Nginx as Reverse Proxy

From PKC
Jump to navigation Jump to search

The first place to learn Nginx can be found in this book[1]:

The following content is assuming that you are running an Ubuntu distribution of Linux.

Install Nginx

The following code can be copied and pasted to perform the task of installing Nginx on Ubuntu:[2] For scripted installation, please refer to Install Nginx using bash script on Ubuntu.

sudo apt-get update
sudo apt-get install nginx -y

To test the installation, make sure that your server's port 80 and 443 are open, and their respective sources[note 1] are set to 0.0.0.0/0.

For Amazon AMI Linux distribution,

sudo amazon-linux-extras install nginx1

Disable Default Virtual Host of Nginx

Then, try to unlink this existing link:

sudo unlink /etc/nginx/sites-enabled/default


To configure Nginx for multiple hosts, please refer to this website[3]:

Create the Reverse Proxy

Now go to the Nginx site-available directory

cd /etc/nginx/sites-available

Use a text editor or copy a file with the following file name: reverse-proxy.conf.

For example, use the text editor vi, you can type the following command:

vi reverse-proxy.conf


In the file, type in the following content. Please note that this configuration, especially the port number 9352 is a PKC specific specification.

server {
    listen 80;
    location / {
        proxy_pass http://localhost:9352;
    }
}

Test Nginx and the Reverse Proxy

Activate the directives by linking to /sites-enabled/ using the following command:

sudo ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

For websites that must handle upload more than 2Mb in size, one must add the following entry to the file /etc/nginx/nginx.conf[4]:

# set client body size to 50M #
client_max_body_size 50M;


First, verify the syntax of all the above content is legitimate:

sudo service nginx configtest

Then, restart Nginx to kick it into action:

sudo service nginx restart

Set up Let's Encrypt

After setting up Nginx, one can consider setting up the free-of-charge Let's Encrypt certificate. The following instructions are modeled after this Medium article[5]: (For installation on AMI Linux, please see this page Tutorial: Configure SSL/TLS on Amazon Linux 2. )

sudo add-apt-repository ppa:certbot/certbot


Then, install the python3 certbot for Nginx.

sudo apt install python3-certbot-nginx

For AMI Linux:

sudo yum install -y certbot python2-certbot-apache


Then, install the python3 certbot for Nginx.

cd /etc/nginx/sites-enabled/

In this directory: /etc/nginx/sites-enabled/ create the following file using a text editor or just copy a text file to this location with a name that is similar to this:dev.example.com For example, if the name of your domain is dev.thewiki.us, then the file name should be: dev.thewiki.us. Using vi as a text editor, your will type this in command line:

  
vi dev.thewiki.us.conf
                                                  
server {
    server_name dev.thewiki.us;
    # The internal IP of the VM that hosts your Apache config
    set $upstream 127.0.0.1:9352;
        location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection “”;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
    listen 80;
}


First, test if the above file passes the syntactical test:

 
sudo nginx -t

Then, you may run:

 
sudo systemctl reload nginx

Run the Certbot to get the Let's Encrypt certificate

The installation script[6] will take you up to this point. You should use a terminal application to conduct the following steps manually.

Before running the following statement, make sure that the domain names listed here have already had the relevant IP addresses properly associated with the domain names, such as example.com, and dev.example.com

sudo certbot --nginx -d example.com -d dev.example.com

Reverse Proxy

After succeeded in running the certbot program, files in /etc/nginx/conf.d/ will be updated. The file to pay attention to is the domain_name.conf file, in the case of dev.example.com, the file name should be: dev.example.com.conf.

Specifically, in the directory: /etc/nginx/conf.d/ create the following file using a text editor or just copy a text file to this location with a name that is similar to this:dev.example.com.conf For example, if the name of your domain is example.com, then the file name should be: example.com.conf. Using vi as a text editor, your will type this in command line:

  
vi example.com.conf

The following content can be copied and pasted into your example.com.conf file. The port number, in this example, 9352 should be replaced by the port number of your choice.

server {
    root /var/www/html;
    server_name example.com www.example.com;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/thewiki.us/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/thewiki.us/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location / {
      proxy_pass  http://localhost:9352;
    }


}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 404; # managed by Certbot

    location / {
      proxy_pass  http://localhost:9352;
    }
}

References

Notes

  1. Source: "Determines the traffic that can reach your instance. Specify a single IP address, or an IP address range in CIDR notation (for example, 203.0.113.5/32). If connecting from behind a firewall, you'll need the IP address range used by the client computers. You can specify the name or ID of another security group in the same region. To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup." text extracted from Amazon Web Service