Reverse Proxy. 

I’ve been implementing reverse-proxy solutions in the lab and in production for some time now, but I always run into the same problem: it’s not the easiest type of system to manage, especially once SSL certificates are involved.

Now, before I started looking for an easy-to-manage SSL solution, I figured I’d find some sort of web interface for the NGINX config files and other basic server management. After some searching and testing, I settled on Ajenti. Ajenti is a Python-based Linux control panel that makes installing packages and managing services very easy.

Here’s an overview, followed by a detailed guide to setting up your own perfect reverse proxy.

  1. Prepare the server: install NGINX and fail2ban, plus anything else you want.
  2. Install Ajenti Control Panel (version 1)
  3. Create site configs in NGINX via Ajenti CP.
  4. Obtain free SSL certificate for the site(s)

1. Preparing your server:

I’m using Ubuntu 16.04.3 and will be installing some packages before installing the control panel.

 

2. Installing Ajenti

Run these commands as root (or `sudo -i` from your user account).

Next, open up your panel at https://your-ip:8000 and log in.

It should tell you the default user and password like below.

The default is either root / admin or admin / admin. Change that password as soon as you are logged in; the panel is reachable from the network and the defaults are public.

Once you’re in, you’ll notice that there are already sections in the navigation for both NGINX and fail2ban.

Any time you install a new package and want the corresponding navigation to appear in the control panel, you must restart the agent service. You can do this inside the panel too.

3. Configuring NGINX sites

Scroll down and navigate to the NGINX page.

  • Here you can create the configuration files via WebUI for each proxy you would like the reverse proxy to handle.

Go ahead and click + Add at the bottom and fill in the details. Your domain or subdomain should already be pointing to the public IP of this server, or your home IP with ports 80 and 443 forwarded to this server’s LAN IP.

 

Here is a simple proxy-pass config to get you started. Any time someone visits sub.domain.com, their request will be forwarded to 192.168.0.100 on port 8080. Repeat this for as many sites as you need.

Make sure to enable the config, save your changes, and then restart the NGINX service.

At this point you should be able to reach your server through the reverse proxy, but the endpoint is not secure until the traffic is encrypted. Let’s do that now.

4. Free SSL with LetsEncrypt + Certbot

First, add the repository:

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

The certbot Let’s Encrypt client is now ready to use.

Claim your free cert:

Remember the config file you created, resembling sub.domain.com?

Certbot will find the config file, validate your server, install your certificate, and even modify the config to force redirection to HTTPS. Just enter the following in a shell, filling in your domain or subdomain.

It will first ask you for an email address to send renewal notices to.

You will have to agree to terms, and then you can opt in or out of sharing your email address.

It will then verify your server.

As long as your domain’s DNS is set to the public IP of your server and ports 80 and 443 are open, this should pass and ask if you would like to redirect all traffic to HTTPS.

I usually do this; when you accept, Certbot makes a notable addition to the config automatically:

 

This can be reversed if you need to.
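The proxy-pass config from step 3 and the redirect Certbot adds in step 4, side by side, rendered by a small POSIX shell script. This is an added example, not the post’s own config or Certbot’s code: it assumes the proxy forwards the usual `X-Forwarded-*` headers (the post does not show its exact config), and the post-Certbot layout is modelled on what Certbot’s nginx plugin writes after `certbot --nginx -d sub.domain.com` with the redirect option accepted, with the certificate under `/etc/letsencrypt/live/sub.domain.com/`. The function names, and the `http_is_redirect_only` check, are mine.

```shell
#!/bin/sh
# Added example (not from the original post): renders the NGINX site config
# created in step 3 and the shape it takes after Certbot's --nginx plugin has
# installed the certificate and HTTPS redirect in step 4.
# Assumptions: forwarding headers below are my choice; the "managed by Certbot"
# layout is modelled on the plugin's output, not copied from the post.
set -eu

# Step 3: plain HTTP proxy site. Requests for $1 are passed to http://$2:$3
# on the LAN. The forwarding headers let the backend see the real client
# address, original Host and scheme instead of only the proxy's LAN address.
render_proxy_site() {
    domain=$1; upstream_host=$2; upstream_port=$3
    cat <<EOF
server {
    listen 80;
    server_name ${domain};

    location / {
        proxy_pass http://${upstream_host}:${upstream_port};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Step 4: the same site after "certbot --nginx -d <domain>" (assumed command)
# with the redirect accepted. The location block now lives in a TLS server on
# 443 using the Let's Encrypt files, and the port-80 server only answers with
# a 301 to https:// (the "notable addition"); everything else on 80 gets 404.
render_https_site() {
    domain=$1; upstream_host=$2; upstream_port=$3
    cat <<EOF
server {
    server_name ${domain};

    location / {
        proxy_pass http://${upstream_host}:${upstream_port};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if (\$host = ${domain}) {
        return 301 https://\$host\$request_uri;
    } # managed by Certbot

    listen 80;
    server_name ${domain};
    return 404; # managed by Certbot
}
EOF
}

# Sanity check to run before "nginx -t" and a reload: does the rendered
# config still proxy anything over plain HTTP? Returns 0 when every server
# that listens on 80 is redirect-only, 1 when one of them has a proxy_pass.
http_is_redirect_only() {
    # Flatten each top-level "server { ... }" block onto one line, keep the
    # blocks that listen on 80, and fail if any of them carries a proxy_pass.
    ! printf '%s\n' "$1" \
        | awk '/^server [{]/{blk=""} {blk=blk $0 " "} /^[}]/{print blk}' \
        | grep 'listen 80;' | grep -q 'proxy_pass'
}

# Usage: sh proxy-site.sh sub.domain.com 192.168.0.100 8080 > sub.domain.com.conf
if [ "$#" -eq 3 ]; then
    render_proxy_site "$1" "$2" "$3"
fi
```

Run `http_is_redirect_only "$(cat /etc/nginx/sites-enabled/sub.domain.com)"` after Certbot has finished to confirm the port-80 server really is redirect-only; if the check fails, the proxied location is still reachable without TLS and step 4 has not done what the prompt promised.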

Now, visit your website by domain name and you should already have a valid HTTPS certificate!

5. You’re done!

I continue to use Ajenti and NGINX for my reverse proxy solution, and all of my subdomains have their own valid SSL certificates this way. I can spin up a project on a Docker host or a microservice like a Transmission downloader and configure an HTTPS-secured endpoint on the reverse proxy in minutes.


11 Comments

jaericho · July 10, 2018 at 7:59 pm

Excellent tutorial. I had one snag: site2.domain.com would complain that it had site1.domain.com’s cert (I had not run certbot for site2 yet.) But once I ran certbot for site2 everything is working. Fantastic!

Tony · June 23, 2018 at 4:13 am

Superb tutorial! Everything worked as expected. I had issues trying to get Traefik to work, so I was happy when I came across your site! This setup works perfectly for what we need to do.

    Tyler Woods · June 26, 2018 at 12:11 pm

    Thank you so much for your feedback! I’m really happy it helped you.

werni · June 6, 2018 at 2:39 am

Hi, looking very nice… is this config already available as a Docker image?

    Tyler Woods · June 12, 2018 at 5:23 pm

    Unfortunately it’s not. Maybe for a future project on a rainy day. Thanks for the suggestion though.

      algonrey · July 17, 2018 at 3:32 pm

      Hi Tyler! I just made a docker image with your implementation of the reverse-proxy solution 🙂 I hope you don’t mind 😛

      The only step I changed was the use of certbot-auto instead of certbot.

      The docker image is fully functional, but I would make some changes in order to save the config to a volume (e.g.)

      Well, the docker image is this:

      https://hub.docker.com/r/algonrey/prp/

      prp as Perfect Reverse Proxy as you name it 😉

      Regards!!

Scott Yannitell · April 29, 2018 at 5:56 am

Super tutorial, man!

prog · January 26, 2018 at 5:21 am

Certbot gives me an error:
Failed authorization procedure. .com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from .com/.well-known/acme-challenge/HKDDKXqB2GEUXRonAUWMBqtPkTDpl7iHeKrkjTty_V8:

Vic · September 14, 2017 at 1:22 pm

Nice!

Reverse web proxy (with certs) – Halo's Protest · July 10, 2018 at 8:19 pm

[…] Here is a great tutorial for setting up a reverse proxy for webservers. (Kudos Tyler and the Ajenti project.) […]
