Difference between revisions of "Reverse Proxy (Nginx)"

From Nick's Personal Wiki
Line 1: Line 1:
Placeholder Text
+
A reverse proxy is a server that sits between clients (like web browsers) and your servers. When someone visits your website, for example, they connect to the reverse proxy and not directly to your server. The proxy then forwards the request to the appropriate server/service and returns the response to the client.
 +
 
 +
This is a high level guide on how to install Nginx on a server and configure Nginx (and adjacent services), so that traffic can be routed via the proxy instead of directly to the content-providing servers themselves.
 +
 
  
 
== Prerequisites ==
 
== Prerequisites ==
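
Review bot: "high level guide" in the second added paragraph should be hyphenated ("high-level guide"), and "install Nginx on a server and configure Nginx" reads better as "install and configure Nginx on a server". Since that paragraph promises routing "instead of directly to the content-providing servers", it would also help to say here that the backends should only be reachable through the proxy.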

Revision as of 09:51, 25 March 2026

A reverse proxy is a server that sits between clients (like web browsers) and your servers. When someone visits your website, for example, they connect to the reverse proxy and not directly to your server. The proxy then forwards the request to the appropriate server/service and returns the response to the client.

This is a high-level guide on how to install Nginx on a server and configure Nginx (and adjacent services), so that traffic can be routed via the proxy instead of directly to the content-providing servers themselves.


Prerequisites

You will need a server running either locally or in the cloud that you can access locally or via SSH.

Assistance setting up a cloud instance can be found here.


Installing Nginx

RHEL 9+

To install the Nginx package:

sudo dnf install nginx

RHEL <9

You may need to include the EPEL (Extra Packages for Enterprise Linux) repo beforehand:

sudo dnf install epel-release
sudo dnf install nginx


Configuring The Firewall

Below are a couple of basic commands to configure Firewalld to accommodate HTTP/HTTPS traffic, but much more information regarding Firewalld can be found here.

Adding Firewall Rules (Firewalld)

In order for the reverse proxy to accept incoming/outgoing HTTP/HTTPS traffic, the firewall will need to be updated to whitelist those protocols.

sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https


To view the permanent rules and confirm that the changes are correct (rules added with --permanent do not appear in the runtime configuration until the firewall is reloaded):

sudo firewall-cmd --permanent --list-all

Once these rules are added and confirmed to be correct, the firewall can be reloaded via:

sudo firewall-cmd --reload


SELinux Configuration Changes

On RHEL systems, SELinux is enforcing by default. As a result, some SELinux settings may need to be adjusted to allow the Nginx reverse proxy service to function.

To allow Nginx to connect to backend services like a database:

sudo setsebool -P httpd_can_network_connect on

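To allow Nginx to serve content from non-standard directories, add a persistent file-context rule and then apply it (a label set only with chcon is reset to the policy default by restorecon):

sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/non-standard/content(/.*)?"
sudo restorecon -R /path/to/non-standard/content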


Reverse Proxy Configuration File

This configuration file, which can be named something different, is typically located here:

/etc/nginx/conf.d/reverse-proxy.conf

An example reverse-proxy.conf file for a very basic HTTP reverse proxy serving a static site (SiteA) on a second host (10.0.0.1) that is hosting a web server:

server {
    listen 80;
    server_name example.com;

    location /siteA {
        proxy_pass http://10.0.0.1/siteA;  # Forwards requests for siteA
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

This example works as follows:

Susan's laptop requests example.com/siteA.

The reverse proxy receives this request on port 80 (HTTP), and passes it along to 10.0.0.1 also on port 80 (HTTP).

10.0.0.1 then serves the contents of the /siteA directory to the proxy server.

The proxy server then delivers that content to Susan's laptop as example.com/siteA.

When all is completed, Susan has been delivered the contents of /siteA without ever having directly accessed the server hosting those contents.
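
Because the configuration above sets X-Forwarded-For with $proxy_add_x_forwarded_for, Nginx appends Susan's address to whatever X-Forwarded-For value her request already carried, so the backend must not trust the left-most entry. The following is an added example, not part of the original wiki page, of how an application on the backend could recover the real client address; the proxy address 10.0.0.2 and the function names are assumptions made for illustration.

```python
import ipaddress
from typing import Optional

# Assumption: the reverse proxy connects to the backend from 10.0.0.2.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.2/32")]


def is_trusted(addr: str) -> bool:
    """True if addr is an IP address inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address the backend should log or rate-limit on.

    peer_addr is the TCP peer of the connection to the backend;
    x_forwarded_for is the raw header value, which Nginx builds by
    appending $remote_addr to whatever the client sent.
    """
    # A request that did not arrive via the proxy gets no header trust.
    if not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    # Walk right to left: entries on the right were appended by our own
    # proxy; the first untrusted one is the address the proxy really saw.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the header
        if not is_trusted(hop):
            return hop
    return peer_addr


if __name__ == "__main__":
    # Constructed sample: the client sent "X-Forwarded-For: 127.0.0.1"
    # and Nginx appended the address it actually saw (203.0.113.7).
    print(client_ip("10.0.0.2", "127.0.0.1, 203.0.113.7"))
```
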


Starting The Service

The proxy will not reroute traffic until the relevant services are up and running.

To enable the nginx service so that it starts automatically on every boot:

sudo systemctl enable nginx

And to start it manually to verify that it's working:

sudo systemctl start nginx


Next Steps

Once the reverse proxy is up and running and redirecting HTTP traffic successfully, you may want to encrypt that traffic by changing the protocol to HTTPS using SSL/TLS and certificates from Let's Encrypt.

Instructions to do so can be found here with special instructions for doing so on a reverse proxy here.


Additional Resources

Nginx Documentation Site