Reverse Proxy (Nginx)
A reverse proxy is a server that sits between clients (like web browsers) and your servers. When someone visits your website, for example, they connect to the reverse proxy and not directly to your server. The proxy then forwards the request to the appropriate server/service and returns the response to the client.
This is a high level guide on how to install Nginx on a server and configure Nginx (and adjacent services), so that traffic can be routed via the proxy instead of directly to the content-providing servers themselves.
Prerequisites
You will need a server running either locally or in the cloud that you can access locally or via SSH.
Assistance setting up a cloud instance can be found here.
Installing Nginx
RHEL 9+
To install the Nginx package:
sudo dnf install nginx
RHEL <9
You may need to include the EPEL (Extra Packages for Enterprise Linux) repo beforehand:
sudo dnf install epel-release
sudo dnf install nginx
Configuring The Firewall
Below are a couple basic commands to configure Firewalld to accommodate HTTP/HTTPS traffic, but much more information regarding Firewalld can be found here.
Adding Firewall Rules (Firewalld)
In order for the reverse proxy to accept incoming HTTP/HTTPS traffic, the firewall needs to be updated to allow those services:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
To view the rules that are in place and confirm that the changes are the correct changes:
sudo firewall-cmd --list-all
Once these rules are added and confirmed to be correct, the firewall can be reloaded via:
sudo firewall-cmd --reload
SELinux Configuration Changes
On RHEL systems, SELinux is in enforcing mode by default. As a result, the SELinux booleans and file contexts below may need to be adjusted for the Nginx reverse proxy to function.
To allow Nginx to make outbound network connections to backend services (the proxied upstream hosts, a database, and so on):
sudo setsebool -P httpd_can_network_connect on
To allow Nginx to serve content from non-standard directories, give them a persistent httpd_sys_content_t label and then apply it. A one-off chcon label would be reverted by restorecon, so the file-context rule is registered with semanage first (semanage is provided by the policycoreutils-python-utils package):
sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/non-standard/content(/.*)?"
sudo restorecon -R /path/to/non-standard/content
Reverse Proxy Configuration File
The configuration file can be given any name, but it is typically located here:
/etc/nginx/conf.d/reverse-proxy.conf
An example reverse-proxy.conf file for a very basic HTTP reverse proxy serving a static site (SiteA) on a second host (10.0.0.1) that is hosting a web server:
server {
    listen 80;
    server_name example.com;

    location /siteA {
        proxy_pass http://10.0.0.1/siteA;   # Forwards requests for siteA to the backend host
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
This example works as follows:
1. Susan's laptop requests example.com/siteA.
2. The reverse proxy receives this request on port 80 (HTTP) and passes it along to 10.0.0.1, also on port 80 (HTTP).
3. 10.0.0.1 then serves the contents of the /siteA directory to the proxy server.
4. The proxy server then delivers that content to Susan's laptop as example.com/siteA.
5. When all is completed, Susan has received the contents of /siteA without ever having directly accessed the server hosting those contents.
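The proxy_set_header lines above are what let the backend on 10.0.0.1 learn who the real client is. One caveat a backend author needs: $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client already sent, so the left-most entry is client-controlled and the trustworthy value is the right-most entry that was not inserted by a proxy you operate. The following is an added example, not code from the original guide, showing how a backend should derive the client address from that chain; it assumes (not stated on the page) that the reverse proxy reaches the backend from 10.0.0.254.

```python
"""Recover the real client address behind the Nginx reverse proxy.

Added example, not part of the original guide. The config above sets
X-Forwarded-For with $proxy_add_x_forwarded_for, which APPENDS the connecting
address to any X-Forwarded-For the client already supplied. The backend must
therefore walk the chain from the right, skipping hops it trusts, instead of
taking the left-most value, which an attacker can set to anything.

Assumption (not from the page): the proxy connects to the backend from
10.0.0.254, so that is the only trusted hop.
"""
import ipaddress
from typing import Optional

# Constructed: the reverse proxy's address as seen by the backend.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.254/32")]


def is_trusted(addr: str) -> bool:
    """True if addr belongs to a proxy we operate. Malformed entries are untrusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(xff_header: str) -> str:
    """The common mistake: take the first (left-most) X-Forwarded-For entry."""
    return xff_header.split(",")[0].strip()


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the client address: scanning X-Forwarded-For right to left, the first
    hop that is not one of our proxies. peer_addr is the TCP peer of the backend."""
    if not is_trusted(peer_addr):
        # The request did not come through our proxy (e.g. someone reached the
        # backend directly). Any X-Forwarded-For header is then meaningless.
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    # Header absent or made up only of our own proxies: fall back to the peer.
    return peer_addr


if __name__ == "__main__":
    # Constructed request: client 203.0.113.9 sends a spoofed header
    # "X-Forwarded-For: 1.2.3.4"; the proxy appends its $remote_addr.
    spoofed_chain = "1.2.3.4, 203.0.113.9"
    print("naive :", naive_client_ip(spoofed_chain))               # 1.2.3.4 (spoofed)
    print("robust:", client_ip("10.0.0.254", spoofed_chain))       # 203.0.113.9
    print("direct:", client_ip("198.51.100.7", "10.0.0.254"))      # 198.51.100.7
```

Because this proxy is a single hop, the backend could equally read X-Real-IP, which Nginx sets to $remote_addr and which the client cannot extend; the right-to-left walk matters once more than one proxy layer (a CDN, a load balancer) sits in front of the backend. In either case the backend should only honour these headers when the TCP peer is the proxy itself.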
Starting The Service
The proxy will not reroute traffic until the relevant services are up and running.
To enable the nginx service so that it starts automatically on every boot:
sudo systemctl enable nginx
And to start it manually to verify that it's working:
sudo systemctl start nginx
What About A Forward Proxy? (Squid)
Create a new shell script in /etc/profile.d/ that exports the proxy variables whenever a user logs in:
/etc/profile.d/http_proxy.sh
The script should contain the following; replace PROXY_IP:PORT with your proxy's actual IP address and port, e.g. 1.1.1.1:9000:
# System-wide HTTP/HTTPS Proxy Settings
export http_proxy="http://PROXY_IP:PORT"
export https_proxy="http://PROXY_IP:PORT"
export HTTP_PROXY="http://PROXY_IP:PORT"
export HTTPS_PROXY="http://PROXY_IP:PORT"
You may want to exclude local network traffic from being routed via the proxy. Include the lines below to do so (you will need to specify your own local network/subnet):
export no_proxy="localhost,127.0.0.1,LOCALNETWORK_IP/SUBNET"
export NO_PROXY="localhost,127.0.0.1,LOCALNETWORK_IP/SUBNET"
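How the no_proxy list is interpreted is up to each client program, and not every client understands a CIDR range such as LOCALNETWORK_IP/SUBNET: Python's urllib, for instance, compares each entry as an exact host or a domain suffix, so a CIDR entry is treated as a literal string that never matches an address inside that range. The block below is an added example, not part of the original guide; it feeds constructed no_proxy values (local subnet 10.0.0.0/24, an internal domain suffix .corp.example) through urllib's own bypass check so you can see which hosts really skip the proxy.

```python
"""Check which hosts a client actually exempts from the proxy.

Added example, not from the original guide. Python's urllib matches no_proxy
entries as exact hosts or domain suffixes only, so a CIDR entry like
10.0.0.0/24 is compared as a literal string and never matches 10.0.0.1.
Other tools differ (some newer clients accept CIDR), so test each client
you rely on rather than assuming.

Sample values are constructed: local subnet 10.0.0.0/24, domain .corp.example.
"""
from urllib.request import proxy_bypass_environment

# As written in the profile.d script above, with a CIDR range for the subnet.
NO_PROXY_CIDR = "localhost,127.0.0.1,10.0.0.0/24"
# Explicit hosts plus a leading-dot domain suffix, which urllib does honour.
NO_PROXY_EXPLICIT = "localhost,127.0.0.1,10.0.0.1,.corp.example"


def bypasses_proxy(host: str, no_proxy: str) -> bool:
    """True if urllib would skip the proxy for host under this no_proxy value.
    getproxies_environment() maps the no_proxy variable to the key "no"; we
    build that dict directly so the check does not depend on the shell env."""
    return proxy_bypass_environment(host, {"no": no_proxy})


def check(no_proxy: str, hosts) -> dict:
    """Map each host to whether it bypasses the proxy under no_proxy."""
    return {h: bypasses_proxy(h, no_proxy) for h in hosts}


if __name__ == "__main__":
    hosts = ["localhost", "10.0.0.1", "10.0.0.1:80", "db.corp.example", "example.com"]
    for label, value in (("CIDR entry", NO_PROXY_CIDR), ("explicit hosts", NO_PROXY_EXPLICIT)):
        print(f"{label}: {check(value, hosts)}")
```

Under the CIDR value, 10.0.0.1 is still sent through the proxy; under the explicit value it is exempted, and so is any host ending in .corp.example. If a client on the subnet must reach local services directly, list the hosts (or a DNS suffix) explicitly unless you have confirmed the client supports CIDR notation.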
You have two options to apply this immediately:
Option A: Re-login. Simply log out and log back in (or reboot the server).
Option B: Source the file manually (immediate). Run this command to load the variables into your current session:
source /etc/profile.d/http_proxy.sh
Then to verify that it's working:
echo $http_proxy
And you should get an output like this:
http://PROXY_IP:PORT (with your real values, e.g. http://1.1.1.1:9000)
Now dnf has to be configured to route via the proxy as well. In order to do so, create the config file (if it doesn't already exist):
/etc/dnf/dnf.conf
Add the following lines under the [main] section (creating the section if it doesn't already exist), again with the actual IP and port of your proxy:
[main]
proxy=http://PROXY_IP:PORT
# Only set these if the proxy requires authentication; otherwise leave them out,
# since dnf would send the literal values as credentials.
#proxy_username=USERNAME
#proxy_password=PASSWORD
Now to confirm that it's working:
sudo dnf check-update
If the command executes normally, it's likely working. If it times out or hangs for a long time, additional troubleshooting of the Squid forward proxy, firewalls, and network configs may be required.
Helpful tip: If hosting these services in the cloud, be sure to triple check any provided firewall settings of the cloud hosting service to make sure that even if the firewalls of the hosts are accurate, there's not a firewall interfering between them. Ask me how I know...
Next Steps
Once the reverse proxy is up and running and redirecting HTTP traffic successfully, you may want to encrypt that traffic by changing the protocol to HTTPS using SSL/TLS and certificates from Let's Encrypt.
Instructions to do so can be found here with special instructions for doing so on a reverse proxy here.