[TUTORIAL] How to set up an NGINX Reverse Proxy
This tutorial is written for CentOS 6; you can make it work on other versions of Linux.
For Debian/Ubuntu you would use apt-get instead of yum, and the file paths may differ.
I always recommend installing the minimal template if your provider has one; this ensures only the base OS is installed.
If you need a reverse proxy, you probably want to protect your site from DDoS attacks, so get a VPS with a DDoS-protected IP.
Server Side:
Make sure your system is up to date
yum update -y
Install EPEL:
yum install epel-release -y
Install NGINX
yum install nginx nano -y
Now we configure our reverse proxy.
The domain we are setting up in the configuration below is whistle.com.
Make sure you replace whistle.com with YOUR DOMAIN.
This configuration assumes your site uses SSL. If it does not, remove the SSL parts and adjust it to your own needs.

server {
    listen 80;
    server_name whistle.com;
    # Send plain-HTTP visitors to the HTTPS server block below
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name whistle.com;
    ssl_certificate /home/ssl/cert.crt;
    ssl_certificate_key /home/ssl/cert.key;
    access_log /home/logs/whistle.com.access.log;
    error_log /home/logs/whistle.com.error.log;

    location / {
        # Replace WEBSERVERIP with the address of the origin web server
        proxy_pass https://WEBSERVERIP/;
        proxy_redirect off;
        # Pass the original Host header and the connecting address on to the origin
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-SSL on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Upload limit and buffering/timeout tuning
        proxy_max_temp_file_size 0;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
Finally, we need to configure iptables.
Here's a sample configuration you can use, but you can always customize it to your own needs.
nano /root/ip.sh
# Start from an empty rule set
iptables -F
# Drop malformed TCP packets: no flags set, all flags set, or a NEW connection that is not a SYN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Accept loopback traffic. The line here originally read "-i eth0 -j ACCEPT", which
# accepts everything arriving on the public interface before the port rules below are
# consulted, so those rules and the DROP policy never took effect.
iptables -A INPUT -i lo -j ACCEPT
# Accept replies to connections this host opened itself (to the origin web server, yum, DNS)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only HTTP, HTTPS and SSH may open new connections to the proxy
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Everything else inbound is dropped; outbound is allowed
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
chmod +x ip.sh
sh ip.sh
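iptables evaluates a chain top to bottom and the first matching rule decides the packet; the chain policy only applies when nothing matched. That is why the position of a broad rule such as the `-i eth0 -j ACCEPT` line in the sample script as originally posted matters: placed above the port rules, it decides every packet from the public interface and the port rules become dead. The following is an added example, not part of the original post and not a wrapper around iptables: a small model of first-match evaluation covering only the match types the script uses (interface, protocol, destination port, connection state), with constructed probe packets, so the effect of rule order can be checked offline.

```python
"""Model of first-match evaluation for the INPUT chain in the tutorial's script.

Added example. Rules are dicts of match criteria plus a target; a criterion
that is absent matches anything. Packets are dicts with the same keys.
"state" is "NEW" for the first packet of a connection and "ESTABLISHED" for
replies, mirroring the conntrack states the script refers to.
"""


def matches(rule, pkt):
    """True if every criterion present in the rule is met by the packet."""
    for key in ("iface", "proto", "dport"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return True


def first_match_index(chain, pkt):
    """Index of the first rule that matches, or None if none does."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            return i
    return None


def verdict(chain, policy, pkt):
    """Target of the first matching rule, else the chain policy."""
    i = first_match_index(chain, pkt)
    return policy if i is None else chain[i]["target"]


def dead_rules(chain, probes):
    """Indices of rules no probe packet ever reaches: shadowed by an earlier rule."""
    hit = {first_match_index(chain, p) for p in probes}
    return [i for i in range(len(chain)) if i not in hit]


# The three port rules from the script (the TCP-flag sanity rules are left out;
# they only act on malformed packets, which the probes below do not include).
PORT_RULES = [
    {"proto": "tcp", "dport": 80, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 443, "target": "ACCEPT"},
    {"proto": "tcp", "dport": 22, "target": "ACCEPT"},
]

# Chain as originally posted: an interface-wide ACCEPT on eth0 sits above the port rules.
CHAIN_AS_PUBLISHED = [{"iface": "eth0", "target": "ACCEPT"}] + PORT_RULES

# Corrected ordering: accept loopback and reply traffic, then only the listed ports.
CHAIN_CORRECTED = [
    {"iface": "lo", "target": "ACCEPT"},
    {"state": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
] + PORT_RULES

# Constructed probe packets, one per situation worth checking.
PROBES = {
    "https":    {"iface": "eth0", "proto": "tcp", "dport": 443,   "state": "NEW"},
    "ssh":      {"iface": "eth0", "proto": "tcp", "dport": 22,    "state": "NEW"},
    "http":     {"iface": "eth0", "proto": "tcp", "dport": 80,    "state": "NEW"},
    "unlisted": {"iface": "eth0", "proto": "tcp", "dport": 9999,  "state": "NEW"},
    "reply":    {"iface": "eth0", "proto": "tcp", "dport": 43212, "state": "ESTABLISHED"},
    "loopback": {"iface": "lo",   "proto": "tcp", "dport": 6379,  "state": "NEW"},
}


def summarize(chain, policy="DROP"):
    """Verdict for every probe, keyed by probe name."""
    return {name: verdict(chain, policy, pkt) for name, pkt in PROBES.items()}


if __name__ == "__main__":
    for label, chain in (("as published", CHAIN_AS_PUBLISHED), ("corrected", CHAIN_CORRECTED)):
        print(label, summarize(chain), "dead rules:", dead_rules(chain, PROBES.values()))
```

Running it shows the published ordering accepting the unlisted port on eth0 and never reaching rules 1 to 3, while the corrected ordering drops the unlisted port, still accepts 80/443/22, and lets replies to the proxy's own upstream connections back in.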
And finally, restart the web server.
service nginx restart
Cloudflare Side
Since you're using a reverse proxy, you probably want to hide your web server's IP.
Go to Cloudflare and make sure your @ record points to your reverse proxy VPS's IP with the cloud set to orange (proxied); the same goes for your WWW record.
If your site uses mail, use an SMTP provider that hides the source IP, I recommend MailJet.
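One consequence of the chain above is worth spelling out for whatever runs on the origin web server. The proxy config sets X-Real-IP to its own $remote_addr and appends that address to X-Forwarded-For. With Cloudflare in front (orange cloud), $remote_addr at the proxy is a Cloudflare edge address, so X-Real-IP names the edge, not the visitor; the visitor's address is one hop further left in X-Forwarded-For (nginx's ngx_http_realip_module can restore it at the proxy, but that is not part of this config). Whatever reads the header must also only believe it when the connection really came through the proxy, since anyone can send a forged X-Forwarded-For. The following is an added example, not code from the original post: an origin-side resolver that trusts the header only from known proxies and walks it from the right. All addresses are constructed placeholders from the RFC 5737 documentation ranges; 203.0.113.10 stands for the proxy VPS and 198.51.100.0/24 stands in for the CDN's published edge ranges, which a real deployment must take from the CDN.

```python
"""Resolve the visitor address behind the proxy chain from the tutorial.

Added example, not part of the original post. The trusted set below is an
assumption: in production it holds the reverse proxy's address plus the
CDN's published edge ranges.
"""
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not real hosts:
#   203.0.113.10    - the reverse proxy VPS from the tutorial
#   198.51.100.0/24 - stand-in for the CDN's edge ranges
#   192.0.2.x       - visitors
TRUSTED_PROXIES = ["203.0.113.10/32", "198.51.100.0/24"]


def _is_trusted(addr, nets):
    """True if addr parses as an IP address and lies in one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip(xff, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Return the visitor address for a request the origin received.

    xff         - raw X-Forwarded-For header value as received (may be empty)
    remote_addr - peer address of the TCP connection the origin accepted

    The header is believed only when the peer is itself a trusted proxy, and
    it is read from the right: each trusted hop appended the address it saw,
    so the first entry from the right that is not one of our proxies is the
    visitor. Anything further left was supplied by an untrusted party.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    # Connection did not arrive via our proxy: the header is untrusted input
    if not _is_trusted(remote_addr, nets):
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, nets):
            continue                     # one of our own proxies, keep walking left
        try:
            ipaddress.ip_address(hop)    # must still be a well-formed address
        except ValueError:
            return remote_addr           # garbage in the chain: fall back to the peer
        return hop

    # Header empty, or made up only of our proxies: the request originated there
    return hops[0] if hops else remote_addr


if __name__ == "__main__":
    # Direct through the proxy, via the CDN, and with a forged leading entry
    print(client_ip("192.0.2.55", "203.0.113.10"))
    print(client_ip("192.0.2.55, 198.51.100.7", "203.0.113.10"))
    print(client_ip("10.0.0.1, 192.0.2.55, 198.51.100.7", "203.0.113.10"))
```

The third call shows why the walk goes right to left: a forged leading entry is ignored because it sits to the left of the first untrusted hop, and a request that reaches the origin without passing through the proxy is attributed to its actual peer regardless of what the header says. Logging and rate limiting on the origin should use this value rather than X-Real-IP as set by the config above.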
That's all there is to it.
If you need any help post below.
Comments
When did Nginx get added to the default repos for CentOS 6?
@xaitmi wouldn't it be the same with Debian? Except the yum part, of course.
Whoops, added yum install epel-release -y
Thanks
Yes.
Use the repo from nginx.org instead of EPEL.
https://www.nginx.com/resources/wiki/start/topics/tutorials/install/
Why? Any benefit?
Because EPEL gives you a bunch of garbage.
I sort of like it though, I don't need to recompile every time I need to use some modules.
xaitmi, after setting up, will the https:// work with the free plan of Cloudflare?
Looks like yes.
For CentOS 6, latest version in Epel is nginx-1.0.15-12.el6.x86_64.rpm but latest version in nginx.repo is nginx-1.8.1-1.el6.ngx.x86_64.rpm
Have you tested it?
Yes it does.
Would it be possible to get a video tutorial? That would be super epic
I prefer to compile NGINX as it gives me the ability to fine tune it to my requirements - for example, LibreSSL.
Thanks buddy, I have a few queries/issues:
It gives an error: not found.
It seems this is the same issue faced by a user: http://serverfault.com/questions/641446/nginx-reverse-proxy-folder
Can you please advise the exact setup of default.conf as per your tutorial?
Also, do I need to create a new conf file for domain.com (I read it should be like conf.d/domain.com.conf) or will the settings in conf.d/default.conf do the job automatically?
Lastly, if the "folder" (mydomain.com/folder) is WHMCS, will I need to add the proxy IP to the security settings as described here: http://docs.whmcs.com/Trusted_Proxy_Settings#Configuring_Trusted_Proxies_in_WHMCS ?
Is this needed?
I never had that /folder issue, that is odd.
Yes, a new conf for each domain.
No, you do not need to add the proxy IP to security.
Can you please elaborate on point no. 2?
When nginx is installed, a conf file is already there in conf.d at conf.d/default.conf.
Will this file remain unchanged?
What will be the new conf filename for domain.com?
I plan to keep a single domain.
If your domain is www.whistle.com your conf would be
your website files would be located in
/home/nginx/domains/whistle.com/*
config would be
/usr/local/nginx/conf/conf.d/whistle.com.conf
and the contents would be
You can delete it if you want
anything.conf
Thank you for the tutorial. How can I manage if I don't use SSL?
Try replacing https with http in the tutorial (the largest block of yellow-backgrounded text) in the first post of this discussion thread. It belongs, I assume, in /usr/local/nginx/conf/conf.d/yourdomain.tld.conf