Recommended Nginx Config As Single Proxy For Multiple Web Servers



  • As the subject states, as I've become more familiar with Linux over the last few months, I started with simple Apache servers, then included SSL through Let's Encrypt for a single server, then found myself running multiple servers in this config. I then began incorporating Nginx along with SSL, which brings me to now.

    I'd like to set up a single Nginx VM to serve as proxy and manage all of the SSL certs for all web servers (currently running 7). They're all low traffic for internal team or a few clients, and I'm likely to introduce other servers in the future as I find more and more things I want to test/try.

    Are there any gotchas when setting up this way? Are there well-known applications that will require SSL certs on both the proxy and the web server? Should I protect the connection between Nginx and all web servers anyway? They're all running on the same Hyper-V host, so there's no concern for traffic going between Hyper-V hosts or to other services. Assuming it'll be easier to manage individual vhost files instead of one large one, since each can be set up for one web server.

    Really just looking for best practices here and/or any hints you might have that might simplify my life.


  • Service Provider

    That's very standard and how lots of large hosting companies do it. We run all of our systems with a common Nginx SSL proxy out front and whatever application server behind it. Works really well.


  • Service Provider

    I dunno about best practice, but here is what I do.

    I use an individual conf file per domain in /etc/nginx/conf.d/

    Then with Let's Encrypt I run it with the standalone and cert only switches. I also use the pre and post hook options to stop and start nginx.
    I run LE twice. Once for personal domains and once for work domains just to keep the SAN clean on the certs.

    I can post some samples tomorrow if I see this thread again and remember.



  • @jaredbusch said in Recommended Nginx Config As Single Proxy For Multiple Web Servers:

    I dunno about best practice, but here is what I do.

    I use an individual conf file per domain in /etc/nginx/conf.d/

    Then with Let's Encrypt I run it with the standalone and cert only switches. I also use the pre and post hook options to stop and start nginx.
    I run LE twice. Once for personal domains and once for work domains just to keep the SAN clean on the certs.

    I can post some samples tomorrow if I see this thread again and remember.

    It's practically tomorrow - this is a reminder.


  • Service Provider

    This is what my Nginx conf.d directory looks like.

    [[email protected] ~]$ ls -l /etc/nginx/conf.d/
    total 64
    -rw-r--r--. 1 root root 1334 May 12 14:37 AAAA.bundystl.com.conf
    -rw-r--r--. 1 root root  446 Nov 16  2015 BBBB.com.conf
    -rw-r--r--. 1 root root 1306 May 12 14:25 community.bundystl.com.conf
    -rw-r--r--. 1 root root 1289 May 12 22:56 CCCC.bundystl.com.conf
    -rw-r--r--. 1 root root 1092 May 26 14:02 daerma.com.conf
    -rw-r--r--. 1 root root 1253 May 12 14:27 helpdesk.bundystl.com.conf
    -rw-r--r--. 1 root root 1087 May 29 13:18 DDDDDD.daerma.com.conf
    -rw-r--r--. 1 root root 1226 May 12 14:28 EEEEEE.com.conf
    -rw-r--r--. 1 root root 1235 May 12 14:29 nc.bundystl.com.conf
    -rw-r--r--. 1 root root 1362 May 12 14:29 nc.daerma.com.conf
    -rw-r--r--. 1 root root 1237 May 12 14:29 obelisk.daerma.com.conf
    -rw-r--r--. 1 root root 1066 May 12 14:29 oc.daerma.com.conf
    -rw-r--r--. 1 root root 1110 May 12 14:30 FFFFF.com.conf
    -rw-r--r--. 1 root root 1273 May 12 14:31 support.bundystl.com.conf
    -rw-r--r--. 1 root root 1257 May 12 14:31 GGGGGG.bundystl.com.conf
    -rw-r--r--. 1 root root 1247 May 12 14:31 unifi.bundystl.com.conf
    

  • Service Provider

    Here is what certbot looks like when I run it to add a new domain.

    certbot certonly -n --standalone --agree-tos --email [email protected] --expand --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --domains support.bundystl.com,unifi.bundystl.com,helpdesk.bundystl.com,community.bundystl.com,GGGGGG.bundystl.com,nc.bundystl.com,AAAA.bundystl.com,CCCC.bundystl.com
    

    There is a similar one that I execute for personal domains.


  • Service Provider

    This is what is in crontab to keep the certs up to date.

    [[email protected] ~]# crontab -l
    13 5 * * * certbot renew --standalone  --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
    

  • Service Provider

    This is the conf file for my unifi controller.

    [[email protected] ~]$ cat /etc/nginx/conf.d/unifi.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name unifi.bundystl.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass https://10.254.0.32:8444/;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    server {
        client_max_body_size 40M;
        listen 80;
        server_name unifi.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    

    And this is the conf for our underused nodebb instance.

    [[email protected] ~]$ cat /etc/nginx/conf.d/community.bundystl.com.conf 
    server {
        client_max_body_size 40M;
        listen 443 ssl;
        server_name community.bundystl.com;
        ssl          on;
        ssl_certificate /etc/letsencrypt/live/support.bundystl.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/support.bundystl.com/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    
        location / {
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            proxy_pass http://10.254.0.35:4567;
            proxy_redirect off;
    
            # Socket.IO Support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
    
        }
    }
    server {
        client_max_body_size 40M;
        listen 80;
        server_name community.bundystl.com;
        rewrite        ^ https://$server_name$request_uri? permanent;
    }
    
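As an added example (not code from the thread), here is a small POSIX sh/awk audit for vhost files in the one-file-per-domain conf.d layout shown above; it flags the points this thread touches on: legacy TLS versions, the deprecated `ssl on;`, an `https://` backend proxied without `proxy_ssl_verify` (so nginx never checks the backend's certificate), a cleartext backend, and a missing X-Forwarded-Proto or HSTS header. The vhost it reads is a constructed sample modelled on the unifi config above, with example.com names and a hypothetical path.

```shell
#!/bin/sh
# Audit nginx vhost files in the one-file-per-domain layout from the thread.
# Reports the weak spots discussed there: legacy TLS versions, the deprecated
# "ssl on;" directive, an https:// backend whose certificate nginx never
# verifies, a cleartext http:// backend, and missing X-Forwarded-Proto / HSTS.
# Prints one line per finding; the exit status is the number of findings.
audit_vhost() {
  awk -v file="$1" '
    { sub(/#.*/, "") }                           # strip comments, re-split fields
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) { t = $i; sub(/;$/, "", t)
        if (t == "TLSv1" || t == "TLSv1.1") legacy = 1 }
    }
    $1 == "ssl" && $2 ~ /^on;?$/              { sslon = 1 }
    $1 == "proxy_pass" && $2 ~ /^https:/      { tls_backend = 1 }
    $1 == "proxy_pass" && $2 ~ /^http:/       { plain_backend = 1 }
    $1 == "proxy_ssl_verify" && $2 ~ /^on/    { verify = 1 }
    $1 == "proxy_set_header" && $2 == "X-Forwarded-Proto"     { xfp = 1 }
    $1 == "add_header" && $2 == "Strict-Transport-Security"   { hsts = 1 }
    END {
      n = 0
      if (legacy)                 { print file ": TLSv1/TLSv1.1 enabled in ssl_protocols"; n++ }
      if (sslon)                  { print file ": deprecated \"ssl on;\" (listen 443 ssl is enough)"; n++ }
      if (plain_backend)          { print file ": cleartext http:// proxy_pass to backend"; n++ }
      if (tls_backend && !verify) { print file ": https:// backend but proxy_ssl_verify is off"; n++ }
      if (!xfp)                   { print file ": X-Forwarded-Proto not passed to backend"; n++ }
      if (!hsts)                  { print file ": no Strict-Transport-Security header"; n++ }
      exit n
    }' "$1"
}

# Constructed sample modelled on the unifi vhost posted above (not the real file).
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/unifi.example.conf"
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name unifi.example.com;
    ssl          on;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    location / {
        proxy_set_header Host $http_host;
        proxy_pass https://10.254.0.32:8444/;   # backend cert is never checked
    }
}
EOF

audit_vhost "$WEAK_CONF" || echo "findings: $?"
```

Run it over `/etc/nginx/conf.d/*.conf` in a loop to review the whole proxy at once; turning on `proxy_ssl_verify` also needs `proxy_ssl_trusted_certificate` pointing at the CA that issued the backend's certificate.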


  • Thanks @JaredBusch, this will be a huge help! I'll give this a try later this evening when I'm back.

