Understanding Reverse Proxy:
A reverse proxy sits between client devices and a web server, forwarding client requests to the server and returning the server's responses to clients. It acts as an intermediary, providing several advantages:
- Load Balancing: Distributing incoming traffic across multiple backend servers to ensure optimal resource utilization and prevent server overload.
- SSL Termination: Handling SSL/TLS encryption and decryption, relieving backend servers of the resource-intensive process.
- Web Acceleration: Caching static content, compressing data, and serving as a content delivery network (CDN) to enhance website performance.
- Security: Acting as a shield for backend servers by hiding their details, filtering malicious traffic, and providing an additional layer of protection.
1. Update the system:
#sudo dnf update
2. Install Nginx:
#sudo dnf install nginx
3. Generate a self-signed SSL certificate:
#sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/certs/your_domain.com.key -out /etc/ssl/certs/your_domain.com.crt
Follow the prompts to enter the required information for the certificate.
Note: If you have purchased an SSL certificate, use that instead.
4. Create a new Nginx server block configuration:
#sudo vim /etc/nginx/conf.d/reverse-proxy.conf
#Add below to create upstream for load balancer
upstream your_upstream_server {
server 192.168.1.50:81;
server 192.168.1.50:81;
keepalive 64;
}
# Redirect all http request to https
server {
listen 80;
server_name your_domain.com;
return 301 https://$host$request_uri;
}
#Add the following configuration for https
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
ssl_certificate "/etc/ssl/certs/your_domain.com.crt";
ssl_certificate_key "/etc/ssl/certs/your_domain.com.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers PROFILE=SYSTEM;
ssl_prefer_server_ciphers on;
# 127.0.0.1 and localhost so that those are handled consistently like $hostname
server_name 127.0.0.1 localhost your_domain.com $hostname;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
# X-Content-Type-Options is a response header for the browser, so it is set with add_header
add_header X-Content-Type-Options nosniff;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_pass http://your_upstream_server/;
proxy_redirect off;
proxy_read_timeout 240s;
}
}
- proxy_pass: Specifies the backend server's address.
- proxy_set_header: Configures headers to pass additional information to the backend server, including the original client's IP and the protocol used.
5. Test the Nginx configuration for syntax errors:
#sudo nginx -t
6. Start and enable Nginx:
#sudo systemctl start nginx
#sudo systemctl enable nginx
#sudo systemctl status nginx
7. Configure the firewall to allow HTTPS traffic:
#sudo firewall-cmd --permanent --add-service=https
or
#sudo firewall-cmd --permanent --add-port=443/tcp
#sudo firewall-cmd --reload
Note: Only do this if your firewall is active.
This step assumes you are using the firewalld service. Adjust the firewall commands if you are using a different firewall management tool.
At this point, your Nginx reverse proxy with HTTPS should be set up and running. Requests to `https://your_domain.com` will be forwarded to the servers listed in the `your_upstream_server` upstream block. Remember to replace `your_domain.com` with your actual domain or IP address and the addresses in the `your_upstream_server` block with the correct server addresses.
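A small lint for a reverse-proxy configuration like the one in step 4, added here as an example and not part of the original post. It flags two mistakes that pass `nginx -t` because they are valid syntax: browser-facing security headers set with `proxy_set_header` (they go to the backend and never reach the client) and the same `server` address listed twice in an upstream block. The names `lint_proxy_conf`, `sample_conf` and `app_pool` are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# lint_proxy_conf [FILE...]: reads nginx config from FILE or stdin,
# prints one finding per line, returns 1 if anything was found.
lint_proxy_conf() {
    awk '
    # Drop comments and semicolons so fields compare cleanly.
    { sub(/#.*/, ""); gsub(/;/, " ") }
    $1 == "upstream" { in_up = 1; up = $2; split("", seen); next }
    in_up && index($0, "}") { in_up = 0; next }
    in_up && $1 == "server" {
        if ($2 in seen) {
            printf "line %d: upstream %s lists %s twice\n", NR, up, $2
            bad = 1
        }
        seen[$2] = 1
    }
    # These headers only mean something in the response sent to the browser.
    $1 == "proxy_set_header" {
        h = tolower($2)
        if (h ~ /^(x-content-type-options|x-frame-options|strict-transport-security|content-security-policy)$/) {
            printf "line %d: %s is a response header; use add_header, not proxy_set_header\n", NR, $2
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input (not taken from a real host).
sample_conf() {
cat <<'EOF'
upstream app_pool {
    server 192.168.1.50:81;
    server 192.168.1.50:81;
}
server {
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Content-Type-Options nosniff;
        proxy_pass http://app_pool/;
    }
}
EOF
}

sample_conf | lint_proxy_conf || echo "fix the findings above, then run nginx -t"
```

To check the file from step 4, run `lint_proxy_conf /etc/nginx/conf.d/reverse-proxy.conf` before `nginx -t`.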