Table of Contents |
---|
Create our Docker Container
Create a nginx reverse proxy by issuing the following command:
Code Block |
---|
...
docker run -d \ --net host \ --restart=always \ -p 80:80 \ --name proxy \ -v |
...
$PWD/conf:/etc/nginx/ |
...
sites-enabled \ -v $PWD/letsencrypt:/etc/letsencrypt \ -v $PWD/conf.d:/etc/nginx/ |
...
conf.d \ lerenn/nginx-reverse-proxy |
This will create a reverse proxy running on the host network. We specify a SITES_CONFIG_DIR where we will add our site config files (see below).
We also specify a folder for our certificates that we will reference for our SSL enabled sites.
Define our Nginx Configuration Files
In the config folder conf folder(mapped to sites-enabled) we defined in our docker command we will add a configuration like the following:
Code Block | ||
---|---|---|
| ||
server {
listen 80;
server_name wiki wiki.jmehan.com;
location / {
proxy_pass http://192.168.1.60:8090/;
}
}
|
Adding SSL Support (not certbot)
If we want to terminate an SSL connection at our proxy, we can generate an SSL cert and configure it in nginx.
Generate the SSL certificate using the following command:
> openssl req -nodes -new -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 7300
This command will generate a self signed SSL certificate valid for 10 years.
Configure the endpoint to use the certificates. Here we are defining the docker location for the certs.
Code Block | ||
---|---|---|
| ||
server { listen 8443 ssl; #server_name svn svn.jmehan.com; ssl_certificate /etc/nginx/certificates/svn/cert.pem; ssl_certificate_key /etc/nginx/certificates/svn/key.pem; location / { proxy_redirectpass off; http://192.168.1.60:9080/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; } } |
Adding
...
If we want to terminate an SSL connection at our proxy, we can generate an SSL cert and configure it in nginx.
Generate the SSL certificate using the following command:
> openssl req -nodes -new -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 7300
This command will generate a self signed SSL certificate valid for 10 years.
Configure the endpoint to use the certificates. Here we are defining the docker location for the certs.
Basic Authentication
You may need to add apache2-utils to your nginx docker container using the following cmd:
> sudo apt-get install apache2-utils
Login to the docker container and create the password file
> docker exec -it <nginx_container> bash
Create a password file
> htpasswd -c /etc/nginx/conf.d/htpasswd <username>
Update the configuration
Code Block |
---|
Code Block | title | mysite.conf
server { listenserver_name kibana kibana.jmehan.com; location 8443/ ssl;{ #server_name proxy_pass svn svn.jmehan.com http://192.168.1.60:5601/; ssl_certificate auth_basic "Administrator's Area"; auth_basic_user_file /etc/nginx/certificates/svn/cert.pemconf.d/htpasswd; } } |
Supporting Sites that use websockets
Code Block |
---|
server { server_name homebridge homebridge.jmehan.com;ssl_certificate_key /etc/nginx/certificates/svn/key.pem; location / { proxy_pass http://192.168.1.60:9080/8089/; proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; $host proxy_set_header Connection "Upgrade"; proxy_set_header X-Real-IP X-Real-IP $remote_addr; proxy_set_header X-ForwardedForward-For $proxy_add_x_forwarded_for; } } |
Redirecting all traffic to SSL
Code Block |
---|
server { server_name www.server.com server.com; client_max_body_sizelisten 443 ssl; location / { proxy_pass 10mhttp://192.168.1.60:12345/; } ssl_certificate /etc/letsencrypt/live/www.server.com-0001/fullchain.pem; # client_body_buffer_size 128kmanaged by Certbot ssl_certificate_key /etc/letsencrypt/live/www.server.com-0001/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { server_name www.server.com server.com; listen 80; return proxy_connect_timeout301 https://www.diabetease.com$request_uri; } |
Forwarding Real IP Address
Add X-Real-IP and X-Forwarded-For headers using the proxy_set_header instruction by adding it to the /etc/nginx/conf.d/proxy.conf file.
Code Block |
---|
proxy_redirect 90off; proxy_set_header Host $host; proxy_send_timeout set_header X-Real-IP 90$remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 10m; client_body_buffer_size 500m; client_header_buffer_size 500m; proxy_readconnect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 16k; proxy_buffers 32 16k; proxy_busy_buffers_size 64k; |
Restricting Access to IP Range
In the following example, we restrict access to a login page in confluence to internal ip addresses between: 192.168.1.100-255
See https://www.ipaddressguide.com/cidr for creating ip range.
Code Block |
---|
# restrict access to login to 192.168.1.100-255 buffer_size 4klocation /login.action { allow 192.168.1.100/30; proxy_buffers allow 192.168.1.104/29; 4 32kallow 192.168.1.112/28; proxy_busy_buffers_sizeallow 192.168.1.128/25; deny 64kall; proxy_temp_file_write_size 64kpass http://192.168.1.50:8090/login.action; } } |
Customized Dockerfile
The following Dockerfile adds certbot and apache2-utils to our nginx-reverse-proxy image.
Code Block | ||||
---|---|---|---|---|
| ||||
FROM lerenn/nginx-reverse-proxy
RUN apt-get update
RUN apt-get install -y wget
RUN apt-get install -y apache2-utils
RUN wget https://dl.eff.org/certbot-auto
RUN chmod +x certbot-auto
RUN ./certbot-auto -n --install-only |
References
Reference | URL |
---|---|
Let's Encrypt | CertBot and Let's Encrypt |
Restricting Access with HTTP Basic Authentication | https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ |