nginx Reverse Proxy

From KlavoWiki
Revision as of 02:52, 19 April 2023 by David

This will allow you to host multiple internal web servers via a single public IP address. The following instructions are based on Raspbian 11.6.

Installation

apt install nginx

Configuration File

vi /etc/nginx/sites-available/reverse-proxy
server {
  listen 443 ssl;
  server_name ha.klaverstyn.com.au;

  ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_certificate       /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
  ssl_certificate_key   /etc/nginx/ssl-cert/privkey.ha.pem;

  location / {
    proxy_pass         https://ha.klaverstyn.com.au;
    proxy_http_version 1.1;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "Upgrade";
  }
}
server {
  listen 80;
  server_name teslamate.klaverstyn.com.au;

  auth_basic "Restricted Content";
  auth_basic_user_file /etc/nginx/.htpasswd-teslamate;

  location / {
    proxy_pass         http://teslamate.klaverstyn.com.au;
    proxy_http_version 1.1;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "Upgrade";
  }
}
server {
  listen 88;
  server_name teslamate.klaverstyn.com.au;
  location / {
    proxy_pass          http://teslamate.klaverstyn.com.au:88;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}
server {
  listen 80;
  server_name box.mailadmin.au;
  location / {
    proxy_pass          http://box.mailadmin.au;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

server {
  listen 443 ssl;
  server_name box.mailadmin.au;

  ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_certificate       /etc/nginx/ssl-cert/box.mailadmin.au.crt;
  ssl_certificate_key   /etc/nginx/ssl-cert/privkey.box.pem;

  location / {
    proxy_pass          https://box.emailadmin.au;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

nginx service

unlink /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/reverse-proxy /etc/nginx/sites-enabled/reverse-proxy

Notes

The server_name is the host header name, which is an A record for your public IP address. The proxy_pass is the FQDN of the server internal to your network. This means you need split DNS for the FQDN: it resolves to the public IP from the internet and to the internal server's IP from inside your network.

Either update your /etc/hosts file so that the internal FQDN is mapped to the correct IP, or
use an internal DNS such as Pi-Hole where you can assign an internal IP address for the FQDN.

I'm storing my TLS certificates in /etc/nginx/ssl-cert/. Note that TLSv1.1 is deprecated (RFC 8996); unless a client still needs it, limit ssl_protocols to TLSv1.2 TLSv1.3.
I'm using a password file (auth_basic) for the teslamate site, as there is no authentication by default. That server block listens on plain port 80, so the basic-auth credentials cross the network in cleartext; serving the site from a 443 ssl block instead keeps them protected.
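The two caveats above are easy to check mechanically. As an added example (not part of the original page), this Python script parses a constructed config in the shape of the one above (hostnames are placeholders) and reports any server block that uses auth_basic without an ssl listener, or that still enables TLSv1/TLSv1.1:

```python
import re

# Constructed sample in the shape of the page's config: one TLS host and one
# host that wraps an unauthenticated app with HTTP basic auth on port 80.
SAMPLE_CONFIG = """
server {
  listen 443 ssl;
  server_name ha.example.internal;
  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  location / { proxy_pass https://ha.example.internal; }
}
server {
  listen 80;
  server_name app.example.internal;
  auth_basic "Restricted Content";
  auth_basic_user_file /etc/nginx/.htpasswd-app;
  location / { proxy_pass http://app.example.internal; }
}
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}  # withdrawn by RFC 8996

def server_blocks(text):
    """Yield the body of each top-level server { ... } block by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def directives(block):
    """Return (name, value) pairs for every 'name value;' directive in the block."""
    return re.findall(r"(\w+)\s+([^;{}]*?)\s*;", block)

def audit(text):
    """Return one (server_name, problem) finding per risk found in a server block."""
    findings = []
    for block in server_blocks(text):
        d = directives(block)
        name = next((v for k, v in d if k == "server_name"), "?")
        tls = any("ssl" in v.split() for k, v in d if k == "listen")
        if any(k == "auth_basic" for k, _ in d) and not tls:
            findings.append((name, "auth_basic on a plain-HTTP listener: credentials sent in cleartext"))
        for k, v in d:
            if k == "ssl_protocols" and DEPRECATED_TLS & set(v.split()):
                findings.append((name, "deprecated protocols enabled: " + " ".join(sorted(DEPRECATED_TLS & set(v.split())))))
    return findings

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```

Run it against the real file with `audit(open("/etc/nginx/sites-available/reverse-proxy").read())` after `nginx -t` passes.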

Other

I'm using iptables and ip6tables to allow access only from Australia, to block unwanted access. Implementing fail2ban would be more ideal.