Setting up Nginx on CentOS 7 as a reverse proxy


  • Service Provider

    This is a pretty straightforward process. I always start with CentOS 7 Minimal as a base install image.

    Update the system
    yum -y update

    Install the epel
    yum -y install epel-release

    Install nginx and nano (because I do not like vi) and utils for selinux
    yum -y install nginx nano policycoreutils-python

    Open the firewall ports, assuming only 80/443 for inbound web traffic
    firewall-cmd --zone=public --add-port=http/tcp --permanent
    firewall-cmd --zone=public --add-port=https/tcp --permanent
    firewall-cmd --reload

    Start nginx and set it to start on boot also
    systemctl start nginx
    systemctl enable nginx

    Make a list of ports that your proxy will need to reach out on to hit the other servers behind it. These ports will need to be allowed through SELinux.
    This is the default list of allowed http/tcp ports.
    http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000

    You can see what is currently allowed like this
    semanage port -l | egrep '(^http_port_t)'

    For example I have a nodeBB forum on 4567. This port already has a label, so you need to modify it.
    semanage port -m -t http_port_t -p tcp 4567
    I also have servers running on ports 8040 and 8090. These have no label, so add them.
    semanage port -a -t http_port_t -p tcp 8040
    semanage port -a -t http_port_t -p tcp 8090

    At this point nginx is all set up and running. Now you need to create your domain.conf files for each domain name you will be redirecting. You will store all your conf files in /etc/nginx/conf.d/ because this location is included by the default configuration as a location for you. Just save everything with a .conf extension.

    Here is a typical set of server blocks for a site with both http and https all on the standard ports.

    #save as file: /etc/nginx/conf.d/domain.conf
    server {
    	client_max_body_size 40M;
    	listen 443 ssl;	#the ssl parameter enables TLS; the separate "ssl on;" directive is deprecated since nginx 1.15.0
    	server_name www.domain.com domain.com;	#change to your domain name
    	ssl_certificate /etc/ssl/cacert.pem;	#this needs to be the path to your certificate information
    	ssl_certificate_key /etc/ssl/privkey.pem;	#this needs to be the path to your certificate information
    
    	location / {
    		proxy_set_header X-Real-IP $remote_addr;
    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		proxy_set_header Host $http_host;
    		proxy_set_header X-NginX-Proxy true;
    		proxy_pass https://10.0.0.2:443;	#change to your internal server IP
    		proxy_redirect off;
    	}
    }
    server {
    	client_max_body_size 40M;
    	listen 80;
    	server_name www.domain.com domain.com;	#change to your domain name
    
    	location / {
    		proxy_set_header X-Real-IP $remote_addr;
    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		proxy_set_header Host $http_host;
    		proxy_set_header X-NginX-Proxy true;
    		proxy_pass http://10.0.0.2:80;	#change to your internal server IP
    		proxy_redirect off;
    	}
    }
    

    Now restart nginx
    systemctl reload nginx

    Update the port forwarding in your router and you should now be proxying all info through Nginx.
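
The port-list and SELinux labelling steps from the post above, as an added example that is not part of the original post: a shell sketch that pulls the backend ports out of `proxy_pass` lines and picks between `semanage port -a` and `-m` by reading `semanage port -l` output. The sample listing, the `example_port_t` type name, the 10.0.0.5 backend and the function names are constructed for illustration.

```shell
# Constructed `semanage port -l` sample; example_port_t is a placeholder type name.
SAMPLE_LISTING='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
example_port_t                 tcp      4567
example_port_t                 udp      8090
unreserved_port_t              tcp      61001-65535, 1024-32767'

# Constructed config lines; 10.0.0.2 to 10.0.0.4 come from the post, the rest are made up.
SAMPLE_CONF='proxy_pass https://10.0.0.2:443;
proxy_pass http://10.0.0.3:4567;  #forum
# proxy_pass http://10.0.0.9:9999;
proxy_pass https://10.0.0.4:8090;
proxy_pass http://10.0.0.5;'

# upstream_ports: nginx config on stdin -> unique backend TCP ports, one per line.
# Comments are dropped and a URL without a port gets its scheme default.
# Assumes IPv4 or hostname backends (no IPv6 literals, variables or upstream names).
upstream_ports() {
    sed -n -E 's/#.*//; s@.*proxy_pass[[:space:]]+(https?)://([^/;[:space:]]+).*@\1 \2@p' |
    awk '{ n = split($2, p, ":")
           port = (n > 1) ? p[n] : (($1 == "https") ? 443 : 80)
           print port }' | sort -n -u
}

# semanage_action PORT: `semanage port -l` output on stdin -> "ok" (already
# http_port_t), "-m" (exact port defined under another tcp type, so modify)
# or "-a" (no exact tcp definition, so add).
# Simplification: range entries such as 1024-32767 do not count as a definition.
semanage_action() {
    awk -v port="$1" '
        $2 == "tcp" {
            line = $0
            sub(/^[^ \t]+[ \t]+tcp[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = split(line, ports, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (ports[i] == port) { if ($1 == "http_port_t") ok = 1; else other = 1 }
        }
        END { r = ok ? "ok" : (other ? "-m" : "-a"); print r }'
}

# plan CONF LISTING: print the semanage commands the backends in CONF still need.
plan() {
    printf '%s\n' "$1" | upstream_ports | while read -r port; do
        action=$(printf '%s\n' "$2" | semanage_action "$port")
        case "$action" in ok) ;; *) echo "semanage port $action -t http_port_t -p tcp $port" ;; esac
    done
}

# Live use: plan "$(cat /etc/nginx/conf.d/*.conf)" "$(semanage port -l)"
plan "$SAMPLE_CONF" "$SAMPLE_LISTING"
```

Review the printed commands before running them; every port added to `http_port_t` becomes reachable by any process confined to a domain that is allowed to use that type, not just this proxy.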


  • Service Provider

    Now for a site on a non-standard back end port that is still coming in on port 80, like my nodeBB example above, it is very similar.

    #save as file: /etc/nginx/conf.d/forum.domain.conf
    server {
    	client_max_body_size 40M;
    	listen 80;
    	server_name forum.domain.com;
    
    	location / {
    		proxy_set_header X-Real-IP $remote_addr;
    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		proxy_set_header Host $http_host;
    		proxy_set_header X-NginX-Proxy true;
    		proxy_pass http://10.0.0.3:4567;
    		proxy_redirect off;
    	}
    }
    

    Now restart nginx
    systemctl reload nginx


  • Service Provider

    The non-standard port redirect also works with SSL. Again, you need your proper certificate information in here. This example is used for my helpdesk.

    #save as file: /etc/nginx/conf.d/helpdesk.domain.conf
    server {
    	client_max_body_size 40M;
    	listen 443 ssl;	#the ssl parameter enables TLS; the separate "ssl on;" directive is deprecated since nginx 1.15.0
    	server_name helpdesk.domain.com;
    	ssl_certificate /etc/ssl/cacert.pem;
    	ssl_certificate_key /etc/ssl/privkey.pem;
    
    	location / {
    		proxy_set_header X-Real-IP $remote_addr;
    		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    		proxy_set_header Host $http_host;
    		proxy_set_header X-NginX-Proxy true;
    		proxy_pass https://10.0.0.4:8090;
    		proxy_redirect off;
    	}
    }
    

    Now restart nginx
    systemctl reload nginx



  • @JaredBusch Thanks, with your tutorial it's very easy to set up.



  • This post is deleted!

  • Service Provider

    @anonymous said:

    So I have ScreenConnect set up using the reverse proxy, but the clients can't connect to the relay port. How do I fix this?

    What ports are you using? What is the proxy config?



  • This post is deleted!

  • Service Provider

    @anonymous said:

    I think I will have to port forward the relay port to the ScreenConnect server?

    From the reading I have done, yes. That connection is not SSL, but pre-encrypted by ScreenConnect itself.



  • This post is deleted!

