Topic: Nginx Reverse Proxy

vshaulsk

  • Zen Samurai
  • ****
  • Posts: 477
  • Karma: +9/-1
Nginx Reverse Proxy
« on: September 29, 2011, 10:08:06 pm »
I am thinking of using Nginx reverse proxy in order to connect to a web server located on one of my VLANs.

The server will have a couple of vhosts all on IP 192.168.0.112  (one will be named appointments.com and the other will be services.com)

My external host name is provided by dyndns so it is xxxxx.dyndns.org

I have looked at some google documentation on Nginx, but I am not entirely sure how to implement it.
I also would like to make it listen on port 8080 so that I don't change any of the apache configurations present within my lan. 

Has anyone set up Nginx reverse proxy?  Could you provide me with some instructions based on my scenario??  I don't want to cause an error in my Zentyal setup.
Thank you !!!

check-ict

  • Zen Apprentice
  • *
  • Posts: 30
  • Karma: +0/-0
Re: Nginx Reverse Proxy
« Reply #1 on: September 29, 2011, 11:38:24 pm »
Hi,

I just set up an extra virtual Ubuntu server and redirect all port 80 and 443 to the nginx reverse proxy.

From there I redirect it to my servers.

It's very easy to install. Just install a basic Ubuntu server, apt-get install nginx and create virtual hosts in the sites-enabled directory.

Here is an example config which I created right after the apt-get install nginx:

/etc/nginx/sites-enabled/zarafa

server {
        listen   80;
        server_name  webmail.check-ict.nl mail.check-ict.nl;

        access_log  /var/log/nginx/access_zarafa.log;


        location / {
                proxy_pass      http://10.10.1.20/;
        }
}

Yours,

Nomad - Check ICT

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #2 on: September 30, 2011, 07:35:44 am »
Wow, dedicated (virtual) server to run Nginx  :o  You have plenty of resources  ;D  anyway...

I'm glad to see that some are trying to use Nginx instead of Apache. The main added value here is speed (for static content) and small footprint. However, if it's done by installing a dedicated virtual server, I'm not sure the footprint is small anymore  ::)

Your example works. What might be required is to introduce some rewriting in case what you expose through Nginx is not 100% aligned with internal server.
e.g. you want to redirect http://my.public.domain/appointments/ to http://appointments.com/ and http://my.public.domain/services/ to http://services.com/

The trick here is to use rewrite as described here:
http://wiki.nginx.org/NginxHttpRewriteModule#rewrite

in your case, this could be something like:
Code:
location /appointments {
    rewrite /appointments/(.*) /$1 break;
    proxy_pass http://appointments.com;
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
« Last Edit: September 30, 2011, 07:38:45 am by christian »
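
An added example, not part of the original post: the path-to-vhost mapping from the reply above, written out for both sites. It goes a step further than the posted snippet by pinning the Host header to the backend vhost name, so that Apache's name-based virtual hosting on the shared IP selects the right site, and it uses the URI form of proxy_pass instead of rewrite. Assumptions: my.public.domain as the public name, port 8080 and 192.168.0.112 from the first post, and a hypothetical log file name.

```nginx
# Added example, not from the thread. Assumed: my.public.domain is the public
# hostname, 192.168.0.112 serves both Apache vhosts, nginx listens on 8080.

# Catch-all: a request whose Host header matches no server_name below has its
# connection closed (444), so probes against the bare IP never reach a backend.
server {
    listen 8080 default_server;
    server_name _;
    return 444;
}

server {
    listen 8080;
    server_name my.public.domain;

    access_log /var/log/nginx/access_proxy.log;   # hypothetical file name

    # /appointments/foo is sent to the backend as /foo, because proxy_pass
    # carries a URI ("/") that replaces the matched location prefix.
    location /appointments/ {
        proxy_pass http://192.168.0.112/;
        # Fixed Host value: this is what selects the Apache vhost.
        proxy_set_header Host appointments.com;
        # proxy_set_header is only inherited when a block sets none of its
        # own, so the client-address headers are repeated in each location.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the connecting address to any X-Forwarded-For the client
        # sent; the backend should trust only the last entry or X-Real-IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Map backend redirects back under the public prefix.
        proxy_redirect http://appointments.com/ /appointments/;
    }

    location /services/ {
        proxy_pass http://192.168.0.112/;
        proxy_set_header Host services.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://services.com/ /services/;
    }
}
```

After `nginx -t` reports the syntax is OK, the backend access log should show the fixed Host value and the client address in X-Real-IP.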

check-ict

Re: Nginx Reverse Proxy
« Reply #3 on: September 30, 2011, 09:09:26 am »
Hehe, I have a big server with virtualisation. So it's no problem to create a little nginx server.

My only problem with nginx is that it can't forward SSL without having the keys etc. This is annoying when I want to forward https requests to Zentyal for example. I work around this by using a different port in the firewall, and redirect it to Zentyal.

Yours,

Nomad - Check ICT

vshaulsk

Re: Nginx Reverse Proxy
« Reply #4 on: September 30, 2011, 02:53:35 pm »
I tried installing Nginx last night, but I failed to make it work....

I did not do any rewrite so that may be the problem.

I need to set it to listen on port 999 (just a randomly chosen port). I set up a rule that anything that comes in on the external interface on port 80 gets redirected to port 999.

I also need to set up https to port forward to some port and make Nginx work for SSL.

To give me a better understanding .... in the end I want to use it in order to connect to my zarafa webaccess.  This is under Vhost webmail (192.168.0.1) and is forced SSL.  Would this be possible to do with Nginx???

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #5 on: September 30, 2011, 03:09:53 pm »
May I suggest we investigate one problem, solve it (hopefully  ;D) then we will look at the next one...

starting with the first step that is to make Nginx work:
- you have installed Nginx listening on external interface, say port 999
- if your internal web server has exactly the same structure as what you want to "expose" on internet, rewriting is not mandatory because the left part is handled by reverse proxy itself.
- simple redirect should do.

You need to authorize, at FW level, incoming flow on port 999 on external interface.
Do not bother with your firewall rule redirecting port 80 to 999.
You can just access, for testing purpose http://your.external.service:999/

Once all this stuff works, we can improve and fine tune.  8)

vshaulsk

Re: Nginx Reverse Proxy
« Reply #6 on: September 30, 2011, 03:33:04 pm »
I was thinking just that:  Start off basic and build on that.

So here is what I have tried so far.  I have a vhost on 192.168.12.1 called test (regular http and https both)

Opened port 999 in the external firewall
I did the apt-get install nginx - installed correctly.
I opened /etc/nginx/sites-enabled/ and created directory test
Then I did a nano /etc/nginx/sites-enabled/test

this created a new file in which I put in the following text:

server {
        listen   999;
        server_name  test;

        access_log  /var/log/nginx/access_zarafa.log;


        location / {
                proxy_pass      http://192.168.12.1/;
        }
}

perhaps my line under listen port is wrong.... I figured this was the line of the domain name that the proxy should redirect you to.... is this correct??

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #7 on: September 30, 2011, 03:39:51 pm »
server_name should match the name of your server on internet. As you may guess, test is unreachable  ;)

You also should add, in "http" section this:
Code:
  # reverse proxy options
  proxy_redirect off;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


vshaulsk

Re: Nginx Reverse Proxy
« Reply #8 on: September 30, 2011, 03:48:29 pm »
When you say HTTP section... what exactly are you referring to?

Is this the section in file /etc/nginx/sites-enabled/test
do I put this under my http://192.168.12.1 ???

Also can I just change that address to http://test???

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #9 on: September 30, 2011, 03:53:05 pm »
for the time being, you can add it in the location section.
Regarding server name, how are you going to reach test or http://test or anything that is not following internet naming convention?
it should be at least test.your-real-domain-name. No HTTP prefix either.
Or do you try to test it from intranet?
then it should be test.home.lan isn't it?

vshaulsk

Re: Nginx Reverse Proxy
« Reply #10 on: September 30, 2011, 03:59:02 pm »
sorry I meant in the proxy pass section.  Should the location proxy pass be http://192.168.12.1 or could I put just http://test....

what if I have two vhosts on the same IP how would I make the reverse proxy point to the correct one??

vshaulsk

Re: Nginx Reverse Proxy
« Reply #11 on: September 30, 2011, 04:07:56 pm »
Then the file in /etc/nginx/sites-enabled/test   would look like this??

server {
        listen   999;
        server_name  xxxx.dyndns.org;

        access_log  /var/log/nginx/access_zarafa.log;


        location / {
                proxy_pass      http://test/;  # (or would this line be http://192.168.12.1)
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #12 on: September 30, 2011, 04:14:18 pm »
??? what is the issue for the time being?
To make reverse proxy relaying request or to fine tune to reach the right vhost?  I'm lost with the various inputs you add.

Can't we make one simple easy design and describe it once with no changes around until it works?

- you have one server (vhost or not we don't care) exposing http://target.home.lan, not running on Zentyal gateway (could be another Zentyal server, it doesn't matter)
- you want to access it from internet
- you install Nginx on Zentyal gateway, listening on port 999
FW is configured to accept request on port 999 on external interface
- you configure Nginx to redirect requests to http://target.home.lan
et voila

This is the basics. Then it obviously requires some tuning but is it at this stage crystal clear to you? 

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #13 on: September 30, 2011, 04:15:03 pm »
Well, what you posted while I was replying looks much better  ;D except that http://test can't be reached  :-[  still you can use the IP

vshaulsk

Re: Nginx Reverse Proxy
« Reply #14 on: September 30, 2011, 04:19:23 pm »
Yes I understand trying to understand the basic:

Open the correct port:
Install nginx and make it listen on the port;
Make it relay requests from external address to the target inside my lan.

I get the concept of what to do:

I am just trying to actually implement what to do.  Once I get one instance working ... I can start figuring out how to make it work for other instances.