nginx Reverse Proxy: Difference between revisions

From KlavoWiki
No edit summary
Line 19: Line 19:
   server_name ha.klaverstyn.com.au;
   server_name ha.klaverstyn.com.au;


   ssl_protocols        TLSv1.1 TLSv1.2 TLSv1.3;
   ssl_protocols        TLSv1.2 TLSv1.3;
   ssl_certificate      /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
   ssl_certificate      /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
   ssl_certificate_key  /etc/nginx/ssl-cert/privkey.ha.pem;
   ssl_certificate_key  /etc/nginx/ssl-cert/privkey.ha.pem;
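Review bot: Dropping TLSv1.1 from the ha.klaverstyn.com.au block is the right change, but the box.mailadmin.au server block in the same revision still carries `ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;`, so that vhost keeps negotiating TLS 1.1; change it to `ssl_protocols         TLSv1.2 TLSv1.3;` as well so the policy is consistent across the proxy. Also note that the `nginx -t` step on this page validates syntax only and will not flag the stale protocol list.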

Revision as of 05:21, 13 July 2023

This will allow you to host multiple internal web servers behind a single public IP address. The following instructions are based on Raspbian 11.6.

Installation

 apt install nginx 

Configuration File

 vi /etc/nginx/sites-available/reverse-proxy 
server {
  # Plain-HTTP listener: redirect everything to HTTPS, keeping the requested path.
  listen 80;
  server_name ha.klaverstyn.com.au;

  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name ha.klaverstyn.com.au;

  ssl_protocols         TLSv1.2 TLSv1.3;
  ssl_certificate       /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
  ssl_certificate_key   /etc/nginx/ssl-cert/privkey.ha.pem;

  location / {
    # Same FQDN as server_name: split DNS must resolve it to the internal host (see Notes).
    proxy_pass         https://ha.klaverstyn.com.au;
    # HTTP/1.1 and the Upgrade/Connection headers are required for websocket upgrades.
    proxy_http_version 1.1;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "Upgrade";
  }
}

server {
  listen 80;
  server_name teslamate.klaverstyn.com.au;

  # TeslaMate has no authentication of its own, so require HTTP basic auth at the proxy.
  auth_basic "Restricted Content";
  auth_basic_user_file /etc/nginx/.htpasswd-teslamate;

  location / {
    proxy_pass         http://teslamate.klaverstyn.com.au;
    proxy_http_version 1.1;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "Upgrade";
  }
}

server {
  # Second TeslaMate service, exposed on port 88 on both sides of the proxy.
  listen 88;
  server_name teslamate.klaverstyn.com.au;

  location / {
    proxy_pass          http://teslamate.klaverstyn.com.au:88;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

server {
  listen 80;
  server_name box.mailadmin.au;

  location / {
    proxy_pass          http://box.mailadmin.au;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

server {
  listen 443 ssl;
  server_name box.mailadmin.au;

  ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_certificate       /etc/nginx/ssl-cert/box.mailadmin.au.crt;
  ssl_certificate_key   /etc/nginx/ssl-cert/privkey.box.pem;

  location / {
    proxy_pass          https://box.emailadmin.au;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

Enable Config

 unlink /etc/nginx/sites-enabled/default 
 ln -s /etc/nginx/sites-available/reverse-proxy /etc/nginx/sites-enabled/reverse-proxy 

Testing Config

Test the configuration file before restarting the service and committing the new changes.

 nginx -t 
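nginx -t only checks that the file parses; a server block that still offers TLSv1 or TLSv1.1 passes it without comment. The following script is an added example, not part of the original page: it pairs each server_name with the ssl_protocols directive in the same block and reports any block that lists a legacy protocol. It assumes one server_name and at most one ssl_protocols directive per server block, as in the config above; the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): lint an nginx config for server
# blocks whose ssl_protocols still include SSLv3, TLSv1 or TLSv1.1.
# Assumption: one server_name and at most one ssl_protocols per server block.

# Usage: check_legacy_tls /etc/nginx/sites-available/reverse-proxy
# Prints "server_name<TAB>protocol list" for each offending block; exits 1 if any.
check_legacy_tls() {
    awk '
        /^[[:space:]]*server_name[[:space:]]/ {
            name = $2
            sub(/;$/, "", name)
        }
        /^[[:space:]]*ssl_protocols[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*ssl_protocols[[:space:]]+/, "", line)
            sub(/;.*$/, "", line)
            n = split(line, proto, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (proto[i] == "SSLv3" || proto[i] == "TLSv1" || proto[i] == "TLSv1.1") {
                    print name "\t" line
                    bad = 1
                    break
                }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed two-vhost sample: one block already on TLS 1.2+, one still on TLS 1.1.
write_sample_config() {
    cat > "$1" <<'EOF'
server {
  listen 443 ssl;
  server_name ha.example;
  ssl_protocols         TLSv1.2 TLSv1.3;
}
server {
  listen 443 ssl;
  server_name box.example;
  ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
}
EOF
}

# Run directly with a config path to lint it; with no argument nothing runs.
if [ "$#" -gt 0 ]; then
    check_legacy_tls "$1"
fi
```

Run it next to nginx -t, e.g. `sh check-tls.sh /etc/nginx/sites-available/reverse-proxy`; a non-zero exit lets you stop a deployment script before the restart step.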

Restarting

For the new config file to take effect, restart the service.

 systemctl restart nginx 
 systemctl status nginx 

Notes

The server_name is the host header name, an A record that points at your public IP address. The proxy_pass is the FQDN of the server inside your network. Because the same FQDN is used for both, the proxy needs split DNS for that name:

Either update the proxy's /etc/hosts file so that the internal FQDN is mapped to the correct internal IP, or
use an internal DNS server such as Pi-Hole, where you can assign an internal IP address to the FQDN.

I'm storing my TLS certificates in /etc/nginx/ssl-cert/.
I'm using a password file for the TeslaMate site because the application has no authentication by default. Note that the TeslaMate server block above listens on port 80 only, so the basic-auth credentials travel in clear text; if that site is reachable from the internet, put it behind a 443 ssl block like the others.

Other

I'm using iptables and ip6tables to block all access unless the connection originates from Australia, to keep unwanted traffic out. Implementing fail2ban would be the better approach.
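fail2ban ships a filter named nginx-http-auth that matches failed basic-auth attempts in nginx's error log, which fits the password-protected TeslaMate vhost above. The script below is an added example, not part of the original page: it writes a jail.d drop-in that enables that filter, then reloads fail2ban and shows the jail when run with --apply. The retry, findtime and bantime values are constructed choices, and the function takes an output directory so the drop-in can be reviewed before it lands in /etc/fail2ban/jail.d.

```shell
#!/bin/sh
# Added example (not from the original page): enable fail2ban's bundled
# nginx-http-auth jail for the basic-auth protected vhost.
# Assumptions: fail2ban is installed, nginx logs to /var/log/nginx/error.log,
# and the threshold values below are constructed starting points.

# Write the drop-in to $1 (default: fail2ban's jail.d directory).
write_nginx_auth_jail() {
    dir="${1:-/etc/fail2ban/jail.d}"
    cat > "$dir/nginx-auth.local" <<'EOF'
# Ban clients that repeatedly fail HTTP basic auth at the reverse proxy.
[nginx-http-auth]
enabled  = true
port     = http,https
logpath  = /var/log/nginx/error.log
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# With --apply: install the drop-in, reload fail2ban and show the jail's state.
if [ "${1:-}" = "--apply" ]; then
    write_nginx_auth_jail
    systemctl reload fail2ban
    fail2ban-client status nginx-http-auth
fi
```

This complements rather than replaces the country-based iptables rules: the firewall cuts the bulk of unwanted traffic, and the jail handles repeated failed logins from addresses that do get through.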