How to Configure a Nginx HTTPs Reverse Proxy on Ubuntu

Thank to: https://www.scaleway.com/

Nginx HTTPS Reverse Proxy Overview

Nginx HTTPS reverse proxy is an intermediary proxy service which takes a client request, passes it on to one or more servers, and subsequently delivers the server’s response back to the client. While most common applications are able to run as web server on their own, the Nginx web server is able to provide a number of advanced features such as load balancing, TLS/SSL capabilities and acceleration that most specialized applications lack. By using a Nginx reverse proxy all applications can benefit from these features.

Benefits of Using a Nginx Reverse Proxy on an Instance

There are a important benefits of setting up a Nginx HTTPS reverse proxy:

  • Load Balancing: A Nginx reverse proxy can perform load balancing which helps distribute client requests evenly across backend servers. It also improves redundancy as if one server goes down, the reverse proxy will simply reroute requests to a different server according to the routing policy.
  • Increased Security: A Nginx reverse proxy also acts as a line of defense for your backend servers. Configuring a reverse proxy ensures that the identity of your backend servers remains unknown.
  • Better Performance: Nginx has been known to perform better in delivering static content file and analyse URLs
  • Easy Logging and Auditing: Since there is only one single point of access when a Nginx reverse proxy is implemented, this makes logging and auditing much simpler.
  • Encrypted Connection By encrypting the connection between the client and the Nginx reverse Proxy with TLS, users profit from a encrypted and securized HTTPS connection, protecting their data.

Requirements:

  • You have an account and are logged into console.scaleway.com
  • You have configured your SSH Key
  • You have sudo privileges or access to the root user.
  • You have an web application running on a non-standard web port on the instance
  • You have a compute instance running Ubuntu Bionic Beaver
  • Make sure your domain name points towards your server ip (A or AAAA record)

Installing and Configuring Nginx

Note: This tutorial requires that you have already a web application running on your instance. You can for example install a lightweight web server like Webfsd, which runs on port 8000 by default to be joignable on the standard HTTP(s) ports via the proxy. If required it can be installed with apt install webfs

In the following example, we will configure an Nginx reverse proxy in front of an Apache web server. As a result, we assume that Apache is already installed and configured (on the same machine).

1 . Update the APT packet cache and install the Nginx web server via the packet manager:

apt update
apt install nginx

2 . Disable the default virtual host, that is pre-configured when Nginx is istalled via Ubuntu’s packet manager apt:

unlink /etc/nginx/sites-enabled/default

3 . Enter the directory /etc/nginx/sites-available and create a reverse proxy configuration file.

cd /etc/nginx/sites-available
nano reverse-proxy.conf

4 . Paste the following Nginx configuration in the text editor. The proxy server redirects all incomming connections on port 80 to the Webfsd server, listening on port 8000. Edit the port value depending on the applications specific port.

server {
        listen 80;
        listen [::]:80;

        access_log /var/log/nginx/reverse-access.log;
        error_log /var/log/nginx/reverse-error.log;

        location / {
                    proxy_pass http://127.0.0.1:8000;
  }
}

Note: Accesses and errors are located in a log files at /var/log/nginx.

5 . Copy the configuration from /etc/nginx/sites-available to /etc/nginx/sites-enabled. It is recommended to use a symbolic link.

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

6 . Test the Nginx configuration file

nginx -t

which returns

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful 

7 . Open a web browser on your local computer and paste your public_ip which will display your web applications homepage. 

Adding TLS to your Nginx Reverse Proxy using Let's Encrypt

Important: Make sure your domain name points towards your server ip (A or AAAA record).

With the current setup, all incoming traffic on the standard, non-securized, HTTP port is anserwered by Nginx, which passes it to the web application on the instance.

For security reasons, it is recommended to add an encryption layer with TLS/SSL and to use HTTPS. Whilst it is technically possible to use self-signed certficates, it may cause very inconveniences as a warning is displayed by default in an users web browser when a self-signed certificate is used. A certificate authentity (CA) can issue trusted certificates which a recognized by most modern web browsers. The CA Let’s Encrypt provides TLS certificate for free and the configuration of Nginx can be done easily with Certbot, a tool provided by the EFF.

