Nginx Reverse Proxy Tutorial (Centos 6)
Why Nginx (Engine X)?
Sorry for the layout, I'm a noob at writing tutorials. A video tutorial with voice narration will be uploaded soon
We recommend getting a DDoS-protected VPS/server to defend yourself against Layer 4 attacks
Nginx will pass true HTTP requests and will drop the bad requests (floods)
Prerequisites
64MB Ram Minimum
Centos 6 32-64 Bit will do
EPEL repository
Apache Uninstalled to free port 80
Step One
This step isn't really needed, however it's good to keep stuff updated
Run yum update -y
Also, by default CentOS installs Apache, so we're going to need to uninstall that to free port 80 to be used for Nginx
Run the following to get rid of Apache
yum remove httpd -y
Step Two
We're going to need to install the EPEL repo, as you won't find the Nginx package in your current default repos
So visit this page https://fedoraproject.org/wiki/EPEL
Then copy the direct url of the package and do something like this
rpm -Uvh insert repo package direct link here
However I've done this for you already so just run the following
rpm -Uvh http://mirror.ancl.hawaii.edu/linux/epel/6/i386/epel-release-6-8.noarch.rpm
Step Three
We're now going to install Nginx. To do that, run the following command
yum install nginx -y
Now we're going to adjust the Nginx configuration
Run the following command
cd /etc/nginx/conf.d
Now we're going to delete the default configuration, as we're not going to need it.
You can delete it with rm default.conf
or move it with mv default.conf default.conf.disabled
Either way works
Step Four
We're now going to set up the actual reverse proxy. Using your favorite text editor (mine is nano), we're going to add the configuration
To install nano, do the following: yum install nano -y
In my case of using nano, I'll do the following command
nano testproxy.conf
Feel free to name your configuration file anything you want
Then I'll edit these values to my own domain and IP address
Then I'll paste it in
server {
    listen 80;
    server_name YourDomain.com;
    access_log off;
    # "error_log off;" would log to a file named "off", so discard errors via /dev/null
    error_log /dev/null crit;

    location / {
        proxy_pass http://Source IP/;
        proxy_redirect off;

        # Pass the original host and client address on to the source server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_max_temp_file_size 0;
        client_max_body_size 10m;
        client_body_buffer_size 128k;

        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;

        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}

Make sure you adjust YourDomain.com in the server_name area and the Source IP in the proxy_pass area
Then you'll save the configuration
Add the iptables rule to allow port 80
iptables -I INPUT 5 -m state --state NEW -p tcp --dport 80 -j ACCEPT
service iptables save
service iptables restart
We'll start Nginx with the following command
service nginx start
And make sure Nginx starts on a reboot, with the following command
chkconfig nginx on
If all goes well, your VPS IP can be used as an A record for your website
Congratulations, you're now using a reverse proxy for your website!
Here are some adjustments for Cloudflare usage and additional flood protection
Adjust the main Nginx configuration by editing /etc/nginx/nginx.conf
To restore your visitors' IPs, add this little snippet of code into the http block

set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
real_ip_header CF-Connecting-IP;

For HTTP flood based attacks, add this into the http block

limit_req_zone $binary_remote_addr zone=slimitss:10m rate=1r/s;
limit_req zone=slimitss burst=10;
Save the config file and restart nginx
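The hard-coded range list above goes stale, and one over-broad entry would let any client set CF-Connecting-IP and so pick its own limit_req key. This added example (not part of the original tutorial) regenerates the snippet from a reviewed list and rejects malformed or over-wide entries; the function names, the sample list and the minimum prefix of 8 are assumptions of the example.

```shell
#!/bin/sh
# valid_cidr4 CIDR: succeed only for dotted-quad IPv4 with a prefix of 8..32.
# The lower bound is this example's own policy: a range as wide as 0.0.0.0/0
# would let any client supply CF-Connecting-IP and choose its rate-limit key.
valid_cidr4() {
    case $1 in */*/*|*[!0-9./]*) return 1 ;; */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case $prefix in [89]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
    case $addr in *.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in [0-9]|[0-9][0-9]|[0-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# emit_real_ip HEADER: read CIDRs (one per line, "#" comments allowed) on stdin,
# print nginx directives, and return 1 if any entry was rejected.
emit_real_ip() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr4 "$line"; then
            printf 'set_real_ip_from %s;\n' "$line"
        else
            printf 'rejected: %s\n' "$line" >&2
            rc=1
        fi
    done
    printf 'real_ip_header %s;\n' "$1"
    return "$rc"
}

# Constructed input: three ranges from the tutorial plus two entries to reject.
sample_ranges() {
    cat <<'EOF'
173.245.48.0/20
103.21.244.0/22
104.16.0.0/12   # trailing comment
0.0.0.0/0
141.101.64.0/33
EOF
}

sample_ranges | emit_real_ip CF-Connecting-IP || echo "fix the rejected entries first" >&2
```

Write the output to a file included from the http block only when the function returns 0, then run nginx -t before restarting.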
Comments
nice tutorial.
btw yum != Yum
@nexmark Very good tutorial, however with "iptables -I INPUT 5 -m state --state NEW -p tcp --dport 80 -j ACCEPT"
This happens: iptables: Index of insertion too big
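"Index of insertion too big" is what iptables returns when the rule number given to -I is more than one past the end of the chain, so the fixed 5 only fits a chain that already holds at least four rules. This added example (not from the tutorial or the thread) computes the position from the chain's contents; the function names and the sample chains are assumptions of the example.

```shell
#!/bin/sh
# insert_index: reads `iptables -S INPUT` output on stdin and prints the number
# of the first REJECT/DROP rule (insert before it), or rules+1 if there is none.
insert_index() {
    awk '
        $1 == "-A" {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "-j" && ($(i + 1) == "REJECT" || $(i + 1) == "DROP")) {
                    print n; found = 1; exit
                }
        }
        END { if (!found) print n + 1 }
    '
}

# allow_http: the tutorial's port 80 rule at the computed position (needs root).
allow_http() {
    idx=$(iptables -S INPUT | insert_index) || return 1
    iptables -I INPUT "$idx" -m state --state NEW -p tcp --dport 80 -j ACCEPT
}

# Constructed sample: stock CentOS 6 INPUT chain (four ACCEPT rules, then REJECT).
stock_chain() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Constructed sample: a minimal VPS template with an empty INPUT chain.
empty_chain() {
    printf '%s\n' '-P INPUT ACCEPT'
}

echo "stock chain: insert at $(stock_chain | insert_index)"
echo "empty chain: insert at $(empty_chain | insert_index)"
```

If the chain has targeted DROP rules ahead of its catch-all rule, review the chosen position by hand so the new ACCEPT does not override them.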
what is proxying without caching... add a bit to include caching and the tutorial is complete
You should add some code to block the WordPress user agent, I see a lot of HTTP floods like this!
Will add
But it's this little snippet
WordPress
if ($http_user_agent ~* (wordpress) ) {
return 444;
}
Joomla
if ($http_user_agent = "") { return 444; }
Nice Tutorial! I really like it.
maybe you can add config for remote(source) server
Noob here, what is the use of this?
IFs are evil.
Got it all working. Thank you for the helpful guide!
Hi @nexmark!
A question: what happens with nginx gzipped output from the source when proxied?
I have one of your NAT VMs, with a website configured in your reverse proxy. My Nginx is configured to send gzip output. It listens on one of my assigned ports (say 1234) and port 80.
When I browse directly to mydomain.com:1234, the return headers from my nginx are:
Gzipped output.
But when I browse to mydomain.com via your reverse proxy the headers from your nginx are:
No gzipped output.
Not vital, just curious!
Would also be cool if you could provide information on how to do caching of static content on the reverse proxy, to speed everything up more.
Right now I'm using
Cloudflare --> Reverse Proxy --> Web Server
Everything loads super fast as if I wasn't using CF and Reverse proxy at all.
When I disable CF, pages take some time to load.
One of the reasons I will have to disable CF is because I will be installing an SSL cert on my site.
proxy_pass http://Source IP/;
Is this the IP of the VPS or the website that needs to be protected?
The website..
Has anyone gotten this tutorial working with SSL?
Add
That (should) work. PM me if you're having trouble.
@itgods thank you
Finally got SSL working.
Thanks Jonchun
Not a problem!
I'd also like to mention on this note, that you can modify this tutorial just a little bit to use a single ssl certificate while hosting applications on different servers.
For example, an SSL certificate for www.domain.com wouldn't be signed for blog.domain.com. However, you can add a location /blog block and proxy to blog.domain.com, and you will have signed SSL and your blog would be accessible at: www.domain.com/blog
This is really good for people using OV/EV certificates, and have reasons to not want to host certain things on the same server.
To answer my own question...
http://serverfault.com/questions/419984/what-is-the-best-way-to-compress-backend-to-nginx-reverse-proxy-data
http://nginx.org/en/docs/http/ngx_http_gunzip_module.html
looking for debian/ubuntu, anyone?
There wouldn't be much of a difference.
The config files are the same.
Conf files are in different locations
/etc/nginx/nginx.conf
/etc/nginx/sites-available
Then to enable a conf you need to symlink it from /etc/nginx/sites-available or just create the file in /etc/nginx/sites-enabled
Is it possible to proxy Gmail? Any solutions?
What are you trying to accomplish? While not possible with just nginx, this can be achieved using PHP.
Because Gmail is blocked here in our country, we have to use a VPN to log in, and it is very unstable. I want to build a private proxy for Gmail, which can check/send email like a proxy for Google search. Are there any tutorials to make it?
Why not host a webmail client that connects to gmail using smtp/imap? That would be much better.
I am using the Outlook app for iOS and it is excellent, but sometimes dealing with mails may be much easier with webmail, and I prefer their original interface, which makes it easy to handle mass emails.
https://code.google.com/p/php-proxy/
Host that on apache and it should work fine for your uses then.
@Jonchun that was a simple and great idea, that will do