Nginx SSL+IPv6 Reverse proxy + exim mail relay (hides source IPs)

dmmcintyre3 Member
edited May 2012 in General

For a dedicated reverse proxy system:

Install nginx and replace the contents of /etc/nginx/conf.d/default.conf with:

server {
        # Note: nginx 1.3.4 and later default to ipv6only=on, so a [::] socket
        # no longer accepts IPv4 by itself; on those versions add "ipv6only=off"
        # to the listen line (or a separate "listen 80;").
        listen [::0]:80 default; #Listen on port 80 on all interfaces as default vhost
        listen [::0]:443 ssl default; #Listen on port 443 on all interfaces as default vhost with SSL, Remove if SSL isn't needed
        ssl_certificate /etc/nginx/ssl.crt; #Remove if SSL isn't needed
        ssl_certificate_key /etc/nginx/ssl.key; #Remove if SSL isn't needed

        location / {
                proxy_bind 10.0.1.23; # IP you want to use for outgoing connections (the backend only ever sees this address as its peer)
                proxy_pass http://10.0.2.23/; #IP or hostname of target
                proxy_set_header host $http_host; #Pass the client's Host header through so the backend's vhosts still match
                proxy_set_header X-Real-IP $remote_addr; #Client IP for the backend's logs; only trustworthy if the proxy is the backend's sole peer
        }
}

Install exim and add this to /etc/exim/exim.conf:

received_header_text = Received: from 127.0.0.1

This will hide the source IP in mail headers. Now allow the other server to relay through this exim server by editing the relay_from_hosts line. It should look something like:

hostlist   relay_from_hosts = 127.0.0.1  : 10.0.2.23

Then restart nginx and exim.

Note: Only tested on CentOS 6.

Comments

  • taipres Member

    Very cool, will have to test it out, but I love the idea, thanks.

  • netomx Moderator, Veteran

    Why would you want to hide the source IP? Doesn't Gmail filter that?

  • Mail headers will show something like:

    Received: from vm.example.net ([192.168.1.1] helo=vm.example.net)
        by mail.example.net with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.72)
        (envelope-from )
        id 1SNshs-0004WM-TQ; Fri, 27 Apr 2012 17:28:01 -0400

    All the DDoSer would need to do to get the real IP is cause something to send him an email (such as attempting to register on a forum).
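
    The leak the comment above describes can be checked from the recipient's side: parse the message's Received: headers and list every hop address that is neither loopback nor one of the relay's own addresses. The script below is an added example, not code from the thread. The two messages it scans are constructed; 192.0.2.10 (a documentation range) stands in for the relay's public address, 192.168.1.1 plays the backend that should stay hidden, and the hostnames and queue ids are placeholders.

```python
"""Scan a message's Received: headers for addresses that reveal the host
behind the mail relay.

Added example, not code from the original post. BEFORE_FIX and AFTER_FIX
are constructed messages: 192.0.2.10 is a placeholder for the relay's
public address, 192.168.1.1 is the backend that should not appear, and
the hostnames and ids are made up.
"""
import email
import ipaddress
import re
from email import policy

# Address literals as they appear in Received: headers: "[192.168.1.1]",
# "[IPv6:2001:db8::1]", or a bare dotted quad such as the "from 127.0.0.1"
# that the exim received_header_text setting in the post produces.
_ADDR_RE = re.compile(
    r"\[(?:IPv6:)?([0-9a-fA-F:.]+)\]|(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])"
)

# Constructed: what a recipient sees before the exim change. The relay
# (mail.example.net) records the backend's address when it accepts the mail.
BEFORE_FIX = """\
Received: from mail.example.net ([192.0.2.10])
        by mx.recipient.example with esmtps id aaa111;
        Fri, 27 Apr 2012 17:28:05 -0400
Received: from vm.example.net ([192.168.1.1] helo=vm.example.net)
        by mail.example.net with esmtpsa (TLSv1:AES256-SHA:256)
        (Exim 4.72)
        id 1AAAAA-000000-AA; Fri, 27 Apr 2012 17:28:01 -0400
From: noreply@example.net
Subject: test

body
"""

# Constructed: same path after received_header_text = Received: from 127.0.0.1
# on the relay; only the downstream MTA's own header still carries an address.
AFTER_FIX = """\
Received: from mail.example.net ([192.0.2.10])
        by mx.recipient.example with esmtps id aaa112;
        Fri, 27 Apr 2012 17:29:05 -0400
Received: from 127.0.0.1
From: noreply@example.net
Subject: test

body
"""


def received_addresses(raw_message: str) -> list[str]:
    """Every address literal found in Received: headers, outermost hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for value in msg.get_all("Received", []):
        for m in _ADDR_RE.finditer(str(value)):
            found.append(m.group(1) or m.group(2))
    return found


def leaked_addresses(raw_message: str, relay_addresses=()) -> list[str]:
    """Addresses a recipient can read that are neither loopback nor one of
    the relay's own addresses, i.e. hops that should have stayed behind it.
    Literals that are not valid addresses are skipped rather than raising."""
    relay = {ipaddress.ip_address(a) for a in relay_addresses}
    leaks = []
    for literal in received_addresses(raw_message):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            continue
        if addr.is_loopback or addr in relay:
            continue
        leaks.append(str(addr))
    return leaks


def check_before() -> list[str]:
    """Leaked hops in the pre-fix message (expected: the backend address)."""
    return leaked_addresses(BEFORE_FIX, relay_addresses=["192.0.2.10"])


def check_after() -> list[str]:
    """Leaked hops in the post-fix message (expected: none)."""
    return leaked_addresses(AFTER_FIX, relay_addresses=["192.0.2.10"])


if __name__ == "__main__":
    print("before:", check_before())
    print("after: ", check_after())
```

    Send yourself a message through the relay, save it with full headers, and feed it to leaked_addresses() with the relay's own public addresses listed; anything it returns is a hop the recipient can see past the proxy.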

  • PhilND Member

    @dmmcintyre3 you can use SendGrid or another mail delivery provider to hide the IP

  • What do I do if I want NGinx to use another server when passing traffic to, and split the traffic?

  • Francisco Top Host, Host Rep, Veteran

    @Daniel said: What do I do if I want NGinx to use another server when passing traffic to, and split the traffic?

    so like, pass the traffic to a load balancer or something?

    Fran

  • @Francisco said: so like, pass the traffic to a load balancer or something?

    Yep, that's the word I was looking for.

  • Francisco Top Host, Host Rep, Veteran

    @Daniel said: Yep, thats the word I was looking for.

    Hopefully have a load balancing setup that supports virtualhosts? :)

    Francisco

  • @Francisco said: Hopefully have a load balancing setup that supports virtualhosts? :)

    As in, say I have a domain cows.com going to the reverse proxy, 50% of the traffic to server1.cows.com and 50% goes to server2.cows.com

  • rds100 Member

    squid

  • Francisco Top Host, Host Rep, Veteran

    @Daniel said: As in, say I have a domain cows.com going to the reverse proxy, 50% of the traffic to server1.cows.com and 50% goes to server2.cows.com

    I think nginx supports round-robin by default so you could do it right at the front :)

    Francisco
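
    The 50/50 split Daniel asks about, done with an nginx upstream block at the front as Francisco suggests. This is an added example, not a config from the thread: cows_backends, the 10.0.3.x backend addresses and the 10.0.1.23 source address are placeholders.

```nginx
# Added example (not from the thread). Two backends alternated per request:
# nginx's default balancing for a named upstream is round-robin. Add
# "weight=N" to a server line to skew the split, or "backup" to keep one in reserve.
upstream cows_backends {
    server 10.0.3.24:80;
    server 10.0.3.25:80;
}

server {
    # One dual-stack socket. nginx 1.3.4 and later default to ipv6only=on,
    # so without this parameter a [::] socket would stop accepting IPv4.
    listen [::]:80 ipv6only=off;
    server_name cows.com www.cows.com;

    location / {
        proxy_bind 10.0.1.23;                                        # source address for backend connections
        proxy_pass http://cows_backends;                             # named upstream instead of a single IP
        proxy_set_header Host $http_host;                            # backend vhosts still match
        proxy_set_header X-Real-IP $remote_addr;                     # client address for backend logs
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # appends to any existing chain
    }
}
```

    Keep the proxy_bind line if the backends only allow connections from that address; the backends never see the client's IP as a peer, only in the headers the proxy sets, so they should only trust those headers when the proxy is their sole peer.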

  • @DotVPS said: @dmmcintyre3 Any ideas on multiple domains?

    You would just do a virtualhost but put the proxy in there, I'd guess.

  • @DotVPS said: He says to edit /etc/nginx/conf.d/default.conf but that's only for one domain?

    NGinx loads /etc/nginx/conf.d/*.conf

    So you can put multiple VirtualHosts in one .conf file if you wish, although it's easier to split them up.

  • ElliotJ Member

    @Daniel said: NGinx loads /etc/nginx/conf.d/*.conf

    Only if it's defined that way in the nginx.conf, which it is by default.

  • @ElliotJ said: Only if it's defined that way in the nginx.conf, which it is by default.

    Even Apache does similar by default.

  • Is the backend server the same for both sites? If so, you shouldn't have to do anything but configure the vHost on the backend server. But, if it's different, just do this:

    server {
            listen [::0]:80; #Listen on port 80 on all interfaces
            server_name example.net www.example.net; 
    
            location / {
                    proxy_bind 10.0.1.23; # IP you want to use for outgoing connections
                    proxy_pass http://10.0.3.24/; #IP or hostname of target
                    proxy_set_header host $http_host;
                    proxy_set_header X-Real-IP $remote_addr;
            }
    }
  • @DotVPS replace listen [::0]:80; with listen 80;
