    Setting up Nginx on CentOS 7 as a reverse proxy

    • J
      JaredBusch
      last edited by JaredBusch

      Now for a site on a non-standard back-end port that is still coming in on port 80, like my NodeBB example above, it is very similar.

      #save as file: /etc/nginx/conf.d/forum.domain.conf
      server {
      	client_max_body_size 40M;
      	listen 80;
      	server_name forum.domain.com;
      
      	location / {
      		proxy_set_header X-Real-IP $remote_addr;
      		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      		proxy_set_header Host $http_host;
      		proxy_set_header X-NginX-Proxy true;
      		proxy_pass http://10.0.0.3:4567;
      		proxy_redirect off;
      	}
      }
      

      Now restart nginx
      systemctl reload nginx

      • J
        JaredBusch
        last edited by JaredBusch

        The non-standard port redirect also works with SSL. Again, you need your proper certificate information in here. This example is used for my helpdesk.

        #save as file: /etc/nginx/conf.d/helpdesk.domain.conf
        server {
        	client_max_body_size 40M;
        	listen 443 ssl;
        	server_name helpdesk.domain.com;
        	ssl          on;
        	ssl_certificate /etc/ssl/cacert.pem;
        	ssl_certificate_key /etc/ssl/privkey.pem;
        
        	location / {
        		proxy_set_header X-Real-IP $remote_addr;
        		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        		proxy_set_header Host $http_host;
        		proxy_set_header X-NginX-Proxy true;
        		proxy_pass https://10.0.0.4:8090;
        		proxy_redirect off;
        	}
        }
        

        Now restart nginx
        systemctl reload nginx

        • I
          iroal @JaredBusch
          last edited by

          @JaredBusch Thanks, with your tutorial it's very easy to set up.

            • J
              JaredBusch @Alex Sage
              last edited by

              @anonymous said:

              So I have ScreenConnect set up using the reverse proxy, but the clients can't connect to the relay port. How do I fix this?

              What ports are you using? What is the proxy config?

                • J
                  JaredBusch @Alex Sage
                  last edited by

                  @anonymous said:

                  I think I will have to port forward the relay port to the ScreenConnect server?

                  From the reading I have done, yes. That connection is not SSL, but pre-encrypted by ScreenConnect itself.

                    • D
                      Dashrender
                      last edited by

                      Considering the newfound love of Fedora, should this be done on Fedora instead?

                      • J
                        JaredBusch @Dashrender
                        last edited by JaredBusch

                        @dashrender said in Setting up Nginx on CentOS 7 as a reverse proxy:

                        Considering the newfound love of Fedora, should this be done on Fedora instead?

                        Yeah, I need to make a new guide for Fedora.

                        Process is basically the same. Substitute dnf in place of yum, generally.

                        No need for EPEL.

                        • W
                          wirestyle22
                          last edited by wirestyle22

                          If I have multiple web servers, how does nginx know which host is which when they are both using the same port? Is it just the subdomain and internal IP (proxy_pass)?

                          Example:

                          server {
                          	client_max_body_size 40M;
                          	listen 443 ssl;
                          	server_name nc.skynetli.com;	#change to your domain name
                          	ssl          on;
                          	ssl_certificate /etc/ssl/cacert1.pem;	#this needs to be the path to your certificate information
                          	ssl_certificate_key /etc/ssl/privkey1.pem;	#this needs to be the path to your certificate information
                          
                          	location / {
                          		proxy_set_header X-Real-IP $remote_addr;
                          		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                          		proxy_set_header Host $http_host;
                          		proxy_set_header X-NginX-Proxy true;
                          		proxy_pass https://192.168.1.205:443;	#change to your internal server IP
                          		proxy_redirect off;
                          	}
                          }
                          server {
                          	client_max_body_size 40M;
                          	listen 443;
                          	server_name xo.skynetli.com;	#change to your domain name
                          
                          	location / {
                          		proxy_set_header X-Real-IP $remote_addr;
                          		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                          		proxy_set_header Host $http_host;
                          		proxy_set_header X-NginX-Proxy true;
                          		proxy_pass http://192.168.1.206:443;	#change to your internal server IP
                          		proxy_redirect off;
                          	}
                          }
                          
                          • O
                            Obsolesce
                            last edited by

                            You use multiple server config areas in your example code, and then server_name and proxy_pass for each site using different ports.

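How nginx tells the two hosts apart, as an added example that is not part of any post in this thread: a simplified Python model of `server_name` matching against the request's Host header (or TLS SNI name) on one listen socket. The `pick_server` helper, the wildcard and regex entries, and the `192.0.2.x` addresses are hypothetical; the first two blocks mirror the question's config.

```python
import re

# Constructed model: the two server blocks from the question, reduced to the
# fields that matter here; the wildcard and regex entries are hypothetical.
SERVERS = [
    {"names": ["nc.skynetli.com"], "proxy_pass": "https://192.168.1.205:443"},
    {"names": ["xo.skynetli.com"], "proxy_pass": "http://192.168.1.206:443"},
    {"names": ["*.skynetli.com"], "proxy_pass": "http://192.0.2.10:80"},
    {"names": [r"~^dev\d+\.example\.test$"], "proxy_pass": "http://192.0.2.11:80"},
]

def pick_server(servers, host):
    """Simplified model of nginx server_name matching on one listen socket."""
    host = host.lower().split(":")[0]            # Host header may carry a port
    names = [(n, s) for s in servers for n in s["names"]]
    plain = [(n.lower(), s) for n, s in names if not n.startswith("~")]
    for n, s in plain:                           # 1. exact name
        if n == host:
            return s
    lead = [(n, s) for n, s in plain if n.startswith("*.") and host.endswith(n[1:])]
    if lead:                                     # 2. longest "*.example.com"
        return max(lead, key=lambda p: len(p[0]))[1]
    trail = [(n, s) for n, s in plain if n.endswith(".*") and host.startswith(n[:-1])]
    if trail:                                    # 3. longest "www.example.*"
        return max(trail, key=lambda p: len(p[0]))[1]
    for n, s in names:                           # 4. first regex, in file order
        if n.startswith("~"):
            ci = n.startswith("~*")              # "~*" means case-insensitive
            if re.search(n[2:] if ci else n[1:], host, re.I if ci else 0):
                return s
    # 5. nothing matched: the default server answers (the first block for this
    #    listen socket unless one is marked default_server)
    return next((s for s in servers if s.get("default")), servers[0])

if __name__ == "__main__":
    for h in ("xo.skynetli.com", "NC.skynetli.com:443", "mail.skynetli.com",
              "dev7.example.test", "unknown.example.org"):
        print(h, "->", pick_server(SERVERS, h)["proxy_pass"])
```

A name that matches no `server_name` is answered by the default block, so with one file per site in `conf.d` the first file loaded for that port serves every unknown Host unless a dedicated catch-all block is marked `default_server`.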
                            • W
                              wirestyle22 @Obsolesce
                              last edited by

                              @tim_g So essentially what I did above, correct?

                              • O
                                Obsolesce
                                last edited by

                                I'll find a good link to reference, I can't do this on my phone... gimme a few mins.

                                • W
                                  wirestyle22 @Obsolesce
                                  last edited by

                                  @tim_g Np. Thanks

                                  • J
                                    JaredBusch
                                    last edited by

                                    I prefer to have each server block for each domain/subdomain in its own config file.

                                    [image]

                                    • D
                                      Dashrender @JaredBusch
                                      last edited by

                                      @jaredbusch said in Setting up Nginx on CentOS 7 as a reverse proxy:

                                      I prefer to have each server block for each domain/subdomain in its own config file.

                                      [image]

                                      wow, you are hosting a lot there.

                                      • J
                                        JaredBusch
                                        last edited by

                                        [jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/daerma.com.conf 
                                        server {
                                            client_max_body_size 40M;
                                            listen 443 ssl;
                                            server_name www.daerma.com daerma.com;
                                            ssl          on;
                                            ssl_certificate /etc/letsencrypt/live/daerma.com-0001/fullchain.pem;
                                            ssl_certificate_key /etc/letsencrypt/live/daerma.com-0001/privkey.pem;
                                            ssl_stapling on;
                                            ssl_stapling_verify on;
                                            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                                            ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
                                            ssl_prefer_server_ciphers on;
                                            ssl_session_cache shared:SSL:10m;
                                            ssl_dhparam /etc/ssl/certs/dhparam.pem;
                                            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
                                        
                                            location / {
                                                proxy_set_header X-Real-IP $remote_addr;
                                                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                proxy_set_header Host $http_host;
                                                proxy_set_header X-NginX-Proxy true;
                                                proxy_pass https://10.254.0.101:443;
                                                proxy_redirect off;
                                            }
                                        }
                                        
                                        server {
                                            client_max_body_size 40M;
                                            listen 80;
                                            server_name www.daerma.com daerma.com;
                                            rewrite        ^ https://daerma.com$request_uri? permanent;
                                        }
                                        
                                        • O
                                          Obsolesce
                                          last edited by

                                          Like this, this is a good example of what I meant...

                                          https://timothy-quinn.com/using-nginx-as-a-reverse-proxy-for-multiple-sites

                                          • J
                                            JaredBusch
                                            last edited by

                                            [jbusch@nginxproxy ~]$ cat /etc/nginx/conf.d/unms.bundystl.com.conf 
                                            server {
                                                client_max_body_size 40M;
                                                listen 443 ssl;
                                                server_name unms.bundystl.com;
                                                ssl          on;
                                                ssl_certificate /etc/letsencrypt/live/unms.bundystl.com/fullchain.pem;
                                                ssl_certificate_key /etc/letsencrypt/live/unms.bundystl.com/privkey.pem;
                                                ssl_stapling on;
                                                ssl_stapling_verify on;
                                                ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                                                ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
                                                ssl_prefer_server_ciphers on;
                                                ssl_session_cache shared:SSL:10m;
                                                ssl_dhparam /etc/ssl/certs/dhparam.pem;
                                                add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
                                            
                                                location / {
                                                    proxy_set_header X-Real-IP $remote_addr;
                                                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                                                    proxy_set_header X-Forwarded-Proto $scheme;
                                                    proxy_set_header Host $http_host;
                                                    proxy_set_header X-NginX-Proxy true;
                                                    proxy_pass https://10.254.0.39:443;
                                                    proxy_redirect off;
                                            
                                                    # Socket.IO Support
                                                    proxy_http_version 1.1;
                                                    proxy_set_header Upgrade $http_upgrade;
                                                    proxy_set_header Connection "upgrade";
                                            
                                                }
                                            }
                                            server {
                                                client_max_body_size 40M;
                                                listen 80;
                                                server_name unms.bundystl.com;
                                                rewrite        ^ https://$server_name$request_uri? permanent;
                                            }
                                            
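A check for configs like the ones posted in this thread, as an added example that is not code from any poster: a small Python audit that flags `ssl on` (obsolete since nginx 1.15.0, since `listen ... ssl` already enables TLS), TLS 1.0/1.1 in `ssl_protocols` (deprecated by RFC 8996), and a `proxy_pass http://` aimed at port 443. The `audit` function is hypothetical, the sample is constructed from directives that appear above, and the port-443 check is a heuristic.

```python
import re

# Constructed sample assembled from directives posted in this thread.
SAMPLE = """
server {
    listen 443 ssl;
    server_name helpdesk.domain.com;
    ssl          on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    location / {
        proxy_pass https://10.0.0.4:8090;
    }
}
server {
    listen 443;
    server_name xo.skynetli.com;    #change to your domain name
    location / {
        proxy_pass http://192.168.1.206:443;    #change to your internal server IP
    }
}
"""

OLD_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # TLS 1.0/1.1: see RFC 8996

def audit(conf):
    """Return (server_name, finding) pairs, one list entry per finding."""
    out, depth, name, pending = [], 0, "?", []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        words = line.rstrip(";{ ").split()
        d, args = (words[0], words[1:]) if words else ("", [])
        if d == "server_name" and args:
            name = args[0]
        elif d == "ssl" and args == ["on"]:
            pending.append("'ssl on' is obsolete; 'listen ... ssl' enables TLS")
        elif d == "ssl_protocols":
            old = sorted(OLD_TLS & set(args))
            if old:
                pending.append("deprecated protocols: " + " ".join(old))
        elif d == "proxy_pass" and args and re.match(r"http://[^/]*:443\b", args[0]):
            pending.append("proxy_pass sends plain http:// to port 443")
        depth += line.count("{") - line.count("}")
        if depth == 0 and "}" in line:             # a top-level block closed
            out += [(name, f) for f in pending]
            name, pending = "?", []
    return out
```

Findings are attributed when each top-level `server` block closes, so a `server_name` that appears after the flagged directive is still reported correctly.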