Homelab - adding an nginx reverse proxy to the mix

Of nginx tutorials there are many on the web. With my growing Homelab, having added Confluence to the mix, and having nearly eleven virtual machines on my Home Servers, I was simply tired of accessing them all with the port number qualifier.

Moving the DNS provider to Cloudflare (Free) was the first step, but I was interested in setting up an nginx reverse proxy to handle the plethora of VMs that I now have. So, here’s how I went about it.

I created a separate VM for the nginx proxy, lean on specs, as it really doesn’t need much. I used

  • 20GB HDD space
  • 2GB RAM
  • 1 CPU

Install Ubuntu & nginx

Install Ubuntu, as always. The requirements from an nginx system are quite lean.

Install nginx from the PPA (as the version in the repository is 1.10)

sudo apt-add-repository ppa:nginx/development
sudo apt update && sudo apt upgrade
sudo apt install nginx

Forward ports 80 and 443 from the router to the new nginx server, along with any other TCP/UDP ports that carry HTTP traffic.

Create the first vhost file.

cd /etc/nginx/sites-available/
sudo vi sodhisnet.conf

Before enabling SSL

server {
    listen 80;
    listen [::]:80;
 
    server_name sodhis.net www.sodhis.net;
    set $upstream <internal ip address of web server>;
 
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_ssl_server_name on;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

Activate the new vhost in nginx

sudo ln -s /etc/nginx/sites-available/sodhisnet.conf /etc/nginx/sites-enabled/sodhisnet.conf
sudo service nginx restart

Do this for every vhost created.

Enabling SSL

LetsEncrypt

sudo certbot -d sodhis.net -d '*.sodhis.net' --manual --preferred-challenges "dns" --server https://acme-v02.api.letsencrypt.org/directory certonly

Changes to the vhost

server {
    listen 80;
    listen [::]:80;
 
    server_name sodhis.net www.sodhis.net;
    return 301 https://$server_name$request_uri;
}
 
server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
 
    ssl_certificate /etc/letsencrypt/live/sodhis.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sodhis.net/privkey.pem;
 
    # Hostnames this server block answers for
    server_name sodhis.net www.sodhis.net;
 
    # The internal IP of the VM that hosts your Apache config
    set $upstream <internal IP of the webhost>;
 
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_ssl_server_name on;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

sudo service nginx restart

If one has a WordPress blog on the web host, add the following to wp-config.php

/**
 * Handle SSL reverse proxy.
 * The X-Forwarded-* headers read here are the ones set by the nginx vhost.
 */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['HTTPS'] = 'on';
}

if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
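
The snippet above accepts X-Forwarded-Proto and X-Forwarded-Host from any client that can reach the web host. The following added example (not part of the original post) honours them only when the connection comes from the nginx proxy; the address 192.0.2.10 and the host list are assumptions to replace with your own values.

```php
<?php
// Added example, not from the original post. Assumptions to replace:
// 192.0.2.10 stands in for the nginx proxy VM's internal address, and the
// host list mirrors the server_name line of the vhost.
const TRUSTED_PROXIES = ['192.0.2.10'];
const ALLOWED_HOSTS   = ['sodhis.net', 'www.sodhis.net'];

/**
 * Return a copy of $server with HTTPS and HTTP_HOST set from the
 * X-Forwarded-* headers, but only when the TCP peer is a trusted proxy.
 */
function apply_proxy_headers(array $server, array $proxies, array $hosts): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $proxies, true)) {
        return $server; // did not come through nginx: headers are client-supplied
    }
    if (($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $server['HTTPS'] = 'on';
    }
    // Accept only hostnames the proxy is configured to serve.
    $host = strtolower($server['HTTP_X_FORWARDED_HOST'] ?? '');
    if (in_array($host, $hosts, true)) {
        $server['HTTP_HOST'] = $host;
    }
    return $server;
}

// In wp-config.php, this call replaces the two if-blocks.
$_SERVER = apply_proxy_headers($_SERVER, TRUSTED_PROXIES, ALLOWED_HOSTS);

// Stand-alone check with constructed requests (run: php example.php).
// Leave this part out of wp-config.php.
$samples = [
    'via proxy' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_HOST' => 'sodhis.net',
                    'HTTP_X_FORWARDED_PROTO' => 'https',
                    'HTTP_X_FORWARDED_HOST'  => 'www.sodhis.net'],
    'direct'    => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_HOST' => 'sodhis.net',
                    'HTTP_X_FORWARDED_PROTO' => 'https',
                    'HTTP_X_FORWARDED_HOST'  => 'other.example'],
];
foreach ($samples as $label => $request) {
    $out = apply_proxy_headers($request, TRUSTED_PROXIES, ALLOWED_HOSTS);
    printf("%-9s HTTPS=%s HTTP_HOST=%s\n", $label, $out['HTTPS'] ?? 'unset', $out['HTTP_HOST']);
}
```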
