Difference between revisions of "Reverse Proxy (Nginx)"

From Nick's Personal Wiki
(Creating page)
 
Line 1: Line 1:
 
Placeholder Text
 
Placeholder Text
 +
 +
== Prerequisites ==
 +
 +
You will need a server running either locally or in the cloud that you can access locally or via SSH.
 +
 +
Assistance setting up a cloud instance can be [https://nlear.xyz/wiki/index.php/Creating_And_Configuring_A_Remote_Server here.]
 +
 +
 +
== Installing Nginx ==
 +
 +
=== RHEL 9+ ===
 +
 +
To install the Nginx package:
 +
<nowiki>sudo dnf install nginx</nowiki>
 +
 +
=== RHEL <9 ===
 +
 +
You may need to include the EPEL (Extra Packages for Enterprise Linux) repo beforehand:
 +
<nowiki>sudo dnf install epel-release
 +
sudo dnf install nginx</nowiki>
 +
 +
 +
== Configuring The Firewall ==
 +
 +
Below are a couple basic commands to configure Firewalld to accommodate HTTP/HTTPS traffic, but much more information regarding Firewalld can be found [https://nlear.xyz/wiki/index.php/Firewalld here.]
 +
 +
=== Adding Firewall Rules (Firewalld) ===
 +
In order for the reverse proxy to accept incoming/outgoing HTTP/HTTPS traffic, the firewall will need to be updated to whitelist those protocols.
 +
<nowiki>sudo firewall-cmd --permanent --add-service=http
 +
sudo firewall-cmd --permanent --add-service=https</nowiki>
 +
 +
 +
To view the rules that are in place and confirm that the changes are the correct changes:
 +
<nowiki>sudo firewall-cmd --list-all</nowiki>
 +
 +
Once these rules are added and confirmed to be correct, the firewall can be reloaded via:
 +
<nowiki>sudo firewall-cmd --reload</nowiki>
 +
 +
 +
== SELinux Configuration Changes ==
 +
 +
On RHEL systems, SELinux is enforced by default. As a result, these SELinux policies '''may''' need to be adjusted to allow the Nginx reverse proxy service to function.
 +
 +
To allow Nginx to connect to backend services like a database:
 +
<nowiki>sudo setsebool -P httpd_can_network_connect on</nowiki>
 +
 +
To allow Nginx to serve content from non-standard directories:
 +
<nowiki>sudo chcon -R -t httpd_sys_content_t /path/to/non-standard/content
 +
sudo restorecon -R /path/to/non-standard/content</nowiki>
 +
 +
 +
== Reverse Proxy Configuration File ==
 +
 +
 +
Typically this configuration file, which may be (and can be) named something different, is located here:
 +
<nowiki>/etc/nginx/conf.d/reverse-proxy.conf</nowiki>
 +
 +
An example reverse-proxy.conf file for a very basic HTTP reverse proxy serving a static site (SiteA) on a second host (10.0.0.1) that is hosting a web server:
 +
<nowiki>server {
 +
    listen 80;
 +
    server_name example.com;
 +
 +
    location /siteA {
 +
        proxy_pass http://10.0.0.1/siteA #Forwards requests for siteA
 +
        proxy_set_header Host $host;
 +
        proxy_set_header X-Real-IP $remote_addr;
 +
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +
        proxy_set_header X-Forwarded-Proto $scheme;
 +
    }
 +
}</nowiki>
 +
 +
This example works like this...
 +
 +
Susan's laptop requests example.com/siteA.
 +
 +
The reverse proxy receives this request on port 80 (HTTP), and passes it along to 10.0.0.1 also on port 80 (HTTP).
 +
 +
10.0.0.1 then serves the contents of the /siteA directory to the proxy server.
 +
 +
The proxy server then delivers that content to Susan's laptop as example.com/siteA.
 +
 +
When all is completed, Susan was delivered the contents of /siteA without ever having directly accessed the server hosting those contents.
 +
 +
 +
== Starting The Service ==
 +
 +
The proxy will not reroute traffic until the relevant services are up and running.
 +
 +
To enable the nginx service so that it starts automatically on every boot:
 +
<nowiki>sudo systemctl enable nginx</nowiki>
 +
 +
And to start it manually to verify that it's working:
 +
<nowiki>sudo systemctl start nginx</nowiki>
 +
 +
 +
== Next Steps ==
 +
 +
Once the reverse proxy is up and running and redirecting HTTP traffic successfully, you may want to encrypt that traffic by changing the protocol to HTTPS using SSL/TLS and certificates from Let's Encrypt.
 +
 +
Instructions to do so can be found [https://nlear.xyz/wiki/index.php/Certbot here] with special instructions for doing so on a reverse proxy [https://nlear.xyz/wiki/index.php/Certbot#Reverse-Proxy_Setup here.]
 +
 +
 +
== Additional Resources ==
 +
[https://docs.nginx.com/nginx/admin-guide/web-server/web-server/ Nginx Documentation Site]
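Review bot: the proxy_pass line in the example server block has no terminating semicolon before its # comment, so Nginx reads the proxy_set_header Host line that follows as extra arguments to proxy_pass and the configuration test fails; end the directive with "proxy_pass http://10.0.0.1/siteA;" and put the comment after the semicolon. In the SELinux section, restorecon -R resets the path to the policy's default label, which undoes the chcon on the line before it unless a matching file-context rule has been registered, so either drop the restorecon or record the label with semanage fcontext first. In the firewall section, the rules added with --permanent will not show up in "firewall-cmd --list-all" until after the reload; list with --permanent or move the check after the reload step.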

Revision as of 09:40, 25 March 2026


Prerequisites

You will need a server running either locally or in the cloud that you can access locally or via SSH.

Assistance setting up a cloud instance can be found here: https://nlear.xyz/wiki/index.php/Creating_And_Configuring_A_Remote_Server


Installing Nginx

RHEL 9+

To install the Nginx package:

sudo dnf install nginx

RHEL <9

You may need to include the EPEL (Extra Packages for Enterprise Linux) repo beforehand:

sudo dnf install epel-release
sudo dnf install nginx


Configuring The Firewall

Below are a couple of basic commands to configure Firewalld to accommodate HTTP/HTTPS traffic. Much more information regarding Firewalld can be found here: https://nlear.xyz/wiki/index.php/Firewalld

Adding Firewall Rules (Firewalld)

For the reverse proxy to accept incoming/outgoing HTTP/HTTPS traffic, the firewall will need to be updated to allow those services.

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https


To view the permanent rules and confirm that the changes are correct (rules added with --permanent do not appear in the runtime listing until the firewall is reloaded):

sudo firewall-cmd --permanent --list-all

Once these rules are added and confirmed to be correct, the firewall can be reloaded via:

sudo firewall-cmd --reload


SELinux Configuration Changes

On RHEL systems, SELinux runs in enforcing mode by default. As a result, these SELinux policies may need to be adjusted to allow the Nginx reverse proxy service to function.

To allow Nginx to connect to backend services, such as the proxied web server or a database:

sudo setsebool -P httpd_can_network_connect on

To allow Nginx to serve content from non-standard directories, register the label with semanage fcontext so that restorecon applies it (a label set only with chcon is reset by restorecon):

sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/non-standard/content(/.*)?"
sudo restorecon -R /path/to/non-standard/content


Reverse Proxy Configuration File

Typically this configuration file, which can be named something different, is located here:

/etc/nginx/conf.d/reverse-proxy.conf

An example reverse-proxy.conf file for a very basic HTTP reverse proxy serving a static site (SiteA) on a second host (10.0.0.1) that is hosting a web server:

server {
    listen 80;
    server_name example.com;

    location /siteA {
        proxy_pass http://10.0.0.1/siteA; # Forwards requests for siteA
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This example works as follows:

Susan's laptop requests example.com/siteA.

The reverse proxy receives this request on port 80 (HTTP), and passes it along to 10.0.0.1 also on port 80 (HTTP).

10.0.0.1 then serves the contents of the /siteA directory to the proxy server.

The proxy server then delivers that content to Susan's laptop as example.com/siteA.

When all is completed, Susan has been delivered the contents of /siteA without ever having directly accessed the server hosting those contents.
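
The example config forwards the client address in X-Real-IP and X-Forwarded-For, and $proxy_add_x_forwarded_for keeps any X-Forwarded-For value the client itself sent. The following is an added example, not part of the original page: it models those two headers in Python and shows how the backend on 10.0.0.1 can choose the client address without trusting a forged value. The proxy address 10.0.0.2 and the client addresses are constructed for illustration.

```python
import ipaddress

# Constructed addresses (assumptions): the page names only the backend, 10.0.0.1.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]  # the Nginx reverse proxy


def nginx_forwarded_headers(remote_addr, incoming_xff=None):
    """Model of what the proxy_set_header lines in the config send upstream."""
    # $proxy_add_x_forwarded_for is the client-supplied X-Forwarded-For (if any)
    # with $remote_addr appended, or just $remote_addr when the header is absent.
    xff = f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr
    return {"X-Real-IP": remote_addr, "X-Forwarded-For": xff}


def _is_trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Address the backend should log or rate-limit on."""
    # Headers from a peer that is not our proxy are fully client-controlled.
    if not _is_trusted(peer_addr):
        return peer_addr
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: trusted proxies append on the right, so the first
    # untrusted entry from that side is the address the proxy actually saw.
    for hop in reversed(hops):
        try:
            if not _is_trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop trusting the rest of the chain
    return peer_addr


# Constructed request: the client at 203.0.113.7 sends a forged X-Forwarded-For.
forged = nginx_forwarded_headers("203.0.113.7", incoming_xff="198.51.100.99")
naive = forged["X-Forwarded-For"].split(",")[0].strip()  # leftmost entry: forged
safe = client_ip("10.0.0.2", forged)                     # address Nginx saw
```

Taking the leftmost X-Forwarded-For entry returns the forged address; walking from the right returns the address Nginx recorded in $remote_addr, which is also what X-Real-IP carries in this single-proxy setup.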


Starting The Service

The proxy will not reroute traffic until the relevant services are up and running.

To enable the nginx service so that it starts automatically on every boot:

sudo systemctl enable nginx

And to start it manually to verify that it's working:

sudo systemctl start nginx


Next Steps

Once the reverse proxy is up and running and redirecting HTTP traffic successfully, you may want to encrypt that traffic by changing the protocol to HTTPS using SSL/TLS and certificates from Let's Encrypt.

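Instructions to do so can be found here: https://nlear.xyz/wiki/index.php/Certbot
Special instructions for doing so on a reverse proxy are here: https://nlear.xyz/wiki/index.php/Certbot#Reverse-Proxy_Setup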


Additional Resources

Nginx Documentation Site: https://docs.nginx.com/nginx/admin-guide/web-server/web-server/