Install Nginx as a Reverse Proxy on Fedora 27
-
This guide has worked perfectly for me -- great for learning as well, as I had a chance to take pieces and look them up.
Just to make sure my thinking is right, tell me if this is what's happening if I try to reach my site using HTTP.
URL for the example is http://testweb1.ejsllc.com
- Request gets to the reverseproxy.
- Request does not match the first server block, as it is specifically listening on port 443.
- Request does match the second server block since
server_name
matches and it's listening on port 80. - The second server block rewrites the URL to use https.
- The reverse proxy now evaluates the request again, which is now written as https://testweb1.ejsllc.com.
- Since no port was specified in the request, reverse proxy assumes the port will be 443, which will match the first server block, which is specifically listening on 443 and matches the
server_name
. - The reverse proxy unencrypts the request and follows the
proxy_pass
directive to send it to http://SERVER_IP
. SERVER_IP
is listening on port 80, receives the unencrypted request, processes it, and sends the response back to the reverse proxy.- The reverse proxy encrypts the response and send its back to the original requester.
-
@eddiejennings Correct.
-
@JaredBusch This is from the Nginx website under pitfalls and common mistakes. I read that return's are much faster than rewrites due to not needing to evaluate RegEx(?) which is why you see return listed as a better option. I know you use rewrite and there's a lot you know that I don't so I was just wondering why that is your preference
-
@jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:
certbot --nginx -n --email [email protected] --agree-tos --domains nc.domain.com
Adding
--redirect
tells certbot to redirect http to https. -
@aaronstuder said in Install Nginx as a Reverse Proxy on Fedora 27:
@jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:
certbot --nginx -n --email [email protected] --agree-tos --domains nc.domain.com
Adding
--redirect
tells certbot to redirect http to https.I had no idea you could do this
-
@wirestyle22 You learn something new everyday! This is what I learned
-
@aaronstuder Can you paste the edit to the server block? I'd like to see what it looks like after
--redirect
is run -
server { client_max_body_size 40M; server_name domain.com; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://10.157.95.208:80; proxy_redirect off; } listen 443 ssl; # managed by Certbot ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # m$ ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; #$ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot server { if ($host = domain.com) { return 301 https://$host$request_uri; } # managed by Certbot listen 80; server_name domain.com; return 404; # managed by Certbot }
-
@aaronstuder Hmm, looks like mine but I didn't use the --redirect.
-
@obsolesce Maybe you adding it manually?
-
It's standard. Only part you shouldn't have is the commented out parts.
-
@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:
@JaredBusch This is from the Nginx website under pitfalls and common mistakes. I read that return's are much faster than rewrites due to not needing to evaluate RegEx(?) which is why you see return listed as a better option. I know you use rewrite and there's a lot you know that I don't so I was just wondering why that is your preference
I updated the OP to reflect this.
Using the
return 301 https://$host$request_uri;
style. -
What is a good "size" for a VM that is strictly a reverse proxy? Would 20Gb be sufficient as it is not storing any data other than log files?
-
@brandon220 said in Install Nginx as a Reverse Proxy on Fedora 27:
What is a good "size" for a VM that is strictly a reverse proxy? Would 20Gb be sufficient as it is not storing any data other than log files?
Yes. 15-20 GB is enough to run with a minimal install.
-
@brandon220 said in Install Nginx as a Reverse Proxy on Fedora 27:
What is a good "size" for a VM that is strictly a reverse proxy? Would 20Gb be sufficient as it is not storing any data other than log files?
Likely just fine. I use 24GB for small servers like this. And 32GB for the big ones.
-
I thin provision, so a little extra is no problem for me.
-
@scottalanmiller Yeah, thin provisioning makes sense for something like this for sure
-
@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:
@scottalanmiller Yeah, thin provisioning makes sense for something like this for sure
For almost everything thin provisioning makes sense. I'm sure there is an exception to the rule but I can't think of one off the top of my head.
-
@coliver said in Install Nginx as a Reverse Proxy on Fedora 27:
@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:
@scottalanmiller Yeah, thin provisioning makes sense for something like this for sure
For almost everything thin provisioning makes sense. I'm sure there is an exception to the rule but I can't think of one off the top of my head.
Databases?
-
@black3dynamite said in Install Nginx as a Reverse Proxy on Fedora 27:
@coliver said in Install Nginx as a Reverse Proxy on Fedora 27:
@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:
@scottalanmiller Yeah, thin provisioning makes sense for something like this for sure
For almost everything thin provisioning makes sense. I'm sure there is an exception to the rule but I can't think of one off the top of my head.
Databases?
That would generally be it. HOWEVER, I normally put my DB on thin provisioning and have a separate, dedicated storage just for the data (DB files) which is thick provisioned.
Or if on Scale, the main storage gets a low HEAT score and the dedicated DB files gets set to 11.