Author Topic: Nginx Reverse Proxy  (Read 16529 times)

vshaulsk

Re: Nginx Reverse Proxy
« Reply #45 on: October 05, 2011, 05:11:49 am »
Well I think I got Nginx to work through SSL, but I can still only connect to the default "It Works" page.

It is like it is just connecting to the IP address and not looking up the vhost on that address.
My vhost = webmail = 192.168.0.1. From vhost webmail you can get to zarafa by typing http://webmail/webaccess.

However if you just type in the address 192.168.0.1 into the browser you get the default "It Works" page.....

Nginx only gets me to the default page ... even though in the proxy_pass I have https://webmail/;.... it seems to just go to the standard IP (the vhost's IP is the interface for one of the VLANs)

Could this be because my Vhost and Nginx are on the same server..... would it act differently if the Vhost was on a separate server???

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #46 on: October 05, 2011, 07:01:21 am »
No, I think this is because of the regular expression and lack of rewrite if you need something not "direct".
If you look at my example, it works because I do not rewrite anything.

That's the reason why I suggest to start with the very basics: ensure the reverse proxy stuff relays properly to target server.
Once this works, you can fine tune. Devil is in the detail when it comes to rewrite.

Regarding HTTPS, I had no time, last night, to react because I launched 2.2 migration that failed  :-[ and I needed to fix it.

you need to:
- enable HTTPS at Nginx level because client will need HTTPS. This is one certificate matching name of exposed server (the Nginx one) and you may also need to add the public part of CA having signed certificate on target server so that Nginx, as client (because in proxy mode, it acts as client too) can connect to target server, validating target certificate. But I saw you sorted it out  ;)

vshaulsk

Re: Nginx Reverse Proxy
« Reply #47 on: October 05, 2011, 02:15:00 pm »
I have a client who is running XBMC .... I set it up to allow network access on port 80. 

I rewrote the /etc/nginx/sites-available/default....  to listen on a port of my choosing...and proxy_pass to http://revo.home.lan:80/;}.  This worked perfectly... it redirected me to the webpage of XBMC and asked me for my log in and password.  I have not tried this over HTTPS...

However when I try the same thing but make the proxy_pass http://(vhost).home.lan it only connects me to the "It Works" web page.  It seems to only find the IP address (192.168.11.1) and not the actual vhost running at the same IP.  I have two vhosts under that address... also that is the address to the interface for that lan. 

Would rewrite really matter in this scenario  (do I even need a rewrite).... since I am just trying directly to connect to the vhost ??????

yokobr

Re: Nginx Reverse Proxy
« Reply #48 on: October 05, 2011, 10:14:39 pm »
Hey guys,

I'm trying to do reverse proxy as well, but on apache.
I've found this

Quote
2009/11/14 Eduardo J. Ortega U. <ejorte...@gmail.com>:
> Hi, Paul:
>
> Thanks for your reply. However, I am unsure about how to do that. I do
> not see any option for that on eBox DNS module, and from what I have
> read about split DNS for bind, i will need two DNS servers, not just
> one. Any hints or reading material on alternative ways to achieve it
> are greatly appreciated.

You don't need two dns servers for split dns, you can do it creating
two different "views": the external view will give to external IP, and
the internal view the internal IP.

You can achieve the same with a (probably) simpler solution: instead
of redirecting connections to port 80 to the internal host, you can
setup a reverse proxy in the eBox firewall and accept HTTP connections
in the eBox firewall. This way, apache will proxy the connection to
the internal hosts. This solution has the additional benefit that you
can have several internal web servers and proxy connections to them
depending on the name.

You can setup apache adding the file /etc/apache2/conf.d/proxy.conf
with this content:
---
ProxyRequests Off

# Intranet
<VirtualHost *:80>
        # Your "official name"
        ServerName www.example.com
        # Aliases you may need
        ServerAlias intranet intranet.example.com

        ProxyPass / http://ip_or_name_of_internal_host/
        ProxyPassReverse / http://ip_or_name_of_internal_host/
</VirtualHost>
---

- You can have as many virtualhost definitions as you want for
different internal web servers
- Don't forget the "ProxyRequests Off" setting at the beginning, it
could be a MAJOR security problem
- Make sure you have the setting "NameVirtualHost *:80" somewhere in
your apache config file

Maybe it could be a nice feature to add this type of configuration to
eBox firewall module

Salu2!
--
Miguel Armas <k...@canarytek.com>
CanaryTek Consultoria y Sistemas SL
ModularIT http://www.modularit.org/

And so I've tried to do

Quote
You can setup apache adding the file /etc/apache2/conf.d/proxy.conf
with this content:
---
ProxyRequests Off

# Intranet
<VirtualHost *:80>
        # Your "official name"
        ServerName www.example.com
        # Aliases you may need
        ServerAlias intranet intranet.example.com

        ProxyPass / http://ip_or_name_of_internal_host/
        ProxyPassReverse / http://ip_or_name_of_internal_host/
</VirtualHost>

but no success :/

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #49 on: October 05, 2011, 11:21:43 pm »
YokoBR, following our IRC chat, there is something wrong with your DNS: public DNS is showing your virtual server (the one on Apache) with IP address in the RFC1918 range, meaning it can't be reached from outside.
You have to set it with public routable IP, not a private one  :-[

vshaulsk

Re: Nginx Reverse Proxy
« Reply #50 on: October 07, 2011, 02:32:50 pm »
I have been trying to tweak my nginx configuration, but still can't get it to connect to any of the virtual hosts.  Only connects to the standard "it works page"  or if I setup a second server it connects to that machine.  I see that there is a post about using Apache to reverse proxy.... would this be an easier solution ... is it a good idea to use for security reasons??? 

I guess my other thoughts are to create a virtual server and install zarafa plus any webserver content on that machine, but I will start a new thread on that.

In the end there is just something I am missing about Nginx... It has to be something I am not setting up right ... it hits the IP itself, but does not actually lookup the virtual host.

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #51 on: October 07, 2011, 04:28:36 pm »
I spent quite a lot of time trying to help YokoBR on this: reverse proxy in Apache is pretty similar to Nginx.
BTW he was very close to implement something working but he all of a sudden changed his mind to directly connect his Microsoft server to internet and LAN at the same time: Reverse proxy was not required anymore and Zentyal firewall was shunted  :o

Anyway, what is, to me, tricky with reverse proxy in Apache is:
- manual changes in Apache conf that is managed by Zentyal
- vhost mechanism in Apache can be simple if you rely on "vhost by name" only but can be also a nightmare (perhaps because of my poor understanding) when you need to mix vhost by name and IP and don't want to bind virtual hosts everywhere.

vshaulsk

Re: Nginx Reverse Proxy
« Reply #52 on: October 07, 2011, 04:40:11 pm »
I would rather do it with Nginx...
This way it is separate from my zentyal server package..  It is a separate entity, but I just can't get vhost connection.  No problem getting direct IP website connection... whether to a different box or to zentyal... it just does not look up vhost.  I have read on google and tried a few things, but I feel like I am missing something.

I would think that when you do a proxy_pass http://test (IP 192.168.0.1) it should forward that name through the DNS lookup and bring you the correct website.  When I type that into the browser from the lan ... I get a website "test".  If I type the IP 192.168.0.1 I get the website "It Works".....   From the reverse proxy it only reaches the IP directly even though the proxy pass has the vhost by name.

There has got to be some theory about how Nginx works and talks to DNS and Apache that I don't understand.  How is it searching for the vhost name???  Where are the signals being sent???

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #53 on: October 07, 2011, 05:07:35 pm »
OK, there is a couple of things you need to understand.... or I need to explain what "I" understand and if this makes sense to you, feel free to follow  ;)

1 - reverse proxy mechanism is pretty straightforward until you have to rewrite because regular expression might be confusing.
2 - if your target server is an Apache vhost, then you do have to understand how this vhost is managed. If you have "vhost by IP", you can target it directly using IP address but if you have "vhost by name", then if you use the IP, you reach default server that might not be the one you are thinking about... Does it explain why you don't reach what you target?
For Zarafa... I don't know. I'm still not using it  ;D ;D

Does it help?
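
An added example, not part of the original posts: the "vhost by name" behaviour described in reply #53, reproduced with a small loopback server that picks the site from the Host header alone. The vhost names and page bodies are constructed; every request connects to the same address, and only a Host header matching a vhost name gets past the default page, so the Host value the proxy sends upstream is the thing to check.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table; "default" plays the thread's "It Works" page.
VHOSTS = {"default": "It Works", "webmail": "webmail vhost", "test": "test vhost"}


class NameBasedHandler(BaseHTTPRequestHandler):
    """Chooses the site from the Host header only (port stripped, lower-cased)."""

    def do_GET(self):
        host = (self.headers.get("Host") or "").split(":")[0].lower()
        body = VHOSTS.get(host, VHOSTS["default"]).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def fetch(port, host_header):
    """Connect to the same address every time; only the Host header varies."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        return conn.getresponse().read().decode()
    finally:
        conn.close()


def run_demo():
    """Start the backend on a free loopback port and probe it."""
    server = HTTPServer(("127.0.0.1", 0), NameBasedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        probes = ["192.168.0.1", "webmail", "proxy.example.org", "test:80"]
        return {h: fetch(port, h) for h in probes}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, page in run_demo().items():
        print(f"Host: {host:<18} -> {page}")
```
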

vshaulsk

Re: Nginx Reverse Proxy
« Reply #54 on: October 07, 2011, 05:29:40 pm »
How does zentyal work??  Is it vhost by name..... it seems that way.

How would I rewrite to have nginx actually hit a vhost on IP 192.168.0.1 instead of default server.

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #55 on: October 07, 2011, 05:33:31 pm »
When you create vhost using Zentyal, yes, Apache "available-site" is based on "vhost by name" model.
which means that using proxy_pass http://name_of_your_vhost/ should work ;-)

vshaulsk

Re: Nginx Reverse Proxy
« Reply #56 on: October 07, 2011, 05:48:07 pm »
But it does not .... it just reaches the default IP that the vhost is based on.

Maybe my problem is with the IP I assign the vhost.  When you create a vhost it automatically assigns it to the first internal interface IP.  From there you can go to DNS module and change the IP the vhost is on.  Does this IP have to be an interface or can it be any chosen IP of my choice????  Maybe I should choose an IP that is not also an interface IP????

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #57 on: October 07, 2011, 05:55:36 pm »
Are we both speaking about virtual host you create in Web server module?
If yes, then you do not select the IP and can't change it, can you?
In DNS, CNAME is automatically created for this vhost at the IP of your Zentyal server.

vshaulsk

Re: Nginx Reverse Proxy
« Reply #58 on: October 07, 2011, 06:02:05 pm »
yes in zentyal... when you go to webserver module and create vhost (example TEST) it will create this vhost and bind it to your first internal interface (example 200.200.200.1) ...save

Then go to DNS module and you will see your vhost TEST with IP 200.200.200.1   You can then click on modify and change the IP to whatever you like.  You can also click under hostname and you will see NS 200.200.200.1 which you can also change to whatever IP you like.

The root to your vhost is in srv/www/(your Vhost)  This file is empty until you put something there.

christian

  • Guest
Re: Nginx Reverse Proxy
« Reply #59 on: October 07, 2011, 06:40:28 pm »
hum.... I don't share this understanding.

Something was, at least from my standpoint, very confusing with Virtual host creation in previous versions (it has been fixed in Zentyal 2.2) when you created vhost matching an existing domain: new DNS zone was created.
Let me explain.
You have one physical server (your Zentyal server) at 192.168.1.1 hostname is (e.g.) zentyal.home.lan
When you create vhost in web server section, if domain name is matching home.lan, then this action creates CNAME for zentyal.home.lan

In the past I think it was creating new domain, with NS record  ::)

This said, no, you can't change this IP because it doesn't match anything existing unless you also create virtual IP but then nightmare begins because mixing vhost by name and by IP is not as easy as it looks to be  :-\