Configure a reverse proxy with NGINX

What is a reverse proxy (taken from Wikipedia):

“In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client like they originated from the proxy server itself”

So why would you want to use a reverse proxy? In my case it’s because I want to hide ports and instead forward requests based on domain name. I also want to handle SSL encryption in one place. So even if I have a self-signed certificate internally, the browser will still show a green URL as long as NGINX is set up properly with a certificate signed by a CA.

Prerequisites

This config example assumes you already have DNS or DDNS set up and an existing signed certificate from a CA (chained.pem and domain.key). Ports 80 and 443 on your router also need to forward requests to your NGINX instance (in this example running on 192.168.2.1).

What I want to accomplish:

# Setup routing for NAS Management 192.168.1.4 (home.filegott.se)
http://home.filegott.se --(reverse proxy)--> http://192.168.1.4
https://home.filegott.se --(reverse proxy)--> https://192.168.1.4

# Setup routing for UniFi Controller 192.168.2.2 (unifi.filegott.se)
http://unifi.filegott.se --(redirect)--> https://unifi.filegott.se
https://unifi.filegott.se --(reverse proxy)--> https://192.168.2.2:8443

My nginx.config:

user nginx;
worker_processes  1;
events {
    worker_connections  1024;
}

http {
   include       mime.types;
   default_type  application/octet-stream;
   sendfile        on;
   keepalive_timeout  65;	
   server {
      listen 80;
      server_name home.filegott.se;
      location / {
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header   Host             $host;
            proxy_pass http://192.168.1.4/;
      }
   }

   server {
      listen 443 ssl;
      server_name home.filegott.se;
      ssl_certificate    /etc/nginx/certs/chained.pem;
      ssl_certificate_key    /etc/nginx/certs/domain.key;
      location / {
         proxy_set_header   X-Real-IP        $remote_addr;
         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         proxy_set_header   Host             $host;
         proxy_pass https://192.168.1.4/;
      }
   }
	
   server {
      listen 80;
      server_name unifi.filegott.se;
      return 301 https://unifi.filegott.se$request_uri; 
   }
	
   server {
      listen 443 ssl;
      server_name unifi.filegott.se;
      ssl_certificate    /etc/nginx/certs/chained.pem;
      ssl_certificate_key    /etc/nginx/certs/domain.key;
      location / {
         # proxy all HTTPS traffic to 192.168.2.2:8443
         proxy_set_header   X-Real-IP        $remote_addr;
         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
         proxy_set_header   Host             $host;
         proxy_pass https://192.168.2.2:8443/;			
         # WebSocket support
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
      }
   }
}

I had to add three extra lines to support WebSockets for my UniFi Controller. Also worth mentioning: the certificate used is signed for both domains, home.filegott.se and unifi.filegott.se.
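
Because requests are routed by domain name, a request whose Host header matches neither name (for example one sent to the bare public IP) is handled by the first server block for that port, which in the config above is the NAS management proxy. The following is an added example, not part of the original config, of catch-all blocks to place inside http { }; ssl_reject_handshake requires nginx 1.19.4 or later.

```nginx
# Added example: catch-all servers so that only the two configured
# names reach the internal hosts. Place inside the existing http { } block.

# Port 80: any Host header other than home.filegott.se / unifi.filegott.se.
server {
   listen 80 default_server;
   server_name _;
   # 444 is nginx-specific: close the connection without sending a response.
   return 444;
}

# Port 443: any SNI name other than the two configured ones.
# The handshake is refused, so this block needs no certificate
# and the real certificate is never presented for unknown names.
server {
   listen 443 ssl default_server;
   ssl_reject_handshake on;
}
```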

3 thoughts on “Configure a reverse proxy with NGINX”

  1. Hi, does this still work for you? I also have nginx with a similar setup, but I get a 404 on redirect to “redirect.html?count=0.xxxx”

    1. I have this exactly today:
      
         server {
            listen 443 ssl;
            server_name unifi.filegott.se;
            ssl_certificate    /etc/nginx/certs/chained.pem;
            ssl_certificate_key    /etc/nginx/certs/domain.key;
            location / {
               # redirect all HTTPS traffic to 192.168.2.2:8443
               proxy_set_header   X-Real-IP        $remote_addr;
               proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
               proxy_set_header   Host             $host;
               proxy_pass https://192.168.2.2:8443/;
               proxy_ssl_verify   off;
               # WebSocket support
               proxy_http_version 1.1;
               proxy_set_header Upgrade $http_upgrade;
               proxy_set_header Connection "upgrade";
            }
         }
      

      As you can see I’ve added the line “proxy_ssl_verify off;”. This is because I want to ignore the self-signed internal certificates.

    2. Also I’ve removed the redirect rows:

         server {
            listen 80;
            server_name unifi.filegott.se;
            return 301 https://unifi.filegott.se$request_uri; 
         }
      

      As I only want the UniFi controller to be available over HTTPS.
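
With proxy_ssl_verify off, the connection from NGINX to the controller is encrypted but the controller's certificate is never checked. The following is an added example, not the config from the reply above, that instead trusts exactly the controller's self-signed certificate. The certificate path and the name given to proxy_ssl_name are placeholders: the file is assumed to be an exported copy of the controller's certificate, and the name must be one that appears in it.

```nginx
# Added example: authenticate the internal HTTPS hop instead of skipping
# verification. Paths and names marked "placeholder" are assumptions.
server {
   listen 443 ssl;
   server_name unifi.filegott.se;
   ssl_certificate        /etc/nginx/certs/chained.pem;
   ssl_certificate_key    /etc/nginx/certs/domain.key;

   location / {
      proxy_set_header   X-Real-IP        $remote_addr;
      proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
      proxy_set_header   Host             $host;
      proxy_pass https://192.168.2.2:8443/;

      # Verify the upstream certificate against a pinned copy of the
      # controller's own self-signed certificate (PEM format).
      proxy_ssl_verify               on;
      proxy_ssl_trusted_certificate  /etc/nginx/certs/unifi-internal.pem;  # placeholder path
      # proxy_pass uses an IP address, so state the name to check against
      # the certificate explicitly.
      proxy_ssl_name                 unifi.internal.example;               # placeholder name

      # WebSocket support
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
   }
}
```

If the controller regenerates its certificate, the pinned file has to be replaced and NGINX reloaded, otherwise requests to the controller fail with a 502 until the two match again.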
