[TUTORIAL] How to setup an NGINX Reverse Proxy

xaitmi Member
edited March 2016 in Tutorials

This tutorial is written for CentOS 6; you can make it work on other versions of Linux.

For Debian/Ubuntu you would use apt-get instead of yum; the file paths may or may not be different.

I always recommend installing the minimal template if your provider has it; this ensures only the OS is installed.

If you need a reverse proxy, you probably want to protect your site from DDoS attacks, so get a VPS with a DDoS-protected IP.

Server Side:

Make sure your system is up to date:

yum update -y

Install EPEL:

yum install epel-release -y

Install NGINX:

yum install nginx nano -y

Now we configure our reverse proxy.

The domain we are setting up in the configuration below is whistle.com.
Make sure you replace whistle.com with YOUR DOMAIN.

This configuration assumes your site is using SSL. If it does not use SSL, edit it out and configure it to your own needs.

# Redirect all plain-HTTP requests to HTTPS.
server {
    listen      80;
    server_name whistle.com;
    return      301 https://$server_name$request_uri;
}

# Terminate SSL on the proxy and forward requests to the real web server.
server {
    listen      443 ssl;
    server_name whistle.com;

    ssl_certificate     /home/ssl/cert.crt;
    ssl_certificate_key /home/ssl/cert.key;

    access_log /home/logs/whistle.com.access.log;
    error_log  /home/logs/whistle.com.error.log;

    location / {
        # Replace WEBSERVERIP with the IP of the web server behind the proxy.
        proxy_pass https://WEBSERVERIP/;
        proxy_redirect off;

        # Pass the original host, scheme and client address to the web server.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Body size limits, timeouts (seconds) and buffer sizes.
        proxy_max_temp_file_size 0;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}

Finally, we need to configure iptables.

Here's a sample configuration you can use, but you can always customize it to your own needs.

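nano /root/ip.sh

# Contents of /root/ip.sh:
iptables -F
# Drop malformed TCP packets (no flags set, new connections without SYN, all flags set).
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Allow loopback and replies to connections the proxy itself opened.
# (An ACCEPT for everything on eth0 here would bypass the port rules and the DROP policy below.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP, HTTPS and SSH.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

# Save the file, then make it executable and run it:
chmod +x /root/ip.sh
sh /root/ip.sh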

And finally, restart the web-server.

service nginx restart

Cloudflare Side

Since you're using a reverse proxy, you probably want to hide your web server's IP.

Go to Cloudflare and make sure your @ record is pointed to your reverse proxy VPS's IP, and make sure the cloud is orange. The same goes for your WWW record.

If your site uses mail, use an SMTP provider that hides the source IP. I recommend MailJet.

That's all there is to it.

If you need any help, post below.
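
An added example, not part of the original post: a small POSIX shell check for an INPUT chain like the one the firewall script in this tutorial builds. It reads `iptables -S INPUT` style lines and reports rules that make a default-DROP policy ineffective; the function name `audit_input_chain` and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag INPUT-chain rules that defeat a default-DROP policy.
# Reads `iptables -S INPUT` style lines on stdin, prints one finding per line.
audit_input_chain() {
    policy="" established=no n=0
    while IFS= read -r rule; do
        case "$rule" in
            "-P INPUT "*) policy=${rule#"-P INPUT "}; continue ;;
            "-A INPUT "*) n=$((n + 1)); spec=${rule#"-A INPUT "} ;;
            *) continue ;;
        esac
        case "$spec" in
            "-i lo -j ACCEPT") ;;   # loopback accept is expected
            "-j ACCEPT")
                echo "rule $n: accepts ALL traffic on every interface" ;;
            "-i "*" -j ACCEPT")
                iface=${spec#"-i "}; iface=${iface%% *}
                # Report only when nothing but the interface is matched.
                if [ "$spec" = "-i $iface -j ACCEPT" ]; then
                    echo "rule $n: accepts ALL traffic on $iface, later port rules are moot"
                fi ;;
        esac
        case "$spec" in
            *"--state "*ESTABLISHED*" -j ACCEPT" | *"--ctstate "*ESTABLISHED*" -j ACCEPT")
                established=yes ;;
        esac
    done
    [ "$policy" = "DROP" ] || echo "policy: INPUT default is '${policy:-unset}', not DROP"
    [ "$established" = yes ] || echo "missing: no ESTABLISHED,RELATED accept rule"
}

# Constructed sample listing: a catch-all ACCEPT on eth0 sits ahead of the
# port rules (TCP flag masks written out the way iptables prints them).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | audit_input_chain
```

On a live proxy, feed it the real chain with `iptables -S INPUT | audit_input_chain`.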

Comments

  • When did Nginx get added to the default repos for CentOS 6?

  • tenpera Member
    edited March 2016

    @xaitmi wouldn't it be the same with Debian? Except the yum part, of course.

  • @Rallias said:
    When did Nginx get added to the default repos for CentOS 6?

    Whoops, added yum install epel-release -y
    Thanks

    @tenpera said:
    xaitmi wouldn't it be same with Debian? except yum part of course..

    Yes.

  • Use the repo from nginx.org instead of EPEL.

  • mustafaramadhan said: Use the repo from nginx.org instead of EPEL.

    why? any benefit?

  • because epel gives you a bunch of garbage.

  • @tenpera said:
    because epel gives you a bunch of garbage.

    I sort of like it though; I don't need to recompile every time I need to use some modules.

  • xaitmi , After setting up, will the https:// work with the free plan of cloudflare ?

  • Mridul said: xaitmi , After setting up, will the https:// work with the free plan of cloudflare ?

    Looks like yes.

  • @namhuy said:
    why? any benefit?

    For CentOS 6, latest version in Epel is nginx-1.0.15-12.el6.x86_64.rpm but latest version in nginx.repo is nginx-1.8.1-1.el6.ngx.x86_64.rpm

  • @namhuy said:

    Have you tested it?

  • @Mridul said:
    xaitmi , After setting up, will the https:// work with the free plan of cloudflare ?

    Yes it does.

  • Would it be possible to get a video tutorial? That would be super epic :D

  • I prefer to compile NGINX as it gives me the ability to fine tune it to my requirements - for example, LibreSSL.

  • Mridul Member
    edited March 2016

    @xaitmi said:
    Yes it does.

    Thanks buddy, I have a few queries/issues:

    1. I am able to reach the pages at https://www.domain.com, but when I try to access https://www.domain.com/folder/

    It gives an error: not found.
    It seems this is the same issue faced by a user: http://serverfault.com/questions/641446/nginx-reverse-proxy-folder

    Can you please advise the exact setup of the default.conf as per your tutorial?

    2. Also, do I need to create a new conf file for domain.com (I read it should be like conf.d/domain.com.conf), or will the settings in conf.d/default.conf do the job automatically?

    3. Lastly, if the "folder" (mydomain.com/folder) is WHMCS, will I need to add the proxy IP to security settings as described here: http://docs.whmcs.com/Trusted_Proxy_Settings#Configuring_Trusted_Proxies_in_WHMCS ?

    Is this needed?

  • @Mridul said:
    is this needed ?

    1. I never had that /folder issue, that is odd.

    2. Yes new conf for each domain

    3. No you do not need to add proxy ip to security.

  • @xaitmi said:
    2. No you do not need to add proxy ip to security.

    Can you please elaborate on point no. 2?

    When nginx is installed a conf file is already there in conf.d at conf.d/default.conf

    1. will this file remain unchanged

    2. what will be the new conf filename for domain.com ?

    I plan to keep a single domain.

  • xaitmi Member
    edited March 2016

    If your domain is www.whistle.com your conf would be

    your website files would be located in

    /home/nginx/domains/whistle.com/*

    config would be

    /usr/local/nginx/conf/conf.d/whistle.com.conf

    and the contents would be

    server {
        listen      80;
        server_name whistle.com;
        return      301 https://$server_name$request_uri;
    }
    server {
        listen      443 ssl;
        server_name whistle.com;

        ssl_certificate     /home/ssl/cert.crt;
        ssl_certificate_key /home/ssl/cert.key;

        access_log /home/logs/whistle.com.access.log;
        error_log  /home/logs/whistle.com.error.log;

        location / {
            proxy_pass https://WEBSERVERIP/;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-SSL on;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_max_temp_file_size 0;
            client_max_body_size 10m;
            client_body_buffer_size 128k;
            proxy_connect_timeout 90;
            proxy_send_timeout 90;
            proxy_read_timeout 90;
            proxy_buffer_size 4k;
            proxy_buffers 4 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;
        }
    }

  • @Mridul said:
    will this file remain unchanged

    You can delete it if you want

    what will be the new conf filename for domain.com ?

    anything.conf

  • 56gomez Member
    edited August 2018

    Thank you for the tutorial. How can I manage if I don't use SSL?

  • postcd Member
    edited August 2018

    @56gomez said:
    Thank you for the tutorial. How can I manage if I don't use SSL?

    Try to replace https with http in the tutorial (the largest block of yellow-backgrounded text) in the first post of this discussion thread. It belongs, I assume, in /usr/local/nginx/conf/conf.d/yourdomain.tld.conf

This discussion has been closed.