Previous Page

nihilist - 00 / 00 / 00

Installing Etherpad behind a nginx reverse proxy

Initial Setup

apt install nodejs git npm -y
cd /srv
git clone --branch master
cd etherpad-lite

wget -O  /etc/systemd/system/etherpad.service 

now since you can't run the server as root for the first time, we create an etherpad user:

adduser etherpad
cd /srv/etherpad-lite
chown etherpad. -R .

apt install sudo -y
usermod -aG sudo etherpad
sudo -u etherpad /srv/etherpad-lite/src/bin/ 

systemctl daemon-reload
systemctl enable --now etherpad
systemctl status etherpad

And that's it ! you should be able to access your etherpad instance on port 9001.

Nginx Reverse Proxy with HTTPS

From there, you can setup your reverse nginx proxy, it can either be on the server itself or it can be on another machine in the same network:

root@etherpad:/srv/etherpad-lite# ip a | grep inet
    inet scope host lo
    inet6 ::1/128 scope host 
    inet brd scope global eth0
    inet6 fe80::44ed:6ff:fef6:77a/64 scope link 

For example here my debian host is in so we can use another debian host with nginx on it in the same subnet:

root@home:~# ip a | grep inet
    inet scope host lo
    inet6 ::1/128 scope host
    inet brd scope global ens18
    inet6 fe80::94b0:53ff:fe08:49a6/64 scope link
    inet6 2001:470:1f12:141::2/64 scope global deprecated
    inet6 fe80::c0a8:65/64 scope link

Right now my other debian host is at, so we can configure nginx accordingly:

apt install nginx -y
rm /etc/nginx/sites-available/default
rm /etc/nginx/sites-enabled/default
vim /etc/nginx/sites-available/

Right now i named my nginx config as because i intend to host it with a TLS 1.3 certificate from letsencrypt. It doesn't matter that the previous debian host with etherpad on it only runs on http, the reverse proxying nginx will turn it into https:

upstream padbackend {

server {
        listen 80;
        listen [::]:80;
        return 301 https://$server_name$request_uri;

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /root/;
        ssl_trusted_certificate /root/;
        ssl_certificate_key /root/;

        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        ssl_ecdh_curve auto;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver valid=300s;
        resolver_timeout 10s;

        add_header X-XSS-Protection "1; mode=block"; #Cross-site scripting
        add_header X-Frame-Options "SAMEORIGIN" always; #clickjacking
        add_header X-Content-Type-Options nosniff; #MIME-type sniffing
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

        location / {
                proxy_pass http://padbackend;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";

With this we are able to connect to our etherpad http service on port 9001, and make it so that for the end user he is connecting through port 443 (https) regardless of the initial http protocol and the weird port number. Next step is to install to get the certificates:

wget -O - | sh
source ~/.bashrc

#make sure that the domain name is actually working

systemctl stop nginx --issue --standalone -d -k 4096	

ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/
nginx -t

systemctl start nginx

Testing the end result

And now all that's left to do is to go and check if it is working properly:

All that's needed from here is to just create a notepad (here i named it tarace)

And if we give it to other people, we can let them write on it as we are writing on it.


Until there is Nothing left.

About nihilist

Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8

Contact: (PGP)