Homelab – adding an nginx reverse proxy to the mix


Of nginx tutorials there are many on the web. With my growing Homelab, having added Confluence to the mix, and having nearly eleven virtual machines on my Home Servers, I was simply tired of accessing them all with the port number qualifier.

Moving the DNS provider to Cloudflare (Free) was the first step, but I was interested in setting up an nginx reverse proxy to handle the plethora of VMs that I now have. So, here’s how I went about it.

I created a separate VM for the nginx proxy, lean on specs, as it really doesn’t need much. I used

  • 20GB HDD space
  • 2GB RAM
  • 1 CPU

Install Ubuntu & nginx

Install Ubuntu, as always. The requirements from an nginx system are quite lean.

Install nginx from the PPA (as the version in the repository is 1.10)

sudo apt-add-repository ppa:nginx/development
sudo apt update && sudo apt upgrade
sudo apt install nginx

Forward ports 443 and 80 from the router, along with any other TCP/UDP ports that carry HTTP traffic, to the new nginx server.

Create the first vhost file.

cd /etc/nginx/sites-available/
sudo vi sodhisnet.conf

Before enabling SSL

server {
    listen 80;
    listen [::]:80;
 
    server_name sodhis.net www.sodhis.net;
    set $upstream <internal ip address of web server>;
 
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_ssl_server_name on;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

Activate the new vhost in nginx

sudo ln -s /etc/nginx/sites-available/sodhisnet.conf /etc/nginx/sites-enabled/sodhisnet.conf
sudo service nginx restart

Do this for every vhost created.

Enabling SSL

LetsEncrypt

sudo certbot -d sodhis.net -d '*.sodhis.net' --manual --preferred-challenges "dns" --server https://acme-v02.api.letsencrypt.org/directory certonly

Changes to the vhost

server {
    listen 80;
    listen [::]:80;
 
    server_name sodhis.net www.sodhis.net;
    return 301 https://$server_name$request_uri;
}
 
server {
    # The IP that you forwarded in your router (nginx proxy)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
 
    ssl_certificate /etc/letsencrypt/live/sodhis.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sodhis.net/privkey.pem;
 
    # Hostnames served by this vhost
    server_name sodhis.net www.sodhis.net;
 
    # The internal IP of the VM that hosts your Apache config
    set $upstream <internal IP of the webhost>;
 
    location / {
        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_ssl_server_name on;
        proxy_read_timeout 36000s;
        proxy_redirect off;
    }
}

sudo service nginx restart

If one has a WordPress blog on the web host, add the following to wp-config.php:

/**
 * Handle SSL reverse proxy
 */
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')
    $_SERVER['HTTPS']='on';
 
if (isset($_SERVER['HTTP_X_FORWARDED_HOST'])) {
    $_SERVER['HTTP_HOST'] = $_SERVER['HTTP_X_FORWARDED_HOST'];
}
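
The snippet above accepts the X-Forwarded-* headers from any client that can reach the web host. A stricter variant, added here as an example and not part of the original post, honours them only when the request comes from the nginx proxy. The proxy address 192.0.2.10, the constant names and the function name are assumptions (placeholders); the hostnames are the ones from the vhost's server_name.

```php
<?php
// Added example (not from the original post): trust X-Forwarded-* only from the proxy.
// Assumption: internal address of the nginx proxy VM (placeholder value).
const TRUSTED_PROXIES = ['192.0.2.10'];
// Hostnames served through the proxy, matching server_name in the vhost.
const ALLOWED_HOSTS = ['sodhis.net', 'www.sodhis.net'];

// Return a copy of $server with HTTPS / HTTP_HOST taken from the forwarded
// headers, but only for requests relayed by a trusted proxy.
function apply_forwarded_headers(array $server): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $server; // direct connection: ignore client-supplied headers
    }
    if (($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $server['HTTPS'] = 'on';
    }
    $host = strtolower($server['HTTP_X_FORWARDED_HOST'] ?? '');
    if (in_array($host, ALLOWED_HOSTS, true)) {
        $server['HTTP_HOST'] = $host; // only hostnames this site actually serves
    }
    return $server;
}

// In wp-config.php the live request is processed like this:
$_SERVER = apply_forwarded_headers($_SERVER);

// Constructed sample requests: one relayed by the proxy, one arriving directly.
$via_proxy = apply_forwarded_headers([
    'REMOTE_ADDR'            => '192.0.2.10',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'www.sodhis.net',
    'HTTP_HOST'              => 'www.sodhis.net',
]);
$direct = apply_forwarded_headers([
    'REMOTE_ADDR'            => '198.51.100.7',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_X_FORWARDED_HOST'  => 'example.invalid',
    'HTTP_HOST'              => '203.0.113.5',
]);
// Shows whether HTTPS was set for each of the two sample requests.
var_dump(isset($via_proxy['HTTPS']), isset($direct['HTTPS']));
```

Restricting the web host's firewall so that only the proxy VM can connect to its HTTP port complements this check.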

 

 
