Install Nginx as a Reverse Proxy on Fedora 27

JaredBusch

@momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

It is http://server.domain.com

Why did LE give me .pem files? edit: dont know

Why cant i convert these pem files to .crt and .key? edit: somehow all these .pem files now have 0 size which doesnt make sense. Worked fine yesterday.

openssl x509 -outform der -in cert.pem -out cert.crt
unable to load certificate
140515541610688:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE

You are supposed to have .pem files, always. That tells you the encoding type of the key and certificate. If you did not know pem files mean you have a DER encoded certificate and key file.

JaredBusch

@momurda I setup this server the day I made those instructions. Here is one of the conf files.

[jbusch@proxy ~]$ sudo cat /etc/nginx/conf.d/nextcloud.conf 
[sudo] password for jbusch: 
server {
    client_max_body_size 40M;
    server_name nc.jj.com;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_redirect off;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://10.201.1.17;
        proxy_redirect off;
        # Socket.IO Support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    ssl_stapling on;
    ssl_stapling_verify on;
#    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
#    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
#    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nc.jj.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nc.jj.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    client_max_body_size 40M;
    listen 80;
    server_name nc.jj.com;
    rewrite        ^ https://$server_name$request_uri? permanent;
}

momurda

Ok i am on a short vacation starting now. Ill try getting this fixed up on Tuesday when i am back.

wirestyle22

@jaredbusch take out the real domain

JaredBusch

@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:

@jaredbusch take out the real domain

missed 1 of 4. /slacker

travisdh1

@momurda said in Install Nginx as a Reverse Proxy on Fedora 27:

I am trying to copy this setup but using wildcard cert instead.
So, i have an http server setup with mediawiki. It has no https.
I have this nginx proxy setup so that the http site is redirected correctly.
edit:well it isnt doing http now either Not sure what i did, was working yesterday just fine.
However it wont seem to proxy https.
I think this is probably because my server.domain.conf in /etc/nginx/conf.d/server.domain.conf proxy_pass parameter is trying to redirect to https of this server which doesnt have https.
What to do in this type of situation?
I asked about this earlier in thread, seems it can work. Ive just messed something up.
I have not messed about with nginx.conf.
Not really sure how it can be used unmodified to proxy https as nothing is defined for https by default.

server.domain.conf file in /etc/nginx/conf.d/ :

server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name server.domain.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass https://10.1.0.247:443; # HERE IS ISSUE I THINK
                proxy_redirect off;
        }
}
server {
        client_max_body_size 40M;
        listen 80;
        server_name server.domain.com;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://10.1.0.247:80;
                proxy_redirect off;
        }
}

If you have a wildcard cert, could you put all the ssl settings into their own ssl.conf file? I won't have time to answer my own question till the middle of next week

EddieJennings

This guide has worked perfectly for me -- great for learning as well, as I had a chance to take pieces and look them up.

Just to make sure my thinking is right, tell me if this is what's happening if I try to reach my site using HTTP.

URL for the example is http://testweb1.ejsllc.com

1. Request gets to the reverseproxy.
2. Request does not match the first server block, as it is specifically listening on port 443.
3. Request does match the second server block since server_name matches and it's listening on port 80.
4. The second server block rewrites the URL to use https.
5. The reverse proxy now evaluates the request again, which is now written as https://testweb1.ejsllc.com.
6. Since no port was specified in the request, reverse proxy assumes the port will be 443, which will match the first server block, which is specifically listening on 443 and matches the server_name.
7. The reverse proxy unencrypts the request and follows theproxy_pass directive to send it to http://SERVER_IP.
8. SERVER_IPis listening on port 80, receives the unencrypted request, processes it, and sends the response back to the reverse proxy.
9. The reverse proxy encrypts the response and send its back to the original requester.

JaredBusch

@eddiejennings Correct.

wirestyle22

@JaredBusch This is from the Nginx website under pitfalls and common mistakes. I read that return's are much faster than rewrites due to not needing to evaluate RegEx(?) which is why you see return listed as a better option. I know you use rewrite and there's a lot you know that I don't so I was just wondering why that is your preference

Alex Sage

@jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:

certbot --nginx -n --email [email protected] --agree-tos --domains nc.domain.com

Adding --redirect tells certbot to redirect http to https.

wirestyle22

@aaronstuder said in Install Nginx as a Reverse Proxy on Fedora 27:

@jaredbusch said in Install Nginx as a Reverse Proxy on Fedora 27:

certbot --nginx -n --email [email protected] --agree-tos --domains nc.domain.com

Adding --redirect tells certbot to redirect http to https.

I had no idea you could do this

Alex Sage

@wirestyle22 You learn something new everyday! This is what I learned

wirestyle22

@aaronstuder Can you paste the edit to the server block? I'd like to see what it looks like after --redirect is run

Alex Sage

@wirestyle22

server {
        client_max_body_size 40M;
        server_name domain.com;

        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://10.157.95.208:80;
                proxy_redirect off;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # m$
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; #$
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

server {
    if ($host = domain.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        server_name domain.com;
    return 404; # managed by Certbot


}

Obsolesce

@aaronstuder Hmm, looks like mine but I didn't use the --redirect.

Alex Sage

@obsolesce Maybe you adding it manually?

wirestyle22

It's standard. Only part you shouldn't have is the commented out parts.

JaredBusch

@wirestyle22 said in Install Nginx as a Reverse Proxy on Fedora 27:

@JaredBusch This is from the Nginx website under pitfalls and common mistakes. I read that return's are much faster than rewrites due to not needing to evaluate RegEx(?) which is why you see return listed as a better option. I know you use rewrite and there's a lot you know that I don't so I was just wondering why that is your preference

I updated the OP to reflect this.

Using the return 301 https://$host$request_uri; style.

brandon220

What is a good "size" for a VM that is strictly a reverse proxy? Would 20Gb be sufficient as it is not storing any data other than log files?

wirestyle22

@brandon220 said in Install Nginx as a Reverse Proxy on Fedora 27:

What is a good "size" for a VM that is strictly a reverse proxy? Would 20Gb be sufficient as it is not storing any data other than log files?

Yes. 15-20 GB is enough to run with a minimal install.