
Secure Mergin Maps installation

WARNING

This section aims to provide guidelines and a minimal example of how to secure a Mergin Maps deployment.

Further security enhancements should be implemented by experts in accordance with the cybersecurity policies in place.

For security and privacy reasons, Mergin Maps deployments should enable an HTTPS-secured connection using a certificate file.

We provide a template configuration file, `ssl-proxy.conf`, as a base for your configuration.

Let's have a quick look at the main sections:

```nginx
    server {
        listen                  443 ssl;
        server_name             merginmaps.company.com; # FIXME
        client_max_body_size    4G;
        ...
```

Here we enable SSL on the default port 443 and configure a name-based HTTPS server via `server_name`; change this value to your target server name.

We don't recommend setting `client_max_body_size` higher than the value shown, because that might lead to timeouts while uploading your data to Mergin Maps.

Next, you need to point the NGINX configuration to your certificate files. This is done on the following lines of the secured configuration:

```nginx
    ...
    ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME
    ssl_certificate     /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME
    ...
```

The above example uses the certificate and key files generated automatically by Certbot. For more information, visit the Certbot website and check how you can obtain your own certificate.

Some extra security settings for HTTP headers are provided. Please review them and update them in accordance with your requirements.
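Before reloading NGINX with new `ssl_certificate` / `ssl_certificate_key` paths, it is worth checking that the two files actually belong together, that the certificate is not about to expire, and that the private key is not world-readable. The script below is an added example written for this guide; it is not part of the Mergin Maps project or of Certbot. It assumes the `openssl` command-line tool is installed, and the paths in the usage comment are the placeholder `FIXME` paths from the template, to be replaced with your own.

```shell
#!/bin/sh
# check_cert_pair.sh: sanity-check the files referenced by ssl_certificate and
# ssl_certificate_key before (re)loading NGINX. Added example; assumes the
# openssl CLI is installed. Paths are placeholders matching the FIXME lines in
# ssl-proxy.conf; substitute your own.
#
# Usage:
#   sh check_cert_pair.sh /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem \
#                         /etc/letsencrypt/live/merginmaps.company.com/privkey.pem

# check_cert_pair CERT KEY [DAYS]
# Prints one line per problem and returns the number of problems found (0 = ok).
check_cert_pair() {
    cert=$1; key=$2; days=${3:-30}
    problems=0

    # Both files must exist and be readable by the user running the check.
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "MISSING  cannot read $f"; problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || return "$problems"

    # The first certificate in fullchain.pem must belong to the private key:
    # derive the public key from each side and compare. A mismatch makes NGINX
    # refuse to load the configuration.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || :)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || :)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "INVALID  could not parse certificate or key"; problems=$((problems + 1))
    elif [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH certificate public key does not match $key"; problems=$((problems + 1))
    fi

    # Warn if the certificate expires within $days days (Certbot's own renewal
    # window is 30 days; a stale file here usually means renewal is not running).
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "EXPIRING certificate is not valid for another $days days:" \
             "$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null || :)"
        problems=$((problems + 1))
    fi

    # The private key must not be readable by other users: the 8th character of
    # the ls -l mode string is the "other read" bit.
    if [ "$(ls -ld "$key" | cut -c8)" = "r" ]; then
        echo "PERMS    $key is world-readable; chmod 600 it"; problems=$((problems + 1))
    fi

    echo "$problems problem(s) found"
    return "$problems"
}

# Entry point: run only when paths are given on the command line.
case "${1:-}" in
    "") ;;
    *)  check_cert_pair "$1" "$2" "${3:-30}" ;;
esac
```

Run it after every Certbot renewal (for example from a `deploy-hook`) and only reload NGINX when it returns 0; the public-key comparison is what catches the common mistake of updating `fullchain.pem` while leaving an old `privkey.pem` in place.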

```nginx
        # Prevent crawlers from indexing and following links for all content served from the mergin app
        add_header X-Robots-Tag "none";

        # Protect against clickjacking via iframes
        add_header Content-Security-Policy "frame-ancestors 'self';" always;

        # Add an HSTS policy to prevent plain HTTP from the browser
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # Set cookie security flags
        proxy_cookie_flags ~ secure httponly samesite=strict;

        location / {
            root /var/www/html;

            # The lines below were copied from the application proxy
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            # we don't want nginx trying to do something clever with
            # redirects, we set the Host: header above already.
            proxy_redirect off;
            proxy_pass http://app_server;
        }
```
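Once the proxy is deployed, the headers above are easy to verify from outside: fetch the response headers with `curl -I` and check that each protection is present and not weakened (for example an HSTS `max-age` shorter than a year, or a `Set-Cookie` that lost one of its flags because `proxy_cookie_flags` was edited). The script below is an added example written for this guide, not part of the Mergin Maps project; it reads raw HTTP response headers from stdin and needs only POSIX `sh`, `grep` and `sed`. The hostname in the usage comment is the template's placeholder, and the two sample responses are constructed for the demo, not captured from a real server.

```shell
#!/bin/sh
# check_headers.sh: verify that an HTTPS response from the Mergin Maps proxy
# carries the security headers configured in ssl-proxy.conf. Added example.
#
# Usage (hostname is the template placeholder; substitute your server_name):
#   curl -sSI https://merginmaps.company.com/ | sh check_headers.sh --stdin
#   sh check_headers.sh --demo      # runs the constructed samples below

# Print the value of the first header named $1 from $HDRS (already lower-cased).
header_value() {
    printf '%s\n' "$HDRS" | sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# check_headers: read response headers on stdin, print one line per missing or
# weak header, and return the number of problems found (0 = all good).
check_headers() {
    # Normalise: drop CRs and lower-case everything so matching is case-insensitive.
    HDRS=$(tr -d '\r' | tr 'A-Z' 'a-z')
    problems=0

    # HSTS: present, max-age of at least one year, includeSubDomains as in the template.
    hsts=$(header_value strict-transport-security)
    age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$hsts" ]; then
        echo "MISSING Strict-Transport-Security"; problems=$((problems + 1))
    elif [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "WEAK    Strict-Transport-Security: max-age below one year"; problems=$((problems + 1))
    elif ! printf '%s\n' "$hsts" | grep -q includesubdomains; then
        echo "WEAK    Strict-Transport-Security: includeSubDomains missing"; problems=$((problems + 1))
    fi

    # CSP must carry a frame-ancestors directive (the clickjacking protection).
    if ! printf '%s\n' "$(header_value content-security-policy)" | grep -q 'frame-ancestors'; then
        echo "MISSING Content-Security-Policy frame-ancestors"; problems=$((problems + 1))
    fi

    # X-Robots-Tag must tell crawlers not to index or follow.
    if [ "$(header_value x-robots-tag)" != "none" ]; then
        echo "MISSING X-Robots-Tag: none"; problems=$((problems + 1))
    fi

    # Every Set-Cookie must carry the flags proxy_cookie_flags adds. Split the
    # header lines on newlines only, since cookie values contain spaces.
    old_ifs=$IFS; IFS='
'
    for cookie in $(printf '%s\n' "$HDRS" | grep '^set-cookie:' || :); do
        for flag in secure httponly samesite=strict; do
            case "$cookie" in
                *"$flag"*) ;;
                *) echo "WEAK    Set-Cookie without $flag: ${cookie#set-cookie: }"
                   problems=$((problems + 1)) ;;
            esac
        done
    done
    IFS=$old_ifs

    echo "$problems problem(s) found"
    return "$problems"
}

# Constructed sample responses for the demo (not captured from a real deployment).
SAMPLE_OK="HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: frame-ancestors 'self';
x-robots-tag: none
set-cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
"
SAMPLE_WEAK="HTTP/1.1 200 OK
strict-transport-security: max-age=300
content-security-policy: frame-ancestors 'self';
x-robots-tag: none
set-cookie: session=abc123; Path=/; Secure; HttpOnly
"

# Entry point: --demo checks both samples, --stdin checks piped headers.
case "${1:-}" in
    --demo)  printf '%s' "$SAMPLE_OK" | check_headers
             printf '%s' "$SAMPLE_WEAK" | check_headers ;;
    --stdin) check_headers ;;
esac
```

With `--demo` the first sample reports `0 problem(s) found` and the second reports the short HSTS `max-age` and the cookie that lacks `SameSite=Strict`. Note that `curl -I` sends a HEAD request; if your deployment answers HEAD differently from GET, use `curl -sS -o /dev/null -D - https://merginmaps.company.com/` instead so the checked headers come from a real GET response.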