nginx reverse proxy with multiple servers

Discussion in 'Server Operation' started by mesiah, Jan 16, 2020.

  1. mesiah

    mesiah New Member

    Hi,
    I was in a need to place several webservers behind a reverse proxy. But without encrypt and reencrypt or just pass unencrypted traffic from the reverse proxy. So this Tutorial may help for some people.
    issue:
    1. Several Webservers with various applications on each are running behind a FW and responding only on Port 443
    2. The Webservers have a wildcard Certificate, they are IIS Webservers(whoooho very brave), have public IP addresses on each
    3. It is requested, that all webserver should not be exposed to the Internet and moved to a DMZ
    4. Since IP4 addresses are short these days, it is not possible get more IPs addresses
    5. Nginx should only passthrough the requests. No Certificate break, decrypt, re-encrypt between webserver and reverse proxy or whatsoever.
    Solution:
    1. All websservers should be moved to a internal DMZ
    2. A single nginx reverse proxy should handle all requests based on the webservers DNS entries and map them. This will make the public IP4 address needs obsolete
    3. All webservers would get a private IP
    4. A wild certificate would be just fine to handle all aliases for DNS forwarding.
    Steps to be done:

    1. A single nginx RP should be placed on the external-DMZ.

    2. Configure nginx: - Install nginx on a fully patched debian with apt-get install nginx. At this Point you'll get Version 1.14 for nginx. Of course you may compile it too

    1. If you have installed nginx by the apt-get way, it will be configured with the following modules, which you will need later: ngx_stream_ssl_preread, ngx_stream_map, and stream. Don't worry, they are already in the package. You may check with nginx -V
    4. external DNS Configuration: - all DNS request from the Internet should point the nginx.

    E.g webserver1.domain.com --> nginx
    webserver2.domain.com --> nginx
    webserver3.domain.com --> nginx

    5. Configuration nginx reverse-proxy

    • CD to /etc/nginx/modules-enabled
    • vi a filename of your choice (e.g. passtru) Content of this file:
    Code:
    stream {
    
      map $ssl_preread_server_name $name {
         webserver01.domain.com webserver01_backend;
         webserver02.domain.com webserver02_backend;
    }
    
    upstream support_backend {
       server 192.168.0.1:443; # or DNS Name
    }
    
    upstream intranet_backend {
       server 192.168.0.2:443;  # or DNS Name
    }
    
    log_format basic '$remote_addr [$time_local] '
                '$protocol $status $bytes_sent $bytes_received '
                '$session_time "$upstream_addr" '
                '"$upstream_bytes_sent" "$upstream_bytes_received"
                 "$upstream_connect_time"';
    
    access_log /var/log/nginx/access.log basic;
    error_log  /var/log/nginx/error.log;
    
    server {
       listen 443;
       proxy_pass $name;   # Pass allrequests to the above defined variable container $name
       ssl_preread on;
    
     }
    }

    6. Unlink the default virtual webserver rm /etc/nginx/sites-enabled/default

    7. Redirect all http traffic to https:

    • create a file vi /etc/nginx/conf.d/redirect.conf add following code


    Code:
    server {
    
    listen 80;
    
    return 301 https://$host$request_uri;
    
    }
    1. test nginx -t
    2. reload systemctl reload nginx
    3. Open up a browser and check the /var/log/nginx/access.log while calling the webservers

    4. Finish
     

Share This Page