proxy should be on the same computer as the Core Platform.

A reverse proxy not only ensures that any traffic to your Core Platform is secure, it will also help you avoid other security issues. For example, on Linux a reverse proxy will help you avoid privilege escalations – you can create a dedicated Acrolinx Core Platform user with restricted permissions, and let the reverse proxy listen on ports that require superuser permissions. The Core Platform uses the default ports 80 and 443, which require superuser permissions.

In this article, you'll learn how to set up a reverse proxy for Acrolinx. We use NGINX at Acrolinx, so we've included an NGINX configuration example to show you how we do it. You can use our example as a template – especially if you're on Standard Stack it should work as is. You can of course use other reverse proxy software if you prefer.

Configuring Your Reverse Proxy

To run your Core Platform behind a reverse proxy, you'll need the following configuration:

  • Your proxy server is secured with an SSL certificate.
  • Your proxy server has Transport Layer Security (TLS) termination enabled.
  • Your proxy server adds forwarding information. The following headers are supported:
    • Forwarded as defined by rfc7239

    • X-Forwarded-Host and X-Forwarded-Proto

  • The proxy timeout limit is set to at least 360 seconds.

Example Configuration with NGINX

Below you can see an example configuration for an NGINX reverse proxy. This is the configuration that we use at Acrolinx, and we know it works for Standard Stack installations. If you have a different setup, you can still use this example as a template, but you should adapt it to your specific environment and needs. For the full details on how to set up a reverse proxy with NGINX, take a look at NGINX's own documentation on reverse proxy configuration and TLS termination.

Example NGINX Configuration
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    return       301 https://$host$request_uri;
server {
    listen                      443 default_server ssl;
    listen                      [::]:443 default_server ssl;
    server_name                 _;

    ssl_certificate             /etc/ssl/certs/cert.crt; # Your SSL cert goes here
    ssl_certificate_key         /etc/ssl/private/cert.key; # Your SSL key goes here

    ssl_session_timeout         5m;
    ssl_protocols               TLSv1.2; # Add TLSv1.1 here if required for older versions of Java
    ssl_prefer_server_ciphers   On;
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        client_max_body_size        0;
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_set_header            X-Forwarded-For $remote_addr;
        proxy_set_header            X-Forwarded-Proto $scheme;
        proxy_set_header            Host $host;
        proxy_pass        ;
        proxy_read_timeout          900s;

Using Acrolinx for GitHub Behind a Reverse Proxy

If you're using Acrolinx for GitHub, you'll need to update the external base URL of the core server. This ensures that external users can’t see the real Acrolinx URL. Instead, external users see only the address of your proxy server when interacting with Acrolinx.

To configure the external base URL for the core server, follow these steps:

  1. Open the

    To edit from the Dashboard, go to Maintenance > Configuration Properties, then follow the folder structure config > server > bin and click on the file You can then edit the properties directly from the Dashboard.

    Alternatively, you can edit from the configuration directory: %ACROLINX_CONFIGURATION_ROOT%\server\bin\

  2. Add the following property:



    Enter a base URL only. Don’t enter a base URL with a subdirectory such as Some Acrolinx components assume that Acrolinx is running at the top level of the host address. These components won’t work if the internal base URL is redirected to a subdirectory of the external base URL.

  3. Save your changes and restart the core server.