Nginx Reverse Proxy Tutorial (Centos 6)

nexmarknexmark Member
edited July 2014 in Tutorials

Why Nginx (Engine X)?




Sorry for the layout, I'm a noob at writing tutorials. A video tutorial with voice narration will be uploaded soon.




We recommend getting a DDoS Protected VPS/Server to defend yourself against Layer 4




Nginx will pass true HTTP requests and will drop the bad requests (floods)




Prerequisites


64MB Ram Minimum


Centos 6 32-64 Bit will do


EPEL repository


Apache Uninstalled to free port 80



Step One


This step isn't really needed however it's good to keep stuff updated


Run yum update -y

Also, by default Centos installs Apache, so we're going to need to uninstall it to free port 80 for Nginx

Run the following to get rid of Apache

yum remove httpd -y




Step Two


We're going to need to install the EPEL repo, as you won't find the Nginx package in your current default repos




So visit this page https://fedoraproject.org/wiki/EPEL




Then copy the direct url of the package and do something like this


rpm -Uvh insert repo package direct link here




However I've done this for you already so just run the following


rpm -Uvh http://mirror.ancl.hawaii.edu/linux/epel/6/i386/epel-release-6-8.noarch.rpm




Step Three


We're now going to install Nginx. To do that, run the following command


yum install nginx -y




Now we're going to adjust the Nginx configuration


Run the following command
cd /etc/nginx/conf.d




Now we're going to delete the default configuration, As we're not going to need it.
You can delete it with rm default.conf or move it with mv default.conf default.conf.disabled


Either way works



Step Four


We're now going to set up the actual reverse proxy. Using your favorite text editor (mine is nano), we're going to add the configuration




To install nano do the following yum install nano -y


In my case of using nano, I'll do the following command


nano testproxy.conf

Feel free to name your configuration file anything you want


Then I'll edit these values to my own domain and IP address


Then I'll paste it in


server {
    listen 80;
    server_name YourDomain.com;
    access_log off;
    # "error_log off" would write errors to a file named "off"; discard them instead
    error_log /dev/null crit;

    location / {
        proxy_pass http://Source IP/;
        proxy_redirect off;

        # Pass the original Host and client address on to the source server
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_max_temp_file_size 0;
        client_max_body_size 10m;
        client_body_buffer_size 128k;

        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;

        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}




Make sure you adjust the YourDomain.com in the server_name area and the Source IP in the proxy_pass area




Then you'll save the configuration


Add the IP Tables rule to allow Port 80


iptables -I INPUT 5 -m state --state NEW -p tcp --dport 80 -j ACCEPT


service iptables save


service iptables restart




We'll start Nginx with the following command
service nginx start


And make sure Nginx starts on a reboot, With the following command
chkconfig nginx on

If all goes Well, Your VPS IP can be used as an A Record for your Website




Congratulations, You're now using a Reverse Proxy for your website!




Here are some adjustments for Cloudflare usage and additional flood protection




Adjust the Main Nginx configuration by editing /etc/nginx/nginx.conf




To restore your visitor's IP, Add this little snippet of code into the HTTP Block


set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/12;
real_ip_header CF-Connecting-IP;




For HTTP Flood based Attacks add this into the HTTP Block


limit_req_zone $binary_remote_addr zone=slimitss:10m rate=1r/s;
limit_req zone=slimitss burst=10;




Save the config file and restart nginx

Life is better when you're smiling
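
Added example (not part of the original post and not nginx's own code): a simplified Python model of the two settings in the tutorial above, the set_real_ip_from / real_ip_header trust check and limit_req at rate=1r/s with burst=10. It shows what one visitor gets when a page fires 15 requests at once, and why the rate-limit key depends on the real-IP step. The function and class names, the choice of three ranges from the list, and the 203.0.113.x / 198.51.100.x addresses are assumptions made for illustration.

```python
import ipaddress

# Three of the ranges from the set_real_ip_from list in the tutorial.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("173.245.48.0/20", "141.101.64.0/18", "104.16.0.0/12")]

def client_key(peer, cf_connecting_ip=None, trusted=TRUSTED):
    """Model of realip: use CF-Connecting-IP only if the TCP peer is a trusted proxy."""
    if cf_connecting_ip and any(ipaddress.ip_address(peer) in n for n in trusted):
        try:
            return str(ipaddress.ip_address(cf_connecting_ip))
        except ValueError:
            pass  # malformed header value: keep the peer address
    return peer

class LimitReq:
    """Simplified model of limit_req: one leaky bucket per key, rate in requests/s."""
    def __init__(self, rate, burst, nodelay=False):
        self.rate, self.burst, self.nodelay = rate, burst, nodelay
        self.buckets = {}  # key -> (excess requests, time of last accepted request)

    def request(self, key, now):
        """Return (verdict, delay_seconds); verdict is 'pass', 'delay' or 'reject'."""
        if key not in self.buckets:
            self.buckets[key] = (0.0, now)
            return ("pass", 0.0)
        excess, last = self.buckets[key]
        excess = max(0.0, excess - self.rate * (now - last) + 1.0)
        if excess > self.burst:
            return ("reject", 0.0)  # nginx answers 503 by default
        self.buckets[key] = (excess, now)
        if self.nodelay or excess == 0:
            return ("pass", 0.0)
        return ("delay", excess / self.rate)

def page_load(limiter, key, n, now=0.0):
    """Send n requests at the same instant and tally the verdicts."""
    results = [limiter.request(key, now) for _ in range(n)]
    tally = {v: sum(1 for r, _ in results if r == v) for v in ("pass", "delay", "reject")}
    return tally, max(d for _, d in results)

if __name__ == "__main__":
    # Constructed sample: one visitor whose page pulls 15 resources at once.
    visitor = client_key("104.16.1.1", "203.0.113.7")
    print(page_load(LimitReq(rate=1, burst=10), visitor, 15))
    print(page_load(LimitReq(rate=1, burst=10, nodelay=True), visitor, 15))
    # A header sent straight to the proxy from an unlisted peer is ignored.
    print(client_key("198.51.100.9", "203.0.113.7"))
```

With the tutorial's settings (no nodelay) the eleventh simultaneous request is held for about ten seconds and anything beyond that is rejected. If the limit is keyed on a Cloudflare edge address instead of the restored visitor address, every visitor arriving through that edge shares one bucket.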

Comments

  • tommytommy Member

    nice tutorial.
    btw yum != Yum

    Let's bet which dot-name will collapse first ;)

  • AndreiAndrei Member
    edited December 2014

    @nexmark Very good tutorial, however with "iptables -I INPUT 5 -m state --state NEW -p tcp --dport 80 -j ACCEPT"

    This happens: iptables: Index of insertion too big

  • what is proxying without caching... add a bit to include caching and the tutorial is complete ;)

  • You should add some code to block wordpress user agent, i see a lot of http flood like this!

  • nexmarknexmark Member
    edited December 2014

    @linuxthefish said:
    You should add some code to block wordpress user agent, i see a lot of http flood like this!

    Will add

    But its this little snippet

    WordPress

    if ($http_user_agent ~* (wordpress) ) {
    return 444;
    }

    Joomla

    if ($http_user_agent = "") { return 444; }

    Thanked by 2linuxthefish upfreak

    Life is better when you're smiling

  • Nice Tutorial! I really like it.

  • maybe you can add config for remote(source) server

  • Noob here, what is the use of this?

  • @nexmark said:
    if ($http_user_agent = "") { return 444; }

    IFs are evil.

    A mind that is stretched by a new experience can never go back to its old dimensions.

  • xaitmixaitmi Member
    edited April 2015

    Got it all working. Thank you for the helpful guide!

  • sleddogsleddog Member
    edited April 2015

    Hi @nexmark!

    A question: what happens with nginx gzipped output from the source when proxied?

    I have one of your NAT VMs, with a website configured in your reverse proxy. My Nginx is configured to send gzip output. It listens on one of my assigned ports (say 1234) and port 80.

    When I browse directly to mydomain.com:1234, the return headers from my nginx are:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Sun, 26 Apr 2015 15:54:04 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Powered-By: PHP/5.4.39-0+deb7u2
    Content-Encoding: gzip

    Gzipped output.

    But when I browse to mydomain.com via your reverse proxy the headers from your nginx are:

    HTTP/1.1 200 OK
    Server: nginx/1.0.15
    Date: Sun, 26 Apr 2015 15:55:56 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    X-Powered-By: PHP/5.4.39-0+deb7u2

    No gzipped output.

    Not vital, just curious!

  • xaitmixaitmi Member
    edited April 2015

    Would also be cool if you could provide information on how to do caching of static content on the reverse proxy, to speed everything up more.

    Right now I'm using

    Cloudflare --> Reverse Proxy --> Web Server

    Everything loads super fast as if I wasn't using CF and Reverse proxy at all.

    When I disable CF, pages take some time to load.

    One of the reasons I will have to disable CF is because I will be installing an SSL cert on my site.

  • proxy_pass http://Source IP/;

    Is this the IP of the VPS or the website that needs to be protected?

  • @funyuns_are_awesome said:
    proxy_pass http://Source IP/;

    Is this the IP of the VPS or the website that needs to be protected?

    The website.. ;)

  • Has anyone gotten this tutorial working with SSL?

  • JonchunJonchun Member, Provider
    edited April 2015

    @xaitmi said:
    Has anyone gotten this tutorial working with SSL?

    Add

    listen 443 ssl spdy;
    listen [::]:443 ssl spdy;
    ssl_certificate /path/ssl/cert.crt;
    ssl_certificate_key /path/ssl/cert.key;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;

    That (should) work. PM me if you're having trouble.

    Thanked by 1xaitmi
  • Finally got SSL working.

    Thanks Jonchun

  • JonchunJonchun Member, Provider
    edited April 2015

    @xaitmi said:
    Finally got SSL working.

    Thanks Jonchun

    Not a problem!

    I'd also like to mention on this note, that you can modify this tutorial just a little bit to use a single ssl certificate while hosting applications on different servers.

    For example, an SSL certificate for www.domain.com wouldn't be signed for blog.domain.com. However, you can add a location /blog block and proxy to blog.domain.com, and you will have signed SSL and your blog would be accessible at: www.domain.com/blog

    This is really good for people using OV/EV certificates, and have reasons to not want to host certain things on the same server.

  • rokokrokok Member

    looking for debian/ubuntu, anyone?

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • xaitmixaitmi Member
    edited April 2015

    @rokok said:
    looking for debian/ubuntu, anyone?

    There wouldn't be much of a difference.

    apt-get update -y
    apt-get upgrade -y
    apt-get install nginx -y
    

    The config files are the same.

  • ATHKATHK Member
    edited April 2015

    @xaitmi said:

    Conf files are in different locations

    /etc/nginx/nginx.conf

    /etc/nginx/sites-available

    Then to enable a conf you need to symlink it from /etc/nginx/sites-available or just create the file in /etc/nginx/sites-enabled

  • Is it possible to proxy Gmail? Any solutions?

    VMLink.cc -==- vDS in China Mobile/HK, vLink TCP/UDP Accelerator,China VPN

  • JonchunJonchun Member, Provider

    @catding said:
    Is it possible to proxy Gmail? Any solutions?

    What are you trying to accomplish? While not possible with just nginx, this can be achieved using PHP.

  • Because Gmail is blocked here in our country, we have to use VPN to login, and is very unstable. I want to build a private proxy for gmail, which can check/send email like proxy for google search. Is there any tutorials to make it? :)

    @Jonchun said:
    What are you trying to accomplish? While not possible with just nginx, this can be achieved using PHP.

    VMLink.cc -==- vDS in China Mobile/HK, vLink TCP/UDP Accelerator,China VPN

  • JonchunJonchun Member, Provider

    @catding said:
    Because Gmail is blocked here in our country, we have to use VPN to login, and is very unstable. I want to build a private proxy for gmail, which can check/send email like proxy for google search. Is there any tutorials to make it? :)

    Why not host a webmail client that connects to gmail using smtp/imap? That would be much better.

  • i am using Outlook app for iOS and it is excellent, but sometimes deal mails maybe much easier with webmail, and prefer their original interface which easy to handle the mass emails.

    @Jonchun said:

    VMLink.cc -==- vDS in China Mobile/HK, vLink TCP/UDP Accelerator,China VPN

  • JonchunJonchun Member, Provider

    @catding said:
    i am using Outlook app for iOS and it is excellent, but sometimes deal mails maybe much easier with webmail, and prefer their original interface which easy to handle the mass emails.

    https://code.google.com/p/php-proxy/

    Host that on apache and it should work fine for your uses then.

  • Jonchun said: @catding said: Because Gmail is blocked here in our country, we have to use VPN to login, and is very unstable. I want to build a private proxy for gmail, which can check/send email like proxy for google search. Is there any tutorials to make it? :)

    Why not host a webmail client that connects to gmail using smtp/imap? That would be much better.

    @Jonchun that was simple and great idea that will do :)

    Make your choice on your own But i can help you to make them right.

  • @catding said:
    i am using Outlook app for iOS and it is excellent, but sometimes deal mails maybe much easier with webmail, and prefer their original interface which easy to handle the mass emails.

    i think u can use SSH socks5 Proxy

    http://straightedgelinux.com/blog/howto/socks.html

    https://vpnreviewer.com/ssh-socks5-tunnel-howto

    Make your choice on your own But i can help you to make them right.

  • thanks for your share, I've tried that, SSH and ShadowSocks are great for Socks5.
    but it is not very great if I want to use in public place. Proxy for gmail may be great because I don't need to carry any file/password to use.

    VMLink.cc -==- vDS in China Mobile/HK, vLink TCP/UDP Accelerator,China VPN

  • rokokrokok Member

    @sleddog said:

    And how can i decompress respond request?

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • PzeaPzea Member, Provider

    [code]rpm -Uvh http://mirror.ancl.hawaii.edu/linux/epel/6/uname -i/epel-release-6-8.noarch.rpm [/code]

    i386 is not the only one.

    Pzea.com - jp/SG/HK| VPS & Dedicated Servers
  • PzeaPzea Member, Provider

    update

    rpm -Uvh http://mirror.ancl.hawaii.edu/linux/epel/6/`uname -i`/epel-release-6-8.noarch.rpm 

    i386 is not the only one.

    Pzea.com - jp/SG/HK| VPS & Dedicated Servers
  • rokokrokok Member

    not bad, my first try reverse proxy: lowendtalk with SSL https://lowendtalk.me/

    lol

    CEO of PT. Rokok Kopi Internet Tidur Tbk.

  • For HTTP Flood based Attacks add this into the HTTP Block
    limit_req_zone $binary_remote_addr zone=slimitss:10m rate=1r/s;
    limit_req zone=slimitss burst=10;

    1r/s, and burst up to 10, i'm not sure... + Cloudflare...
    Anyone have a real experience with http flood ddos attack to cloudflare free plan?

  • xaitmixaitmi Member

    Does anyone have any recommended iptables for using a vps as just a reverse proxy

  • wychwych Member

    @xaitmi said:
    Does anyone have any recommended iptables for using a vps as just a reverse proxy

    GRE Tunnel?

    Taking a hiatus.

  • I am using this method to hide my website IP which is hosted on a shared Cpanel. The problem is Cpanel can not detect the real visitor IP and "Awstat" and "Visitors" both display the vps IP only, for all the visits. Is there any way to fix this on shared cpanels?

    Thanked by 1WSS
  • FalzoFalzo Member

    @jikjik said:

    yes, please use this to get your answer from @nexmark:

    Thanked by 2ehab raindog308

    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)

  • r0xzr0xz Member

    Just wtf is going on wt all this grave digger...

  • @jikjik said:
    I am using this method to hide my website IP which is hosted on a shared Cpanel. The problem is Cpanel can not detect the real visitor IP and "Awstat" and "Visitors" both display the vps IP only, for all the visits. Is there any way to fix this on shared cpanels?

    Need 'proxy_set_header X-Real-IP $remote_addr;' and 'proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'

    ..:: Kloxo-MR - hosting and forum ::..

  • jikjikjikjik Member
    edited March 2017

    @r0xz said:
    Just wtf is going on wt all this grave digger...

    Do you expect opening a new case for the same matter?!

  • bapbap Member

    nice tuts..

This discussion has been closed.