NGINX Reverse Proxy

 

In the right side of picture above, we have bunch of webservers running on http and they require  username/password to login (basic http authentication).

The requirement was to have password-less https connection. NGINX is perfect fit for such reverse proxy scenarios. Here is how to install NGINX on centos and configure it. 

Install NGINX on CentOS

# yum install epel-release

# yum install nginx

Verify Installation
# nginx -v
nginx version: nginx/1.16.1

Open Firewall ports in FirewallD

Note: Skip this if firewall is not running in your server

Open the ports on which NGINX should provide its service in the firewall. For example, to open the default ports for HTTP (port 80) and HTTPS (port 443) in firewalld, enter:

# firewall-cmd --permanent --add-port={80/tcp,443/tcp}
# firewall-cmd --reload

Verify

# firewall-cmd --list-ports
80/tcp 443/tcp

Start NGINX

In default settings nginx service runs on port 80. If you already have something running on port 80, nginx will complain and fail.

For example to set port 90, edit nginx.conf server section :

# vi /etc/nginx/nginx.conf server { listen 90 default_server; listen [::]:90 default_server; server_name _; root /usr/share/nginx/html;

start the nginx service
# systemctl start nginx

Enable the nginx service to start automatically when the system boots
# systemctl enable nginx

Set Reverse Proxy

Create /etc/nginx/conf.d/reverse-proxy.conf
Edit file and add entry for each webserver redirection as follows: (ex: port 1053)

server { listen 1053; location / { proxy_pass http://192.168.1.110; } } server { listen 1044; location / { proxy_pass http://192.168.1.111; } } server { listen 1028; location / { proxy_pass http://192.168.1.112; } }

and restart nginx
# systemctl restart nginx

At this stage http reverse proxy is configured and http://192.168.1.100:1053 should open webpage from http://192.168.1.110

Configure https

Make directory for storing certificate
# sudo mkdir /etc/ssl/private
# sudo chmod 700 /etc/ssl/private

Generate certificate (Note:Use hostname in common Name field)

[root@liems01 private]# openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt Generating a 2048 bit RSA private key ............................................+++ ........................+++ writing new private key to '/etc/ssl/private/nginx-selfsigned.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:IN State or Province Name (full name) []:test Locality Name (eg, city) [Default City]:test Organization Name (eg, company) [Default Company Ltd]:test Organizational Unit Name (eg, section) []:test Common Name (eg, your name or your server's hostname) []:liems01 Email Address []:test@test.com

Add ssl certificate in config

# cat /etc/nginx/conf.d/reverse-proxy.conf server { listen 1053 ssl; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; error_page 497 https://$host:1053$request_uri; location / { proxy_pass http://192.168.1.110; } } server { listen 1044 ssl; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; error_page 497 https://$host:1044$request_uri; location / { proxy_pass http://192.168.1.111; } } server { listen 1028 ssl; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; error_page 497 https://$host:1028$request_uri; location / { proxy_pass http://192.168.1.112; } }

Following line in config redirects http request from client to https
error_page 497 https://$host:6443$request_uri;

Restart nginx
# sudo nginx -t

# systemctl restart nginx

Configure Auto webserver Authentication by NGINX

So far we see that client is sending https request to NGINX, who then forwards this request to webserver on http. As my server needs authentication, it presents a webpage to client asking username/password.

If we add "proxy_set_header Authorization" in config, nginx will include username:password in all requests to webserver. The username:password should be base64 encoded. You can use online services like https://www.base64encode.org/ to encode in base64.

username=myuser
password=mypassword

Go to  https://www.base64encode.org/  and encode myuser:mypassword
we get "bXl1c2VyOm15cGFzc3dvcmQ="

Add following line in reverse-proxy.conf
proxy_set_header Authorization "Basic bXl1c2VyOm15cGFzc3dvcmQ=";

# cat /etc/nginx/conf.d/reverse-proxy.conf server { listen 1053 ssl; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; error_page 497 https://$host:1053$request_uri; location / { proxy_pass http://192.168.1.110; proxy_set_header Authorization "Basic bXl1c2VyOm15cGFzc3dvcmQ="; } } server { listen 1044 ssl; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; error_page 497 https://$host:1044$request_uri; location / { proxy_pass http://192.168.1.111; proxy_set_header Authorization "Basic bXl1c2VyOm15cGFzc3dvcmQ="; } } server { listen 1028 ssl; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; error_page 497 https://$host:1028$request_uri; location / { proxy_pass http://192.168.1.112; proxy_set_header Authorization "Basic bXl1c2VyOm15cGFzc3dvcmQ="; } }

Restart nginx
# sudo nginx -t

# systemctl restart nginx

Now our NGINX reverse proxy setup is ready to handle traffic.