...

  1. Generating a self-signed SSL certificate

  2. Installing Nginx

  3. Configuring Nginx as a reverse-proxy using the self-signed SSL certificate

  4. Example configurations

  5. Configuring Nginx to start automatically as a service

  6. Configuring Firewalls

...

# CentOS
# Bring the installed packages up to date before adding new ones.
sudo yum -y update
# Enable the EPEL repository first, in its own transaction: the nginx package is
# expected to come from EPEL on CentOS 7 (verify on your release), so installing
# both in one yum call would fail to resolve nginx.
sudo yum install -y epel-release
sudo yum install -y nginx

# Amazon Linux 2
# (commented out: the guide targets CentOS; uncomment the matching line on other distros)
# sudo amazon-linux-extras install nginx1.12

# Ubuntu
# sudo apt update
# sudo apt install nginx

Configuring Nginx as Reverse-Proxy

Configuration of Nginx is modular. The global configuration is located in /etc/nginx/nginx.conf. One could create server blocks directly in this file. However, a better practice is to keep each server definition in its own configuration file, which the main configuration includes when Nginx starts.

...

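# Paths of the TLS private key and certificate generated in step 1.
export CERT_KEY='/etc/pki/tls/private/domain.key' # Default CentOS certificate key
export CERT='/etc/pki/tls/certs/domain.crt' # Default CentOS certificate path

# Public hostname the proxy answers for, and the local port the web app listens on.
export SERVER_FQDN="{{ .serverFqdn }}"
export BACKEND_PORT="{{ .backEndPort }}" # change {{}} to the port the webapp is listening on.

# Both values are interpolated verbatim into a root-owned nginx config, so refuse
# anything that is not a plain hostname / port number: an unreplaced {{ }} template
# placeholder, an empty value, or characters (";", "{", newline) that could smuggle
# extra directives into the generated file.
if [[ ! "${SERVER_FQDN}" =~ ^[A-Za-z0-9.-]+$ ]]; then
  printf 'SERVER_FQDN must be a plain hostname, got: %s\n' "${SERVER_FQDN}" >&2
  exit 1
fi
if [[ ! "${BACKEND_PORT}" =~ ^[0-9]{1,5}$ ]]; then
  printf 'BACKEND_PORT must be a TCP port number, got: %s\n' "${BACKEND_PORT}" >&2
  exit 1
fi

# Unquoted here-doc: ${VAR} is expanded by bash now, while "\$name" is written
# literally so nginx sees its own $request_uri / $http_host variables.
sudo tee /etc/nginx/conf.d/reverse-proxy-tls.conf <<EOF
upstream backend {
  server localhost:${BACKEND_PORT};
}

server {
  listen 80;
  listen [::]:80;
  server_name ${SERVER_FQDN};

  # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
  return 301 https://${SERVER_FQDN}\$request_uri;
}

server {
  # "ssl" on the listen directive replaces the deprecated "ssl on;" (dropped in
  # newer nginx releases); without either, nginx would speak plain HTTP on 443.
  # IPv6 listener added to match the port-80 server above.
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name ${SERVER_FQDN};

  ssl_session_cache   shared:SSL:40m;
  ssl_session_timeout  4h;
  ssl_protocols  TLSv1.2;
  # ECDHE suites only, AEAD first; DH+3DES removed (64-bit block cipher).
  ssl_ciphers ECDH+AESGCM:ECDH+AES256-CBC:ECDH+AES128-CBC:!ADH:!AECDH:!MD5;
  ssl_prefer_server_ciphers   on;

  ssl_certificate         ${CERT};
  ssl_certificate_key     ${CERT_KEY};

  # Once HTTPS is confirmed working, consider adding a Strict-Transport-Security header here.

  # one log pair per host; dots in the FQDN become underscores in the file name.
  access_log /var/log/nginx/${SERVER_FQDN//./_}.log;
  error_log /var/log/nginx/${SERVER_FQDN//./_}-error.log error;

  location / {
    proxy_pass http://backend;
    proxy_buffers 16 4k;
    proxy_buffer_size 2k;
    proxy_set_header Host \$http_host;
    proxy_set_header ServerName \$server_name;
    proxy_set_header ServerPort 443;
    # header name without a trailing ":" — the original "X-Real-IP:" produced a
    # mis-named header that backends would never match.
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Scheme https;
    proxy_set_header X-Forwarded-URL-Scheme https;
    proxy_redirect default;
  }
}
EOF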

...

Example Configurations

Example: uWSGI

server {

    # .... Omitted

    location / {
        # uwsgi_params (shipped with nginx) maps the request into the uwsgi_param
        # variables the uWSGI protocol expects; include it before uwsgi_pass.
        include uwsgi_params;
        # Unix socket the app is served on — presumably the "socket" path from the
        # uWSGI config; the nginx worker user needs read/write permission on it.
        # The home-directory path is only an example; adjust to your deployment.
        uwsgi_pass unix:///home/klo9/webapp/webapp.sock;
    }
}

...