Skip to content

Reverse Proxy with Nginx on RHEL

Introduction

This article introducing a method on reverse proxy with Nginx web server on RHEL.

1. Install Nginx

sudo dnf install nginx

2. Edit Nginx Config File

(1). /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}

(2). Site Config in /etc/nginx/conf.d/*.conf

server {
    server_name WEB.DOMAIN.com;
    location / {
        proxy_ssl_server_name on;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_pass http://$host:$remote_port;
    }
    listen 443 ssl http2; # DO NOT NEED IF YOU USE NGINX
    ssl_certificate path/to/certificate/fullchain.pem; # DO NOT NEED IF YOU USE NGINX
    ssl_certificate_key path/to/certificate//privkey.pem; # DO NOT NEED IF YOU USE NGINX
}

3. SSL with Let's Encrypt

(1). Install Certbot

sudo dnf install certbot

(2). (Opt.) Install plugin for nginx

sudo dnf install python3-certbot-nginx

(3). (Opt.) Install plugin for dns-cloudflare

sudo dnf install python3-certbot-dns-cloudflare

(4). Applying for SSL Certificate

According to steps above, there are many ways to get certificate. We demonstrate 2 ways matchs steps (2) and (3) before.

  1. Sign with Nginx

    sudo certbot --nginx -d domainname.com

    In this way, Certificates will be configured in *.conf in folder /etc/nginx/conf.d/ automatically.

  2. Sign with dns-cloudflare

    sudo certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials \
    ~/.secrets/certbot/cloudflare.ini \
    -d example.com

    In this way, you need a cloudflare key file: cat cloudflare.ini 

    # Cloudflare API credentials used by Certbot
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234

4. Set SELinux sebool

sudo setsebool -P httpd_can_network_connect 1

REF

[1]. https://certbot.eff.org/

[2]. https://certbot-dns-cloudflare.readthedocs.io/en/stable/

[3]. https://docs.nginx.com/

[4]. https://stackoverflow.com/questions/23948527/13-permission-denied-while-connecting-to-upstreamnginx

[5]. https://blog.dashdreams.com/blog/SHELL/Let-Encrypt-with-Certbot