Recommended Nginx Config As Single Proxy For Multiple Web Servers

NashBrydges

As the subject states, as I've become more familiar with Linix over the last few months, I started with simple Apache servers, then included SSL through Let's Encrypt for a single server, then found myself running multiple servers in this config. I then began incorporating Nginx along with SSL which brings me to now.

I'd like to setup a single Nginx VM to serve as proxy and manage all of the SSL certs for all web servers (currently running 7). They're all low traffic for internal team or a few clients and I'm likely to introduce other servers in the future as I find more and more things I want to test/try.

Are there any gotchas when setting up this way? Are there well known applications that will require SSL certs on both the proxy and the web server? Should I protect the connection between Nginx and all web servers anyway? They're all running on the same Hyper-V host so there's no concern for traffic going between Hyper-V hosts or to other services. Assuming it'll be easier to manage individual vhost files instead of one large one since each can be setup for one web server.

Really just looking for best practices here and/or any hints you might have that might simplify my life.

scottalanmiller

That's very standard and how lots of large hosting companies do it. We run all of our systems with a common Nginx SSL proxy out front and whatever application server behind it. Works really well.

JaredBusch

I dunno about best practice, but here is what I do.

I use an individual conf file per domain in/etc/nginx/conf.d/

Then with Let's Encrypt I run it with the standalone and cert only switches. I also use the pre and post hook options to stop and start nginx.
I run LE twice. Once for personal domains and once for work domains just to keep the SAN clean on the certs.

I can post some samples tomorrow if I see this thread again and remember.

Dashrender

@jaredbusch said in Recommended Nginx Config As Single Proxy For Multiple Web Servers:

I dunno about best practice, but here is what I do.

I use an individual conf file per domain in/etc/nginx/conf.d/

Then with Let's Encrypt I run it with the standalone and cert only switches. I also use the pre and post hook options to stop and start nginx.
I run LE twice. Once for personal domains and once for work domains just to keep the SAN clean on the certs.

I can post some samples tomorrow if I see this thread again and remember.

it's practically tomorrow - this is is a reminder

JaredBusch

This is what my Nginx conf.d directory looks like.

[jbusch@nginxproxy ~]$ ls -l /etc/nginx/conf.d/
total 64
-rw-r--r--. 1 root root 1334 May 12 14:37 AAAA.bundystl.com.conf
-rw-r--r--. 1 root root  446 Nov 16  2015 BBBB.com.conf
-rw-r--r--. 1 root root 1306 May 12 14:25 community.bundystl.com.conf
-rw-r--r--. 1 root root 1289 May 12 22:56 CCCC.bundystl.com.conf
-rw-r--r--. 1 root root 1092 May 26 14:02 daerma.com.conf
-rw-r--r--. 1 root root 1253 May 12 14:27 helpdesk.bundystl.com.conf
-rw-r--r--. 1 root root 1087 May 29 13:18 DDDDDD.daerma.com.conf
-rw-r--r--. 1 root root 1226 May 12 14:28 EEEEEE.com.conf
-rw-r--r--. 1 root root 1235 May 12 14:29 nc.bundystl.com.conf
-rw-r--r--. 1 root root 1362 May 12 14:29 nc.daerma.com.conf
-rw-r--r--. 1 root root 1237 May 12 14:29 obelisk.daerma.com.conf
-rw-r--r--. 1 root root 1066 May 12 14:29 oc.daerma.com.conf
-rw-r--r--. 1 root root 1110 May 12 14:30 FFFFF.com.conf
-rw-r--r--. 1 root root 1273 May 12 14:31 support.bundystl.com.conf
-rw-r--r--. 1 root root 1257 May 12 14:31 GGGGGG.bundystl.com.conf
-rw-r--r--. 1 root root 1247 May 12 14:31 unifi.bundystl.com.conf

JaredBusch

Here is what certbot looks like when I run it to add a new domain.

certbot certonly -n --standalone --agree-tos --email [email protected] --expand --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --domains support.bundystl.com,unifi.bundystl.com,helpdesk.bundystl.com,community.bundystl.com,GGGGGG.bundystl.com,nc.bundystl.com,AAAA.bundystl.com,CCCC.bundystl.com

There is a similar one that I execute for personal domains.

JaredBusch

This is what is in crontab to keep the certs up to date

[root@nginxproxy ~]# crontab -l
13 5 * * * certbot renew --standalone  --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

JaredBusch

This is the conf file for my unifi controller.

[jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/unifi.bundystl.com.conf 
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name unifi.bundystl.com;
    ssl          on;
    ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass https://10.254.0.32:8444/;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }
}
server {
    client_max_body_size 40M;
    listen 80;
    server_name unifi.bundystl.com;
    rewrite        ^ https://$server_name$request_uri? permanent;
}

And this is the conf for our underused nodebb instance.

[jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/community.bundystl.com.conf 
server {
    client_max_body_size 40M;
    listen 443 ssl;
    server_name community.bundystl.com;
    ssl          on;
    ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://10.254.0.35:4567;
        proxy_redirect off;

        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

    }
}
server {
    client_max_body_size 40M;
    listen 80;
    server_name community.bundystl.com;
    rewrite        ^ https://$server_name$request_uri? permanent;
}

NashBrydges

Thanks @JaredBusch this will be a huge help! I'll give this a try later this evening when I'm back.