nginx Reverse Proxy
Revision as of 05:21, 13 July 2023
This will allow you to host multiple internal web servers behind a single public IP address. The following instructions are based on Raspbian 11.6.
Installation
apt install nginx
Configuration File
vi /etc/nginx/sites-available/reverse-proxy
# Plain-HTTP listener for ha: redirect everything to HTTPS, keeping the requested path and query string
server {
    listen 80;
    server_name ha.klaverstyn.com.au;
    return 301 https://ha.klaverstyn.com.au$request_uri;
}

server {
    listen 443 ssl;
    server_name ha.klaverstyn.com.au;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl-cert/ha.klaverstyn.com.au.crt;
    ssl_certificate_key /etc/nginx/ssl-cert/privkey.ha.pem;

    location / {
        proxy_pass https://ha.klaverstyn.com.au;
        # HTTP/1.1 plus the Upgrade/Connection headers let WebSocket connections pass through the proxy
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

server {
    listen 80;
    server_name teslamate.klaverstyn.com.au;
    # Note: on a plain-HTTP listener the basic-auth credentials travel unencrypted between client and proxy
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd-teslamate;

    location / {
        proxy_pass http://teslamate.klaverstyn.com.au;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}

server {
    listen 88;
    server_name teslamate.klaverstyn.com.au;

    location / {
        proxy_pass http://teslamate.klaverstyn.com.au:88;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 80;
    server_name box.mailadmin.au;

    location / {
        proxy_pass http://box.mailadmin.au;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 443 ssl;
    server_name box.mailadmin.au;
    # TLSv1.1 is deprecated; the ha block above accepts TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/ssl-cert/box.mailadmin.au.crt;
    ssl_certificate_key /etc/nginx/ssl-cert/privkey.box.pem;

    location / {
        proxy_pass https://box.emailadmin.au;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Enable Config
unlink /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/reverse-proxy /etc/nginx/sites-enabled/reverse-proxy
Testing Config
Test the configuration file before restarting and committing the new changes.
nginx -t
Restarting
For the new config file to take effect, restart the service and check that it came back up.
systemctl restart nginx
systemctl status nginx
Notes
The server_name is the Host header name, which is an A record pointing at your public IP address. The proxy_pass is the FQDN of the server internal to your network. Using the same FQDN for both means you need split DNS for that name:
- Either update your /etc/hosts file so that the internal FQDN is mapped to the correct IP or
- Use an internal DNS such as Pi-Hole where you can assign an internal IP address for the FQDN.
I'm storing my TLS certificates in /etc/nginx/ssl-cert/.
I'm using a password file for the TeslaMate site as the application has no authentication by default.
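Before enabling a file like the one above, it is worth checking it for the three pitfalls this page touches on: an ssl server without an explicit ssl_protocols line (the revision that produced this page added one), a deprecated protocol such as TLSv1.1 left enabled, and auth_basic on a plain-HTTP listener. The following is an added Python check, not part of the page or of nginx; the hostnames in the embedded sample are constructed placeholders.

```python
import re
# Constructed sample in the style of the reverse-proxy file above (placeholder hostnames)
SAMPLE = """
server { listen 80; server_name teslamate.example.test; auth_basic "Restricted Content";
  auth_basic_user_file /etc/nginx/.htpasswd-teslamate; location / { proxy_pass http://teslamate.example.test; } }
server { listen 443 ssl; server_name box.example.test; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  location / { proxy_pass https://box.example.test; } }
server { listen 443 ssl; server_name ha.example.test; location / { proxy_pass https://ha.example.test; } }
"""
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')  # quoted strings, { } ; and bare words
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
def parse(text):  # -> list of (name, args, children); children is None for simple directives
    tokens = TOKEN.findall(re.sub(r"#[^\n]*", "", text))  # strip comments first
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                children = block()
                pos += 1  # consume the matching '}'
                items.append((words[0], words[1:], children))
            else:
                pos += 1  # consume ';'
                items.append((words[0], words[1:], None))
        return items
    return block()
def audit(text):
    """Return (server_name, finding) pairs for the three pitfalls a file like the one above can show."""
    findings = []
    for name, _args, children in parse(text):
        if name != "server":
            continue
        directives = {n: a for n, a, _ in children}
        host = directives.get("server_name", ["?"])[0]
        tls = any("ssl" in a for n, a, _ in children if n == "listen")
        if tls and "ssl_protocols" not in directives:  # nginx before 1.23.4 then also accepts TLSv1/TLSv1.1
            findings.append((host, "no ssl_protocols directive; nginx default applies"))
        for proto in directives.get("ssl_protocols", []):
            if proto in WEAK:
                findings.append((host, f"deprecated protocol enabled: {proto}"))
        if "auth_basic" in directives and not tls:
            findings.append((host, "auth_basic on a plain-HTTP listener; credentials sent unencrypted"))
    return findings
```

Run it against the real file with audit(open("/etc/nginx/sites-available/reverse-proxy").read()); an empty list means none of the three conditions was found.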
Other
I'm using iptables and ip6tables to drop all traffic that does not originate from Australia, which cuts out most unwanted access. Implementing fail2ban would be a better option.