NginX as Reverse Proxy

From Linux Infrastructure Advisory
Revision as of 10:25, 20 December 2024 by Adminforsysengwiki (talk | contribs)
Setup Details
hostname: infrabase1
Network: 10.1.65.0/24
IP Address : 10.1.65.11
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar
Software: nginx

Container: webserver
Network: 10.1.65.0/24
IP Address : 10.1.65.107
Subnet Mask: 255.255.255.0
Gateway: 10.1.65.1
DNS: 8.8.8.8
sudo user: kedar

User PC Details
PC type: Desktop
OS: Ubuntu Desktop
IP Address: 10.1.65.160

Before you proceed

The domain used here is networked.net. It is used only for demonstration, and the required DNS entries for this domain have already been added to the hosts file so that the domain and its subdomains are reachable on the network. This domain may be owned by someone else; we do not know who owns it and we are not linked to them. If you visit networked.net and find material that is suitable or unsuitable for you, note that we are not its owners and are not responsible for the content.

Introduction

  • We will be using NginX as a reverse proxy. The examples shown here are two websites running WordPress on two different ports of an Apache webserver
  • NginX will be installed on the infrabase1 server (10.1.65.11) and will listen on port 443
  • The sites are configured on a separate Linux container called webserver (IP address: 10.1.65.107). NginX will forward requests to the WordPress sites on the ports on which they have been configured in Apache on webserver
  • While NginX listens on port 443, it can communicate on any port with the internal servers running the various applications

What is Reverse Proxy

A proxy server is a go‑between or intermediary server that forwards requests for content from multiple clients to different servers across the Internet. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.

Common uses for a reverse proxy server include:

  • Load balancing – A reverse proxy server can act as a “traffic cop,” sitting in front of your backend servers and distributing client requests across a group of servers in a manner that maximizes speed and capacity utilization while ensuring no one server is overloaded, which can degrade performance. If a server goes down, the load balancer redirects traffic to the remaining online servers.
  • Web acceleration – Reverse proxies can compress inbound and outbound data, as well as cache commonly requested content, both of which speed up the flow of traffic between clients and servers. They can also perform additional tasks such as SSL encryption to take load off of your web servers, thereby boosting their performance.
  • Security and anonymity – By intercepting requests headed for your backend servers, a reverse proxy server protects their identities and acts as an additional defense against security attacks. It also ensures that multiple servers can be accessed from a single record locator or URL regardless of the structure of your local area network.
  • Efficient use of IP addresses – Using a single public IP address, thousands of websites can be configured behind a NginX reverse proxy.

Installing NginX

  • We shall be installing NginX on the base server on which the various Linux containers are hosted
  • The Linux container called webserver hosts the two WordPress sites used in this demonstration
  • ssh into the host server (infrabase1) and run the following commands
sudo apt install nginx
sudo systemctl status nginx
  • The status should show as below
kedar@infrabase1:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2020-04-19 01:39:13 UTC; 4h 12min ago
     Docs: man:nginx(8)
  Process: 1248 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 821 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 1261 (nginx)
    Tasks: 5 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─1261 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─1262 nginx: worker process
           ├─1263 nginx: worker process
           ├─1265 nginx: worker process
           └─1266 nginx: worker process

Apr 19 01:39:09 infrabase1 systemd[1]: Starting A high performance web server and a reverse proxy server...
Apr 19 01:39:13 infrabase1 systemd[1]: Started A high performance web server and a reverse proxy server.
kedar@infrabase1:~$

Copy certificate files

  • Copy the certificate and key files created on webserver for the two sites, which are stored in /etc/ssl/certs and /etc/ssl/private, to the infrabase1 server
ssh kedar@10.1.65.107
sudo su
scp /etc/ssl/certs/wpress.crt kedar@10.1.65.11:/home/kedar/
scp /etc/ssl/private/wpress.key kedar@10.1.65.11:/home/kedar/
scp /etc/ssl/certs/jumbo.crt kedar@10.1.65.11:/home/kedar/
scp /etc/ssl/private/jumbo.key kedar@10.1.65.11:/home/kedar/
  • Now go to the infrabase1 server and copy the certificate and key files to the appropriate places as shown below
ssh kedar@10.1.65.11
sudo su
cp /home/kedar/wpress.crt /etc/ssl/certs/
cp /home/kedar/wpress.key /etc/ssl/private/
cp /home/kedar/jumbo.crt /etc/ssl/certs/
cp /home/kedar/jumbo.key /etc/ssl/private/

Create config file

Create a file called wpress.conf in /etc/nginx/sites-available/ on the infrabase1 server (10.1.65.11) and paste the content below into the file

server {
        listen 80;
        server_name 'wpress.networked.net';
        # Redirect plain HTTP to HTTPS
        return 301 https://$host$request_uri;
}

server {
        # The "ssl" parameter on listen enables TLS. The separate "ssl on;"
        # directive is deprecated since nginx 1.15.0 and removed in 1.25.1.
        listen 443 ssl;
        ssl_certificate '/etc/ssl/certs/wpress.crt';
        ssl_certificate_key '/etc/ssl/private/wpress.key';
        server_name 'wpress.networked.net' 'wpress';
        location / {
                proxy_pass_header Authorization;
                # WordPress site on webserver, Apache port 35503
                proxy_pass https://10.1.65.107:35503;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                proxy_buffering off;
                # 0 disables the request body size check entirely
                client_max_body_size 0;
                # 36000s = 10 hours
                proxy_read_timeout 36000s;
                proxy_redirect off;
                proxy_ssl_session_reuse off;
        }
}

Create a file called jumbo.conf in /etc/nginx/sites-available/ and paste the content below into the file

server {
        listen 80;
        server_name 'jumbo.networked.net';
        # Redirect plain HTTP to HTTPS
        return 301 https://$host$request_uri;
}

server {
        # The "ssl" parameter on listen enables TLS. The separate "ssl on;"
        # directive is deprecated since nginx 1.15.0 and removed in 1.25.1.
        listen 443 ssl;
        ssl_certificate '/etc/ssl/certs/jumbo.crt';
        ssl_certificate_key '/etc/ssl/private/jumbo.key';
        server_name 'jumbo.networked.net' 'jumbo';
        location / {
                proxy_pass_header Authorization;
                # WordPress site on webserver, standard HTTPS port 443
                proxy_pass https://10.1.65.107;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_http_version 1.1;
                proxy_set_header Connection "";
                proxy_buffering off;
                # 0 disables the request body size check entirely
                client_max_body_size 0;
                # 36000s = 10 hours
                proxy_read_timeout 36000s;
                proxy_redirect off;
                proxy_ssl_session_reuse off;
        }
}
  • Enable the virtualhosts in NginX
sudo ln -s /etc/nginx/sites-available/wpress.conf /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/jumbo.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx
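
Both site files proxy to the backend over https://, and NginX does not check the backend certificate unless proxy_ssl_verify is on and proxy_ssl_trusted_certificate names a trust anchor. The audit script below is an added example, not part of the original page; the finding names, the sample_conf helper and the hardened directives (which assume the backend certificate is issued for wpress.networked.net) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Flags server blocks whose HTTPS
# upstream is not certificate-verified or whose request body size is unlimited.

# usage: audit_conf [FILE...]  (stdin if no file); prints "server_name<TAB>FINDING"
audit_conf() {
  awk -v q="'" '
    function report() {
      if (up != "" && !(verify && trust)) print name "\tUPSTREAM_TLS_UNVERIFIED " up
      if (nolimit) print name "\tNO_BODY_SIZE_LIMIT"
      name = up = ""; verify = trust = nolimit = seen = 0
    }
    { sub(/#.*/, "") }                               # ignore comments
    $1 == "server_name" { name = $2; gsub(q, "", name); sub(/;$/, "", name) }
    $1 == "proxy_pass" && $2 ~ /^https:/ { up = $2; sub(/;$/, "", up) }
    $1 == "proxy_ssl_verify" && $2 ~ /^on;?$/ { verify = 1 }
    $1 == "proxy_ssl_trusted_certificate" { trust = 1 }
    $1 == "client_max_body_size" && $2 ~ /^0;?$/ { nolimit = 1 }
    {                                                # report when a server block closes
      o = gsub(/[{]/, "{"); c = gsub(/[}]/, "}")
      if (o) seen = 1
      depth += o - c
      if (depth == 0 && seen) report()
    }
  ' "$@"
}

# Constructed sample modelled on the wpress block; $1 = extra location directives.
sample_conf() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name 'wpress.networked.net' 'wpress';
    location / {
        proxy_pass https://10.1.65.107:35503;
$1
    }
}
EOF
}

WEAK='        client_max_body_size 0;'
HARDENED='        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/wpress.crt;
        proxy_ssl_name wpress.networked.net;'

sample_conf "$WEAK" | audit_conf        # two findings
sample_conf "$HARDENED" | audit_conf    # no findings
```

On infrabase1 the same function can be pointed at /etc/nginx/sites-enabled/*.conf, together with sudo nginx -t, before the restart.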

Testing

  • Try accessing the websites using the browser and accept the certificate errors
  • Websites should be accessible

Conclusion

  • We have two websites running behind the NginX proxy server: one on port 35503 and the other on the standard SSL port 443
  • The websites are running on a webserver with IP address : 10.1.65.107 while the proxy address is : 10.1.65.11
  • Like the above examples, multiple such websites and web applications can be hosted behind the NginX proxy server