Table of Contents |
---|
Create our Docker Container
Create a nginx reverse proxy by issuing the following command:> docker
Code Block |
---|
docker run -d \ --net host \ --restart=always \ -p 80:80 \ --name proxy \ -v |
...
$PWD/conf:/etc/nginx |
...
/sites-enabled \ -v $PWD/letsencrypt:/etc/letsencrypt \ -v $PWD/conf.d:/etc/nginx/ |
...
conf.d \ lerenn/nginx-reverse-proxy |
This will create a reverse proxy running on the host network. We specify a SITES_CONFIG_DIR where we will add our site config files (see below).We also specify a folder for our certificates that we will reference for our SSL enabled sites.
Define our Nginx Configuration Files
In the config folder conf folder(mapped to sites-enabled) we defined in our docker command we will add a configuration like the following:
Code Block | ||
---|---|---|
| ||
server {
listen 80;
server_name wiki wiki.jmehan.com;
location / {
proxy_pass http://192.168.1.60:8090/;
}
}
|
Adding SSL Support (not certbot)
If we want to terminate an SSL connection at our proxy, we can generate an SSL cert and configure it in nginx.
Generate the SSL certificate using the following command:
> openssl req -nodes -new -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 7300
This command will generate a self signed SSL certificate valid for 10 years.
Configure the endpoint to use the certificates. Here we are defining the docker location for the certs.
Code Block | ||
---|---|---|
| ||
server { listen 8443 ssl; #server_name svn svn.jmehan.com; proxy_redirectssl_certificate /etc/nginx/certificates/svn/cert.pem; ssl_certificate_key /etc/nginx/certificates/svn/key.pem; location / { proxy_pass offhttp://192.168.1.60:9080/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; } } |
Adding
...
If we want to terminate an SSL connection at our proxy, we can generate an SSL cert and configure it in nginx.
Generate the SSL certificate using the following command:
> openssl req -nodes -new -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 7300
This command will generate a self signed SSL certificate valid for 10 years.
Configure the endpoint to use the certificates. Here we are defining the docker location for the certs.
Basic Authentication
You may need to add apache2-utils to your nginx docker container using the following cmd:
> sudo apt-get install apache2-utils
Login to the docker container and create the password file
> docker exec -it <nginx_container> bash
Create a password file
> htpasswd -c /etc/nginx/conf.d/htpasswd <username>
Update the configuration
Code Block |
---|
Code Block | title | mysite.conf
server { server_name kibana kibana.jmehan.com; listen location 8443/ ssl;{ #server_name proxy_pass svn svn.jmehan.com http://192.168.1.60:5601/; ssl_certificate auth_basic "Administrator's Area"; auth_basic_user_file /etc/nginx/conf.d/htpasswd; } } |
Supporting Sites that use websockets
Code Block |
---|
server {certificates/svn/cert.pem; ssl_certificate_key /etc/nginx/certificates/svn/key.pem; server_name homebridge homebridge.jmehan.com; location / { proxy_pass http://192.168.1.60:90808089/; proxy_set_headerhttp_version 1.1; Hostproxy_buffering $hostoff; proxy_set_header X-Real-IP Host $remote_addr$host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; clientproxy_max_body_sizeset_header 10mX-Real-IP $remote_addr; clientproxy_body_buffer_sizeset_header 128kX-Forward-For $proxy_add_x_forwarded_for; } } |
Redirecting all traffic to SSL
Code Block |
---|
server { proxy_connect_timeoutserver_name www.server.com server.com; listen 443 90ssl; location / { proxy_send_timeoutpass 90http://192.168.1.60:12345/; } ssl_certificate /etc/letsencrypt/live/www.server.com-0001/fullchain.pem; # managed by Certbot proxyssl_read_timeout certificate_key /etc/letsencrypt/live/www.server.com-0001/privkey.pem; # managed by Certbot include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot 90; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot } server { server_name www.server.com server.com; listen 80; return 301 https://www.diabetease.com$request_uri; } |
Forwarding Real IP Address
Add X-Real-IP and X-Forwarded-For headers using the proxy_set_header instruction by adding it to the /etc/nginx/conf.d/proxy.conf file.
Code Block |
---|
proxy_redirect_buffer_size 4koff; proxy_set_header Host $host; proxy_set_buffersheader X-Real-IP 4 32k$remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size proxy_busy_buffers10m; client_body_buffer_size 500m; client_header_buffer_size 500m; proxy_connect_timeout 64k90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_temp_file_writebuffer_size 64k16k; proxy_buffers 32 } } |
Adding Basic Authentication
You may need to add apache2-utils to your nginx docker container using the following cmd:
> sudo apt-get install apache2-utils
Login to the docker container and create the password file
> docker exec -it <nginx_container> bash
Create a password file
> htpasswd -c /etc/nginx/conf.d/htpasswd <username>
Update the configuration
16k;
proxy_busy_buffers_size 64k; |
Restricting Access to IP Range
In the following example, we restrict access to a login page in confluence to internal ip addresses between: 192.168.1.100-255
See https://www.ipaddressguide.com/cidr for creating ip range.
Code Block |
---|
|
Code Block |
server { # restrict access server_nameto login kibanato kibana192.168.jmehan.com;1.100-255 location /login.action { allow 192.168.1.100/30; proxy_pass http://allow 192.168.1.104/29; allow 192.168.1.112/28; allow 192.168.1.60:5601128/25; auth_basic "Administrator's Area"deny all; auth_basic_user_file /etc/nginx/conf.d/htpasswdproxy_pass http://192.168.1.50:8090/login.action; } } |
Customized Dockerfile
The following Dockerfile adds certbot and apache2-utils to our nginx-reverse-proxy image.
Code Block | ||||
---|---|---|---|---|
| ||||
FROM lerenn/nginx-reverse-proxy
RUN apt-get update
RUN apt-get install -y wget
RUN apt-get install -y apache2-utils
RUN wget https://dl.eff.org/certbot-auto
RUN chmod +x certbot-auto
RUN ./certbot-auto -n --install-only |
References
Reference | URL |
---|---|
Let's Encrypt | CertBot and Let's Encrypt |
Restricting Access with HTTP Basic Authentication | https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/ |