======Install Nginx======
This page show how to install Nginx with a view to using it as a reverse proxy server.
=====Prerequisites=====
You must have a CentOS machine already set up in accordance with the the "[[Install CentOS 6]]" guide.

For CentOS 6.6 I resorted to disabling SELinux as I couldn't get the reverse proxy working with SELinux enabled

===== SSL =====
In order to get https://internet.nl/ to give this site a clean bill of health, I had to regenerate the DH Param file.
<code>openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 -out /etc/nginx/certs/cersdhparam.pem</code>
=====Configure Repository=====
<code>cat << EOF > /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=0
enabled=1
EOF</code>
=====Install Nginx=====
<code>yum -y install nginx</code>
=====Configure Nginx to Start=====
<code>chkconfig nginx on
service nginx start</code>
=====Configure Firewall=====
<code>iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
service iptables save
service iptables restart</code>
=====Configure Nginx=====
<code>cp /etc/nginx/conf.d/default.conf  /etc/nginx/conf.d/default.conf.original
vi /etc/nginx/conf.d/default.conf</code>
<code>upstream tomcatbackend {
    server 127.0.0.1:8080;
}

# Force all http requests to be redirected to https
server {
       listen         80;
       server_name    webserver.example.com;
       return         301 https://$server_name$request_uri;
}

server {
    listen       443;
    server_name  webserver.example.com;
    ssl          on;
    ssl_certificate      /etc/nginx/conf.d/server.crt;
    ssl_certificate_key  /etc/nginx/conf.d/server.key;

    ssl_session_timeout  5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # DHE-RSA-AES128-SHA needed so Java 1.6 clients can use SSLv2Hello handshake to connect.
    #ssl_ciphers 'AES256+EECDH:AES256+EDH:DHE-RSA-AES128-SHA';

    ssl_ciphers 'AES256+EECDH:AES256+EDH';

    ssl_prefer_server_ciphers   on;
    ssl_session_cache shared:SSL:10m;

    #charset koi8-r;
    access_log  /var/log/nginx/log/host.access.log  main;

    location /app1/ {
        proxy_pass http://127.0.0.1:9090/app1/;
    }

    location /app2/ {
        proxy_pass http://127.0.0.1:9090/app2/;
    }

    location / {
        proxy_pass http://tomcatbackend;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_redirect      off;
        proxy_set_header Host $host;
    }
    # Allow only localhost and one IP to access https://webserver.example.com/manager and https://webserver.example.com/logs
    location ~ ^/(manager|logs) {
        allow 127.0.0.1;
        allow 172.16.20.1;
        deny all;
        proxy_pass http://tomcatbackend;
        proxy_set_header    X-Forwarded-Host $host;
        proxy_set_header    X-Forwarded-Server $host;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_redirect      off;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
       root   /usr/share/nginx/html;
    }
}</code>
===== Strong TLS =====
<code>openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096</code>
''/etc/nginx/snippits/ssl-params.confg
<code>ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;

ssl_dhparam /etc/nginx/certs/certsdhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
#:ECDHE-RSA-AES256-SHA384;

ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0</code>