×
Community Blog How to Configure a Nginx HTTPs Reverse Proxy?

How to Configure a Nginx HTTPs Reverse Proxy?

Nginx HTTPS Reverse Proxy refers to a proxy server to accept connection requests on the Internet, and then forward the request to the server on the internal network.

NGINX was initially designed as a reverse proxy server. However, with continuous development, NGINX also serves as one of the options to implement the forward proxy. The forward proxy itself is not complex, the key issue it addresses is how to encrypt HTTPS traffic. This article describes two methods for using NGINX as the forward proxy for HTTPS traffic, as well as their application scenarios and principal problems.

Classification of HTTP/HTTPS Forward Proxy

To begin with, let's take a closer look at the classification of the forward proxy.

Classification Basis: Whether the Proxy is Transparent to the Client

  1. Common Proxy: Here, the proxy address and port are manually configured in the browser or system environment variables on the client. For example, when you specify the IP address and port 3128 of the Squid server on the client.
  2. Transparent Proxy: There is no need for the proxy settings on the client. The "proxy" role is transparent to the client. For example, a Web Gateway device on an enterprise network is a transparent proxy.

Classification Basis: Whether the Proxy Encrypts HTTPS

  1. Tunnel Proxy: This is a proxy that transparently transmits traffic. The proxy server specifically transmits the HTTPS traffic over TCP transparently. It does not decrypt or perceive the specific content of its proxy traffic. The client performs direct TLS/SSL interaction with the target server. This article describes the NGINX proxy mode pertaining to this type.
  2. Man-in-the-Middle (MITM) Proxy: The proxy server decrypts HTTPS traffic, uses a self-signed certificate to complete the TLS/SSL handshake with the client, and completes normal TLS interaction with the target server. Two TLS/SSL sessions are set up on the client-proxy-server link.

Note: In this case, the client actually obtains the self-signed certificate of the proxy server in the TLS handshake process, and verification of the certificate chain is unsuccessful by default. The Root CA certificate among the proxy self-signed certificates must be trusted on the client. Therefore, the client is aware of the proxy in this process. A transparent proxy is achieved if the self-signed Root CA certificate is pushed to the client, which is implemented in the internal environment of an enterprise.

The Need For Special Processing When the Forward Proxy Processes HTTPS Traffic

While serving as a reverse proxy, the proxy server usually terminates HTTPS encrypted traffic and forwards it to the backend instance. Encryption, decryption, and authentication of HTTPS traffic occur between the client and the reverse proxy server.

On the other hand, when acting as a forward proxy and processing the traffic sent by the client, the proxy server doesn't see the target domain name in the URL requested by the client since the HTTP traffic is encrypted and encapsulated in TLS/SSL, as shown in the following figure. Therefore, unlike HTTP traffic, HTTPS traffic requires some special processing during proxy implementation.

HTTP traffic

You can refer to How to Use NGINX as an HTTPS Forward Proxy Server, and get more NGINX solution

Related Blogs

How to Secure Nginx with NAXSI Firewall on Ubuntu 16.04

In this tutorial, we will be installing a NAXSI firewall with Nginx on an Alibaba Cloud ECS Ubuntu 16.04 instance.

Naxsi (Nginx Anti XSS & SQL Injection) is a free, open source and high-performance web application firewall for Nginx. Naxsi is a third party Nginx module that comes with a small subset of rules containing 99% of known patterns involved in website vulnerabilities. The main difference between Naxsi and other firewalls is that it filters only GET and POST requests. You will also need to add a whitelist for the target website to work properly.

If you want to protect your web application from SQL Injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery, then Naxsi is the best choice for you.

In this tutorial, we will be installing a NAXSI firewall with Nginx on an Alibaba Cloud Elastic Compute Service (ECS) Ubuntu 16.04 instance.

Prerequisites

  1. A fresh Alibaba cloud instance with Ubuntu 16.04 server installed.
  2. A static IP address 192.168.0.103 is configured on the instance.
  3. A root password is setup on the server.
  4. Launch an Alibaba Cloud ECS Instance
  5. First, login to your Alibaba Cloud ECS Console. Create a new ECS instance, with Ubuntu 16.04 as the operating system with at least 2GB RAM. Connect to your ECS instance and log in as the root user.

