Using Nginx with Enclave Endpoints

Nginx is a popular choice for a reverse proxy to route requests through to Enclave Endpoints using a proxy_pass directive.

However, one major pitfall of using Nginx with Enclave Endpoints is that, by default, Nginx disregards DNS TTLs and caches the IPs of its upstream servers indefinitely: a hostname in a proxy_pass directive is resolved once, when the configuration is loaded, and the resulting IPs are kept until the next reload. The IPs of Enclave Endpoints, on the other hand, change periodically (under the hood, Enclave uses AWS ELBs, from which the endpoints inherit this property).

This means that Nginx will, by default, eventually use the wrong IPs when pointed at an Enclave Endpoint through a proxy_pass directive.

To work around this problem, you should avoid the following configuration pattern in your Nginx configuration:

location / {
    proxy_pass https://hostname-of-an-endpoint;
}

Instead, use this:

# A resolver is required once proxy_pass uses a variable; it can sit in the
# http, server or location context. Nginx then re-resolves honoring the DNS TTL
# (overridable with the valid= parameter). An internal resolver you trust is a
# sound alternative to a public one.
resolver 8.8.8.8;

# 'set' is valid only in server, location and if blocks; the variable makes
# Nginx look the hostname up at request time instead of once at load time.
set $upstream_endpoint https://hostname-of-an-endpoint;

location / {
    proxy_pass $upstream_endpoint;
}
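The distinction above (a literal hostname in proxy_pass versus a variable backed by a resolver) is easy to check for mechanically. The following is an added example, not part of this page or of Enclave's own tooling: a small Python audit that scans an Nginx configuration for proxy_pass targets and flags the cached-hostname pattern, while recognising the cases that are fine (IP literals, named upstream groups, and variables when a resolver is configured) and the variable-without-resolver case, which Nginx rejects at request time. The configuration text it runs over is constructed for the example, and the checker is regex-based, so it does not follow include files or map blocks (those variables are reported as "variable-unknown").

```python
import re

# Constructed sample nginx configuration for the checker below; it is not a real
# deployment and not the page's own configuration. It mixes the pitfall with the fix.
SAMPLE_CONFIG = """
http {
    resolver 8.8.8.8;

    upstream local_pool {
        server 10.0.0.10:8080;
    }

    server {
        listen 443 ssl;

        # Pitfall: hostname resolved once when the config is loaded, then cached.
        location /static-name/ {
            proxy_pass https://hostname-of-an-endpoint;
        }

        # Literal IP: no DNS lookup, nothing to go stale.
        location /by-ip/ {
            proxy_pass http://10.0.0.5:8080;
        }

        # Named upstream group: not an external DNS name at all.
        location /pool/ {
            proxy_pass http://local_pool;
        }

        # Recommended pattern: a variable makes nginx re-resolve via 'resolver'.
        set $upstream_endpoint https://hostname-of-an-endpoint;
        location /dynamic/ {
            proxy_pass $upstream_endpoint;
        }
    }
}
"""

PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;")
SET_RE = re.compile(r"^\s*set\s+(\$\w+)\s+(\S+?)\s*;")
UPSTREAM_RE = re.compile(r"^\s*upstream\s+(\S+)\s*\{")
RESOLVER_RE = re.compile(r"^\s*resolver\s+\S")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_of(target):
    """Reduce a proxy_pass target such as 'https://host:443/path' to 'host'.
    A bare variable like '$upstream_endpoint' is returned unchanged."""
    target = re.sub(r"^[a-z]+://", "", target)
    target = target.split("/", 1)[0]
    if target.startswith("["):          # bracketed IPv6 literal, keep as-is
        return target.split("]", 1)[0] + "]"
    return target.rsplit(":", 1)[0]     # drop an optional :port


def classify(target, variables, upstreams, has_resolver):
    """Return a label describing how nginx will resolve this proxy_pass target."""
    if target.startswith("$"):
        value = variables.get(host_of(target))
        if value is None:
            return "variable-unknown"   # set via map/include; inspect manually
        host = host_of(value)
        if IPV4_RE.match(host) or host.startswith("["):
            return "ip-literal"
        # Variable hostname: re-resolved per request, but only if a resolver exists;
        # without one nginx fails the request with "no resolver defined".
        return "dynamic-ok" if has_resolver else "variable-without-resolver"
    host = host_of(target)
    if IPV4_RE.match(host) or host.startswith("["):
        return "ip-literal"
    if host in upstreams:
        return "upstream-group"
    return "static-hostname-cached"     # the pitfall this page is about


def audit(config_text):
    """Scan a config once and return [(line_no, target, label), ...] for each proxy_pass."""
    lines = [line.split("#", 1)[0] for line in config_text.splitlines()]  # strip comments
    has_resolver = any(RESOLVER_RE.match(line) for line in lines)
    upstreams = {m.group(1) for line in lines if (m := UPSTREAM_RE.match(line))}
    variables = {m.group(1): m.group(2) for line in lines if (m := SET_RE.match(line))}
    findings = []
    for number, line in enumerate(lines, 1):
        m = PROXY_PASS_RE.match(line)
        if m:
            findings.append((number, m.group(1), classify(m.group(1), variables, upstreams, has_resolver)))
    return findings


if __name__ == "__main__":
    for number, target, label in audit(SAMPLE_CONFIG):
        flag = "!!" if label in ("static-hostname-cached", "variable-without-resolver") else "ok"
        print(f"{flag} line {number}: proxy_pass {target} -> {label}")
```

Run against a real configuration with `audit(open("/etc/nginx/nginx.conf").read())` (path is an assumption for your system); any `static-hostname-cached` finding that points at an Enclave Endpoint is a candidate for the resolver-plus-variable pattern shown above.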

See also

Credit for this workaround goes to Jeppe Fihl-Pearson in his Nginx with dynamic upstreams blog post. Read it to learn more about why this fix is necessary, and why it works.