- \n
- A whole site,<\/li>\n
- A directory of a site.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Requirements:<\/p>\n
sudo apt update && sudo apt upgrade -y\r\nsudo apt install nginx -y\r\nsudo nano \/etc\/nginx\/sites-available\/default<\/pre>\n
Change the following configuration with your domain:<\/p>\n
server {\r\n listen 80 default_server;\r\n listen [::]:80 default_server;\r\n root \/var\/www\/html;\r\n server_name<\/strong> example.com www.example.com<\/strong><\/span>;\r\n}<\/pre>\nCheck the configuration and restart the server.<\/p>\n
nginx -t && nginx -s reload<\/pre>\n
Access your website using your web browser and note that is labeled as an insecure connection.<\/p>\n
\nSSL\/TLS<\/strong><\/p>\n
Install the Cerbot and execute it against your :<\/p>\n
sudo apt-get install certbot python3-certbot-nginx -y\r\nsudo certbot --nginx<\/pre>\n
![\"\"](\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2021\/06\/Screenshot_2021-06-02_19-26-45.png\")
<\/p>\nOnly on the first time it will ass that many questions.<\/p>\n
Alternatively, the domain could be specified to skip one step.<\/p>\n
sudo certbot --nginx -d example.com<\/span> -d example2.com<\/span><\/strong><\/pre>\nReload the server and refresh the browser to verify that it was automatically redirected to a secure connection.<\/p>\n
nginx -s reload<\/pre>\n
The browser will hop from HTTP<\/strong>:\/\/example.com to HTTPS<\/span><\/strong>:\/\/example.com.<\/p>\n
Create a cron job using the root user to automatically renew the certificate that will expire every 90 days:<\/p>\n
sudo su\r\ncrontab -e<\/pre>\n
Append:<\/p>\n
0 12 * * * \/usr\/bin\/certbot renew --quiet<\/pre>\n
\nREVERSE PROXY<\/strong><\/p>\n
To prevent CPU overload with multiple encrypted sessions it is recommended to use regular HTTP connection internally when possible (restricted VLAN for example).<\/p>\n
Edit the virtual server configuration:<\/p>\n
sudo nano \/etc\/nginx\/sites-available\/default<\/pre>\n
Applying the reverse proxy to the root of the website.<\/strong><\/p>\n
Edit the virtual server configuration:<\/p>\n
sudo nano \/etc\/nginx\/sites-available\/default<\/pre>\n
Look for the location { … }<\/strong> block.<\/p>\n
location \/ {<\/strong>\r\n proxy_pass http:\/\/127.0.0.1:5000<\/span><\/strong>;\r\n proxy_set_header Host $host;\r\n proxy_set_header X-Forwarded-Proto $scheme;\r\n proxy_set_header X-Real-IP $remote_addr;\r\n proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;<\/span>\r\n}<\/strong><\/pre>\nThis configuration will forward the traffic to the host and port defined. The example above will forward to localhost under port 5000, which could be a docker application listening on this port.<\/p>\n
All the lines in orange<\/span> are optional and will provide metadata to the hidden application if necessary.<\/p>\n
Applying the reverse proxy to a directory of the website.<\/strong><\/p>\n
Create a location block to the desired directory.<\/p>\n
location \/proxied_page\/<\/span> {<\/strong>\r\n proxy_pass http:\/\/192.168.1.7<\/strong>;\r\n}<\/strong><\/pre>\nIn the example above the reverse proxy is applied only to the directory proxied_page<\/strong><\/span> to another host (192.168.1.7<\/strong>) in the private network on the default HTTP port.<\/p>\n
\nBONUS: Reverse Proxy with Apache<\/p>\n
sudo a2enmod proxy\r\nsudo a2enmod proxy_http\r\nsudo a2enmod proxy_balancer\r\nsudo a2enmod lbmethod_byrequests<\/pre>\n
Include the following lines accordingly to your need in the site configuration file:<\/p>\n
ProxyPreserveHost On\r\nProxyPass \/ http:\/\/10.1.1.1:8080\/\r\nProxyPass \/directory http:\/\/192.168.1.1\/\r\nProxyPass \/another_directory http:\/\/172.16.1.1\/dir\/<\/pre>\n
Restart the service.<\/p>\n
sudo apachectl configtest\r\nsudo systemctl restart apache2.service<\/pre>\n
Additionally, the reverse proxy can also act as a load balancer:<\/p>\n
<Proxy balancer:\/\/cluster>\r\n BalancerMember http:\/\/webserver1\r\n BalancerMember http:\/\/webserver2\r\n<\/Proxy>\r\n\r\nProxyPreserveHost On\r\nProxyPass \/ balancer:\/\/cluster\/\r\nProxyPassReverse \/ balancer:\/\/cluster\/<\/pre>\n
You can also apply health checks to the nodes of the members of the cluster:<\/p>\n
<Proxy balancer:\/\/cluster>\r\n BalancerMember \"http:\/\/webserver1\" hcmethod=HEAD hcinterval=1 hcpasses=9 hcuri=\/app\/status\r\n BalancerMember \"http:\/\/webserver2\" hcmethod=HEAD hcinterval=1 hcpasses=9 hcuri=\/app\/status\r\n<\/Proxy><\/pre>\n
Moreover, on the host side (where the web application is running) if it is running Apache too:<\/p>\n
- \n
- The logs will contain the Remore Address IP of the reverse proxy server for all clients.<\/li>\n
- To fix this issue the module mod_remoteip<\/strong> must be enabled and configured as follows.<\/span><\/li>\n<\/ul>\n
sudo a2enmod remoteip\r\nsudo nano \/etc\/apache2\/apache2.conf<\/pre>\n
Append the line:<\/p>\n
RemoteIPHeader X-Forwarded-For<\/pre>\n
Change the following line.<\/p>\n
From:<\/p>\n
LogFormat \"%h<\/strong><\/span> %l %u %t \\\"%r\\\" %>s %O \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined<\/pre>\nTo:<\/p>\n
LogFormat \"%a<\/strong><\/span> %l %u %t \\\"%r\\\" %>s %O \\\"%{Referer}i\\\" \\\"%{User-Agent}i\\\"\" combined<\/pre>\nThen, check the configuration and apply the changes:<\/p>\n
sudo apachectl configtest && sudo systemctl restart apache2<\/pre>\n","protected":false},"excerpt":{"rendered":"In this tutorial, we will go through: Install and configure NGINX, Install and configure SSL\/TLS, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[],"class_list":["post-2178","post","type-post","status-publish","format-standard","hentry","category-linux","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2178","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2178"}],"version-history":[{"count":9,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2178\/revisions"}],"predecessor-version":[{"id":2948,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2178\/revisions\/2948"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2178"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2178"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2178"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}