Install Nginx as a reverse proxy on CentOS 7

Updated on Wednesday, 8 November 2017

Today we are going to install Nginx and configure it as a reverse proxy. In this example configuration it will act exclusively as an SSL web server.

It will run as the nginx user.

We will disable SELinux and configure firewalld so that it allows only inbound traffic on ports 22 and 443.

Install the prerequisites:

sed -i /etc/selinux/config -r -e 's/^SELINUX=.*/SELINUX=disabled/g'   # Disable SELinux (takes effect after the reboot below)
yum -y install epel-release   # Install the EPEL repo
yum -y update && systemctl reboot   # Run all updates before starting, and apply the new SELinux setting


Install and configure nginx:

# Install
yum -y install nginx   # Install nginx
mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.orig   # Keep a backup of the stock nginx.conf

# Configure
nano /etc/nginx/nginx.conf
---
user  nginx;
worker_processes  2;   # Set to number of CPU cores

error_log  /var/log/nginx/error.log;

pid  /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
  include  /etc/nginx/mime.types;
  default_type  application/octet-stream;

  log_format  main '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for"';

  access_log  /var/log/nginx/access.log  main;

  sendfile  on;

  keepalive_timeout  65;

  include /etc/nginx/conf.d/*.conf;

  index  index.html index.htm;
}
---


Once installed, we proceed to configure the sites:

As examples we use: Guacamole, SABnzbd/SickBeard/CouchPotatoServer/Headphones, SubSonic, Plex Media Server and Owncloud.

nano /etc/nginx/conf.d/reverseproxy.conf
---
ssl_certificate  ssl/domain.crt;   # Replace with your cert info (I generate my own self-signed certs with openssl)
ssl_certificate_key  ssl/domain.key;   # Replace with your cert info (I generate my own self-signed certs with openssl)
ssl_dhparam  ssl/domain.pem;   # Replace with your cert info (I generate my own self-signed certs with openssl)
ssl_session_timeout  5m;
ssl_prefer_server_ciphers  on;
ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  AES256+EECDH:AES256+EDH:!aNULL;

server  {

  listen  80;   # Redirect any port http/80 requests, to https/443 -- generally only matters for internal requests
  server_name  *.domain.com;
  return 301 https://$host$request_uri;
}

server  {
  listen  443 ssl;   # Return 404 page if requesting the root url; can set this to whatever you want, but I just leave this at a 404
  server_name domain.com;
  ssl  on;
  location  / {
    return  404;
  }
}

server  {
  listen  443 ssl;   # Example config for SubSonic, browsable at 
  server_name  subsonic.domain.com;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_subsonic:4040/;
  }
}

server  {
  listen  443 ssl;   # Example config for OwnCloud, browsable at 
  server_name  owncloud.domain.com;
  client_max_body_size  0;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_owncloud/;
  }
}

server  {
  listen  443 ssl;   # Example config for SABnzbd, browsable at 
  server_name  sab.domain.com;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_sabnzbd:8080/;
  }
}

server  {
  listen  443 ssl;   # Example config for SickRage, browsable at 
  server_name  sr.domain.com;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_sickrage:8081/;
  }
}

server  {
  listen  443 ssl;   # Example config for CouchPotatoServer, browsable 
  server_name  cps.domain.com;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_couchpotato:5050/;
  }
}

server  {
  listen  443 ssl;   # Example config for Headphones, browsable at 
  server_name  hp.domain.com;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_headphones:9090/;
  }
}

server  {
  listen  443 ssl;   # Example config for Guacamole, browsable at 
  server_name  guac.domain.com;
  ssl  on;
  location  / {
    proxy_buffering  off;
    proxy_pass  http://internal_ip_to_guacamole:8080/;
    proxy_http_version  1.1;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header  Upgrade $http_upgrade;
    proxy_set_header  Connection $http_connection;
    access_log  off;
  }
}

server  {
  listen  443 ssl;   # Example config for Plex Media Server, browsable at 
  server_name  pms.domain.com;
  ssl  on;
  location  / {
    proxy_pass  http://internal_ip_to_plex:32400/;
  }
}

server {
  listen  443 ssl;    # Example config for Stash, browsable at 
  server_name  git.domain.com;
  ssl  on;
  client_max_body_size  256m;
  location  / {
    proxy_pass  http://internal_ip_to_stash:7990;
    proxy_set_header  X-Forwarded-Host $host;
    proxy_set_header  X-Forwarded-Server $host;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
---
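The three files referenced at the top of reverseproxy.conf (ssl/domain.crt, ssl/domain.key and ssl/domain.pem) must exist before nginx will start. The script below is an example added here, not the author's own command; it generates them with openssl and assumes /etc/nginx as the nginx prefix (so ssl/domain.crt resolves to /etc/nginx/ssl/domain.crt) and domain.com as the name the certificate has to cover.

```sh
#!/bin/sh
# Added example (not from the original post): create the files that
# reverseproxy.conf references as ssl/domain.crt, ssl/domain.key and
# ssl/domain.pem, relative to the nginx prefix (assumed: /etc/nginx).
set -eu

# gen_selfsigned DIR DOMAIN [DAYS]: RSA key + self-signed cert whose SAN covers
# the domain and its subdomains (the config above serves *.domain.com vhosts).
gen_selfsigned() {
  dir="$1"; domain="$2"; days="${3:-825}"
  mkdir -p "$dir"
  # SAN through a temporary config file, so this also works with the
  # OpenSSL 1.0.2 shipped in CentOS 7 (which has no -addext option)
  cfg="$dir/openssl.cnf"
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n[san]\nsubjectAltName = DNS:%s, DNS:*.%s\n' \
    "$domain" "$domain" "$domain" > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$dir/domain.key" -out "$dir/domain.crt" \
    -config "$cfg" -extensions san 2>/dev/null
  chmod 600 "$dir/domain.key"   # the private key stays readable by root only
  rm -f "$cfg"
}

# gen_dhparam DIR [BITS]: Diffie-Hellman parameters for ssl_dhparam (2048 bits takes a while)
gen_dhparam() {
  openssl dhparam -out "$1/domain.pem" "${2:-2048}" 2>/dev/null
}

# cert_matches_key DIR: succeeds only when the cert's public key matches the private key
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1/domain.crt" | openssl sha256)
  k=$(openssl pkey -pubout -in "$1/domain.key" 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# cert_san DIR: prints the SAN entries, to confirm the wildcard is present
cert_san() {
  openssl x509 -noout -text -in "$1/domain.crt" | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Usage on the proxy host: sh gen-ssl.sh run domain.com
if [ "${1:-}" = "run" ]; then
  ssl_dir=/etc/nginx/ssl
  gen_selfsigned "$ssl_dir" "${2:-domain.com}"
  gen_dhparam "$ssl_dir" 2048
  cert_matches_key "$ssl_dir" && nginx -t && systemctl restart nginx
fi
```

Browsers will still warn about the self-signed issuer; the SAN entries only make the name check pass once the certificate is trusted.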

systemctl enable nginx.service   # Start nginx at system boot


Modify firewalld:

systemctl enable firewalld.service   # Enable firewalld so it starts at system boot
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https


Reboot:

systemctl reboot

Once it has rebooted it will be ready for production.
