Reverse Proxy (Nginx)
Prerequisites
You will need a server running either locally or in the cloud that you can access locally or via SSH.
Assistance setting up a cloud instance can be found here.
Installing Nginx
RHEL 9+
To install the Nginx package:
sudo dnf install nginx
RHEL <9
You may need to include the EPEL (Extra Packages for Enterprise Linux) repo beforehand:
sudo dnf install epel-release
sudo dnf install nginx
Configuring The Firewall
Below are a couple of basic commands to configure Firewalld to allow HTTP/HTTPS traffic; much more information regarding Firewalld can be found here.
Adding Firewall Rules (Firewalld)
For the reverse proxy to accept HTTP/HTTPS traffic, the firewall must be updated to allow those services.
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
To view the rules and confirm that the changes are correct, list the permanent configuration (rules added with --permanent do not appear in the runtime configuration until the firewall is reloaded):
sudo firewall-cmd --permanent --list-all
Once these rules are added and confirmed to be correct, the firewall can be reloaded via:
sudo firewall-cmd --reload
SELinux Configuration Changes
On RHEL systems, SELinux runs in enforcing mode by default. As a result, SELinux policy may need to be adjusted to allow the Nginx reverse proxy service to function.
To allow Nginx to connect to backend services like a database:
sudo setsebool -P httpd_can_network_connect on
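To allow Nginx to serve content from non-standard directories, record the label in the SELinux policy and then apply it (a label set with chcon alone is reverted by restorecon):
sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/non-standard/content(/.*)?"
sudo restorecon -R /path/to/non-standard/content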
Reverse Proxy Configuration File
This configuration file, which can be named something different, is typically located here:
/etc/nginx/conf.d/reverse-proxy.conf
An example reverse-proxy.conf file for a very basic HTTP reverse proxy serving a static site (SiteA) on a second host (10.0.0.1) that is hosting a web server:
server {
    listen 80;
    server_name example.com;

    location /siteA {
        # Forward requests for siteA to the backend web server
        proxy_pass http://10.0.0.1/siteA;
        # Pass the original host, client address and scheme to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
This example works as follows:
Susan's laptop requests example.com/siteA.
The reverse proxy receives this request on port 80 (HTTP), and passes it along to 10.0.0.1 also on port 80 (HTTP).
10.0.0.1 then serves the contents of the /siteA directory to the proxy server.
The proxy server then delivers that content to Susan's laptop as example.com/siteA.
When all is completed, Susan has been delivered the contents of /siteA without ever directly accessing the server hosting those contents.
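What the backend at 10.0.0.1 receives from the four proxy_set_header lines, and how it can recover the client address from them, modelled in Python as an added example (not part of the original page). The proxy address 10.0.0.254, the client addresses and the client_ip helper are assumptions made for illustration.

```python
import ipaddress

def proxy_add_x_forwarded_for(remote_addr, incoming_xff=None):
    """Model of nginx's $proxy_add_x_forwarded_for: the X-Forwarded-For value
    the client sent (if any) with $remote_addr appended after a comma."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr

def headers_sent_to_backend(remote_addr, host, scheme, incoming_xff=None):
    """Headers produced by the four proxy_set_header lines in the example."""
    return {
        "Host": host,
        "X-Real-IP": remote_addr,
        "X-Forwarded-For": proxy_add_x_forwarded_for(remote_addr, incoming_xff),
        "X-Forwarded-Proto": scheme,
    }

def client_ip(peer_addr, headers, trusted_proxies):
    """Backend side (hypothetical helper): honour X-Forwarded-For only when the
    TCP peer is a trusted proxy, then return the right-most entry that is not
    itself a trusted proxy. Entries further left are client-supplied."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in nets)

    if not trusted(peer_addr):
        return peer_addr  # request bypassed the proxy: ignore the header
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        try:
            if not trusted(hop):
                return hop
        except ValueError:
            break  # malformed entry: stop walking the chain
    return peer_addr

if __name__ == "__main__":
    PROXY = "10.0.0.254"    # assumed proxy address (not given on the page)
    SUSAN = "203.0.113.7"   # constructed client address
    # Constructed request: the client already sent its own X-Forwarded-For.
    sent = headers_sent_to_backend(SUSAN, "example.com", "http", "198.51.100.99")
    print(sent["X-Forwarded-For"])
    print(client_ip(PROXY, sent, [PROXY + "/32"]))
```

X-Real-IP and the right-most X-Forwarded-For entry are written by the proxy; anything to the left of that entry came from the client and should not be used for access decisions or logging on its own.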
Starting The Service
The proxy will not reroute traffic until the relevant services are up and running.
To enable the nginx service so that it starts automatically on every boot:
sudo systemctl enable nginx
And to start it manually to verify that it's working:
sudo systemctl start nginx
Next Steps
Once the reverse proxy is up and running and redirecting HTTP traffic successfully, you may want to encrypt that traffic by changing the protocol to HTTPS using SSL/TLS and certificates from Let's Encrypt.
Instructions to do so can be found here, with special instructions for doing so on a reverse proxy here.