This page show how to install Nginx with a view to using it as a reverse proxy server.
You must have a CentOS machine already set up in accordance with the the “Install CentOS 6” guide.
For CentOS 6.6 I resorted to disabling SELinux as I couldn't get the reverse proxy working with SELinux enabled
In order to get https://internet.nl/ to give this site a clean bill of health, I had to regenerate the DH Param file.
openssl genpkey -genparam -algorithm DH -pkeyopt dh_param:ffdhe4096 -out /etc/nginx/certs/cersdhparam.pem
cat << EOF > /etc/yum.repos.d/nginx.repo [nginx] name=nginx repo baseurl=http://nginx.org/packages/centos/$releasever/$basearch/ gpgcheck=0 enabled=1 EOF
yum -y install nginx
chkconfig nginx on service nginx start
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT service iptables save service iptables restart
cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.original vi /etc/nginx/conf.d/default.conf
upstream tomcatbackend {
server 127.0.0.1:8080;
}
# Force all http requests to be redirected to https
server {
listen 80;
server_name webserver.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443;
server_name webserver.example.com;
ssl on;
ssl_certificate /etc/nginx/conf.d/server.crt;
ssl_certificate_key /etc/nginx/conf.d/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# DHE-RSA-AES128-SHA needed so Java 1.6 clients can use SSLv2Hello handshake to connect.
#ssl_ciphers 'AES256+EECDH:AES256+EDH:DHE-RSA-AES128-SHA';
ssl_ciphers 'AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#charset koi8-r;
access_log /var/log/nginx/log/host.access.log main;
location /app1/ {
proxy_pass http://127.0.0.1:9090/app1/;
}
location /app2/ {
proxy_pass http://127.0.0.1:9090/app2/;
}
location / {
proxy_pass http://tomcatbackend;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
proxy_set_header Host $host;
}
# Allow only localhost and one IP to access https://webserver.example.com/manager and https://webserver.example.com/logs
location ~ ^/(manager|logs) {
allow 127.0.0.1;
allow 172.16.20.1;
deny all;
proxy_pass http://tomcatbackend;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
openssl dhparam -out /etc/nginx/certs/certsdhparam.pem 4096
''/etc/nginx/snippits/ssl-params.confg
ssl_protocols TLSv1.3; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/certs/certsdhparam.pem; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384; #:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0