Latest revision as of 05:22, 13 July 2023

This will allow you to host multiple internal web servers via a single public IP address. The following instructions are based on Raspbian 11.6

Installation

 apt install nginx

Configuration File

 vi /etc/nginx/sites-available/reverse-proxy

server {
    listen 80;
    server_name ha.klaverstyn.com.au;

    return 301 https://ha.klaverstyn.com.au;
}

server {
  listen 443 ssl;
  server_name ha.klaverstyn.com.au;

  ssl_protocols         TLSv1.2 TLSv1.3;
  ssl_certificate       /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
  ssl_certificate_key   /etc/nginx/ssl-cert/privkey.ha.pem;

  location / {
    proxy_pass         https://ha.klaverstyn.com.au;
    proxy_http_version 1.1;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "Upgrade";
  }
}




server {
  listen 80;
  server_name teslamate.klaverstyn.com.au;

  auth_basic "Restricted Content";
  auth_basic_user_file /etc/nginx/.htpasswd-teslamate;

  location / {
    proxy_pass         http://teslamate.klaverstyn.com.au;
    proxy_http_version 1.1;
    proxy_set_header   Host       $host;
    proxy_set_header   X-Real-IP  $remote_addr;
    proxy_set_header   Upgrade    $http_upgrade;
    proxy_set_header   Connection "Upgrade";
  }
}


server {
  listen 88;
  server_name teslamate.klaverstyn.com.au;
  location / {
    proxy_pass          http://teslamate.klaverstyn.com.au:88;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}


server {
  listen 80;
  server_name box.mailadmin.au;
  location / {
    proxy_pass          http://box.mailadmin.au;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

server {
  listen 443 ssl;
  server_name box.mailadmin.au;

  ssl_protocols         TLSv1.2 TLSv1.3;
  ssl_certificate       /etc/nginx/ssl-cert/box.mailadmin.au.crt;
  ssl_certificate_key   /etc/nginx/ssl-cert/privkey.box.pem;

  location / {
    proxy_pass          https://box.emailadmin.au;
    proxy_set_header    Host                            $host;
    proxy_set_header    X-Real-IP                       $remote_addr;
  }
}

Enable Config

unlink /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/reverse-proxy /etc/nginx/sites-enabled/reverse-proxy

Testing Config

Test the configuration file before restarting and committing the new changes.

 nginx -t

Restarting

For the new config file to take effect restart the service.

 systemctl restart nginx

 systemctl status nginx

Notes

The server_name is the host header name that is an A record for your public IP address. The proxy_pass is the FQDN for the server internal to your network. This means a split DNS for FQDN.

Either update your /etc/hosts file so that the internal FQDN is mapped to the correct IP or

Use an internal DNS such as Pi-Hole where you can assign an internal IP address for the FQDN.

I'm storing my TLS certificates in /etc/nginx/ssl-cert/
I'm using a password file for the site TeslaMate as there is no authentication by default on the application.

Other

I'm using iptables and ip6tables to block all access unless connectivity is from Australia to block unwanted access. Implementing fail2ban would be more ideal.

nginx Reverse Proxy: Difference between revisions

Latest revision as of 05:22, 13 July 2023

Contents

Installation

Configuration File

Enable Config

Testing Config

Restarting

Notes

Other

Navigation menu

Page actions

Page actions

Àwọn irinṣẹ́ tèmi

Navigation

Search

Tools

@@ Line 1: / Line 1: @@
-This will allow you to host mutliple internal web servers via a single public IP address.  The following instrucitons are based on Raspbian 11.6
+This will allow you to host multiple internal web servers via a single public IP address.  The following instructions are based on Raspbian 11.6
 = Installation =
@@ Line 8: / Line 8: @@
 <pre>
+server {
+    listen 80;
+    server_name ha.klaverstyn.com.au;
+    return 301 https://ha.klaverstyn.com.au;
+}
 server {
    listen 443 ssl;
    server_name ha.klaverstyn.com.au;
-   ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
+   ssl_protocols         TLSv1.2 TLSv1.3;
    ssl_certificate       /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
    ssl_certificate_key   /etc/nginx/ssl-cert/privkey.ha.pem;
@@ Line 72: / Line 79: @@
    server_name box.mailadmin.au;
-   ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;
+   ssl_protocols         TLSv1.2 TLSv1.3;
    ssl_certificate       /etc/nginx/ssl-cert/box.mailadmin.au.crt;
    ssl_certificate_key   /etc/nginx/ssl-cert/privkey.box.pem;
@@ Line 84: / Line 91: @@
 </pre>
-== nginx service ==
+== Enable Config ==
 <pre>
 unlink /etc/nginx/sites-enabled/default
 ln -s /etc/nginx/sites-available/reverse-proxy /etc/nginx/sites-enabled/reverse-proxy
 </pre>
+== Testing Config ==
+Test the configuration file before restarting and committing the new changes.
+<pre> nginx -t </pre>
+== Restarting ==
+For the new config file to take effect restart the service.
+<pre> systemctl restart nginx </pre>
+<pre> systemctl status nginx </pre>
 = Notes =
@@ Line 98: / Line 114: @@
 I'm storing my TLS certificates in /etc/nginx/ssl-cert/<br>
-I'm using a password for file site teslamate as there is no authentication by default.
+I'm using a password file for the site TeslaMate as there is no authentication by default on the application.
 = Other =
-I'm using iptables and ip6tables to block all access unless from Australia to block unwanted access.  Implemeting fail2ban would be more ideal.
+I'm using iptables and ip6tables to block all access unless connectivity is from Australia to block unwanted access.  Implementing fail2ban would be more ideal.
 [[Category : Raspberry Pi]] [[Category : Debian]]