Once you are logged into your Ubuntu 16.04 instance, run the following command to update your base system with the latest available packages.

apt-get update -y

How to Install Nginx with RTMP Module on CentOS 7

In this article, we will be installing Nginx with RTMP for media streaming on an Alibaba Cloud ECS CentOS 7.

RTMP (Real Time Messaging Protocol) is a high-performance protocol for streaming of data, audio, and video through the internet. In this guide, we will be installing Nginx with RTMP module which is a media streamer based on Nginx. It provides RTMP, HLS, and MPEG-DASH live streaming capabilities. Nginx RTMP module has a lot of features some of them are listed below:

  1. H264/AAC support
  2. Online transcoding with FFmpeg
  3. Running external programs on certain events (exec)
  4. HTTP control module for recording audio/video and dropping clients
  5. Advanced buffering techniques to keep memory allocations at a minimum level for faster streaming
  6. Stream relay support for distributed streaming: push & pull models

Prerequisites

  1. You must have Alibaba Cloud Elastic Compute Service (ECS) activated and verified your valid payment method. If you are a new user, you can get a free account in your Alibaba Cloud account. If you don't know about how to set up your ECS instance, you can refer to this tutorial or quick-start guide. Your ECS instance must have at least 1GB RAM and 1 Core processor.
  2. A domain name registered from Alibaba Cloud. If you have already registered a domain from Alibaba Cloud or any other host, you can update its domain nameserver records.
  3. Root user

Update the System

It is recommended that you should install any new packages on a freshly updated server.

First of all, upgrade all the available packages and update the system using the following command.

Related Products

Elastic Compute Service

Elastic and secure virtual cloud servers to cater all your cloud hosting needs.

Simple Application Server

A single server-based service for application deployment, security management, O&M monitoring, and more

Related Courses

Cloud Platform Security Overview

Learn about Alibaba Cloud's security products line and their design strategy. So this course aims to help you better understand the transition from traditional IT infrastructure to cloud infrastructure including current information security best practices and trends. You will get a clear understanding of how to use cloud platform to reduce security risks.

Cloud Servers Security Strengthening

For the security measures of the host on the cloud, we need to consider more factors, such as the configuration of the firewall inside the host, as well as various settings related to operating system user management and privilege management. Only by understanding and correctly configuring the security settings inside these hosts you can better cooperate with various cloud security products. This course is designed to help you better understand these security setup and learn how to properly configure them to maximize the security hardening of hosts on the cloud.

Related Documentation

Analyze NGINX monitoring logs

NGINX provides a built-in status page to help you monitor the status of NGINX, similar to PHP-FPM, Docker, and Apache. This topic describes how to use the Logtail feature of Log Service to collect NGINX status information. The topic also describes how to query and analyze the collected status information, create dashboards, and customize alerts to monitor your NGINX cluster.

Use Nginx + FPM in Container Service

To use Nginx + FPM in Container Service, we recommend that you use the image https://github.com/ngineered/nginx-php-fpm as the base image, which has both Nginx and FPM in one image.

This image can be used to create a container for Nginx and PHP-FPM. The created container can pull website codes from Git, and push or pull the code changes to or from Git. The container can also update the orchestration file by using the variables passed to Docker so as to update your codes and settings.

This image also supports Let’s Encrypt SSL configurations, customizing Nginx configurations, modifying Nginx/PHP configurations, X-Forwarded-For headers, and UID mapping (support local data volumes).

Related Market Products

WordPress on LEMP Ubuntu16.04

This image is built with Ubuntu16.04 64bit and bundled with following popular software for web service solution. In order to display web pages to our site visitors, we employ Nginx, a modern, efficient web server. Optimized to add your security concern.

LabEx Credits for Alibabacloud labs

LabEx delivers Alibabacloud labs using live Alibabacloud accounts and resources that help to learn Cloud Computing and how to work with Alibabacloud services. https://labex.io/alibaba

0 0 0
Share on

Alibaba Clouder

2,599 posts | 764 followers

You may also like

Comments