1 . Install Certbot on your instance by using the APT packet manager:

apt-get update
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-nginx

2 . Certbot provides a plugin designed for the Nginx web server, automatizing most of the configuration work related with requesting, installing and managing the TLS certificate:

certbot --nginx

3 . Answer the prompts that display on the screen to request a valid Let’s Encrypt TLS certificate:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: your.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for your.domain.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/reverse-proxy.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/reverse-proxy.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://your.domain.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=your.domain.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

When asked if you want to redirect HTTP traffic automatically to HTTPS, choose the option 2. This enables the automatic redirection of all incoming requests via an unencrypted HTTP connection to a secure HTTPS connection. Providing an additional layer of security for the Web application running behind the Nginx reverse proxy.

Comentarios

Publicar un comentario

Dime si la información de este blog te sirvio.

Entradas populares de este blog

Guía de herramientas básicas para estudiantes: 31 apps y webs imprescindibles para ayudarte con los estudios

Imagen
  Te traemos una guía con   31 aplicaciones y herramientas web para ayudarte como estudiante , una colección muy variada para sacar provecho en diferentes ámbitos en los que puedas necesitarlo. Nos hemos dejado fuera el ámbito educativo para los más jóvenes, recursos que tenemos en   esta otra guía , y nos hemos centrado en estudiantes más adultos. Hemos decidido centrarnos en herramientas prácticas, dejando fuera las plataformas para cursos online, tanto  las más conocidas  como  otras menos conocidas . Lo que hemos preferido buscar son recursos que puedas usar en tu día a día, como gestores de fuentes y citaciones, herramientas para diagramas, para intercambiar apuntes o para crear diferentes contenidos. Y lo que decimos siempre en Xataka Basics hoy cobra más sentido que nunca. Nosotros te traemos 31 herramientas, pero te invitamos a  compartir tus propuestas en la sección de comentarios  para que el resto de usuarios también pueda beneficiarse de los conocimientos de nuestros xatake
Leer más

Comando FOR para archivos BAT

Gracias a: http://profesoremiliobarco.blogspot.com/ El comando FOR sirve para ejecutar bucles de instrucciones, y es una instrucción que se encuentra disponible en todos los lenguajes de programación. Un bucle son varias repeticiones de algunas instrucciones. Este comando suele ser el más complicado de entender para las personas que empiezan a escribir archivos BAT complejos. Aqui intentaré explicar todas las opciones y usos del comando FOR, así como intentar resolver las dudas que los usuarios de Internet me puedan plantear. La sintaxis normal del comando FOR es: FOR %var IN (lista) DO (      comando     comando      ... )  Pero si lo vamos a usar dentro de un archivo BAT será así: FOR %%var IN (lista) DO (      comando     comando      ... ) Observa que la variable "var" ahora va precedida por dos simbolos de "%". Además, si este for está dentro de un archivo BAT, el nombre de la variable debe ser UNA SOLA LETRA (p.ej: %%n, %%i,  %%j , etc
Leer más

Policy Based Routing example: route one subnet via ISP A and another via ISP B

Imagen
thanks to: http://glennmatthys.wordpress.com/ Goal Setup a network with a Cisco router that routes one local subnet via internet connection A and another local subnet via internet connection B. In this example we’ll use one LAN side, which has two subnets: 192.168.1.0/24 192.168.2.0/24 We want traffic destined for the internet, originating from the 192.168.1.0/24 network, to be sent to ISP A, which is connected to FastEthernet0 We want traffic destined for the internet, originating from the 192.168.2.0/24 network, to be sent to ISP B, which is connected to FastEthernet1 Both internet connections get their IP address via DHCP. Prerequisites For this  configuration you’ll need: One dual WAN router, such as a 1811 Two internet connections (or simulated ones) 2 nodes, one for the 192.168.1.0/24 subnet and one for the 192.168.2.0/24 subnet. These can be two different computers, or two virtual machines, etc… ClientA, Windows 7, will connect to 192.168.1.0/24 and sur
Leer más