Reverse Proxy. 

I’ve been implementing reverse-proxy solutions in lab and in production for some time now, but I always come across the same problem: it’s not the easiest kind of system to manage, especially when there are SSL certificates involved.

Now, before I started looking for an easy-to-manage SSL solution, I figured I’d find some sort of web interface for the NGINX config files and other basic server management. After some searching and testing, I decided on Ajenti. Ajenti is a Python-based Linux control panel that makes installing packages and managing services very easy.

Here’s an overview, followed by a detailed guide of how to set up your own perfect Reverse Proxy.

  1. Prepare the server: install NGINX and fail2ban, plus anything else you want.
  2. Install the Ajenti Control Panel (version 1).
  3. Create site configs in NGINX via the Ajenti CP.
  4. Obtain a free SSL certificate for the site(s).

1. Preparing your server:

I’m using Ubuntu 16.04.3 and will be installing some packages before installing the control panel.


2. Installing Ajenti

Run these commands as root (or `sudo -i` from your user account).

Next open up your panel at https://your-ip:8000 and log in.

It should tell you the default user and password like below.

The default is either root / admin or admin / admin

Once you’re in, you’ll notice that there are already sections in the navigation for both NGINX and fail2ban.

Any time you install a new package and want the corresponding navigation to appear in the control panel, you must restart the agent service. You can do this inside the panel too.

3. Configuring NGINX sites

Scroll down and navigate to the NGINX page.

  • Here you can create the configuration files via WebUI for each proxy you would like the reverse proxy to handle.

Go ahead and click + Add at the bottom and fill in the details. Your domain or subdomain should already be pointing to the public IP of this server, or your home IP with ports 80 and 443 forwarded to this server’s LAN IP.


Here is a simple proxy-pass config to get you started. Any time someone visits sub.domain.com, their request will be sent to 192.168.0.100 on port 8080. Repeat this for every service you want the proxy to front.

Make sure to enable the config, save your changes, and then restart the NGINX service.

As of now, you should be able to reach your server through the reverse proxy, but it is not a secure endpoint until we encrypt communications. Let’s do that now.

4. Free SSL with Let’s Encrypt + Certbot

First, add the repository:

You’ll need to press ENTER to accept. Afterwards, update the package list to pick up the new repository’s package information:

The certbot Let’s Encrypt client is now ready to use.

Claim your free cert:

Remember the config file you created, resembling sub.domain.com?

Certbot will find the config file, validate your server, install your certificate, and even modify the config to force redirection to HTTPS. Just enter the following in a shell, filling in your domain or subdomain.

It will first ask you for an email address to send renewal notices to.

You will have to agree to terms, and then you can opt in or out of sharing your email address.

It will then verify your server.

As long as your domain’s DNS is set to the public IP of your server and ports 80 and 443 are open, this should pass and ask if you would like to redirect all traffic to HTTPS.

I usually do this, and certbot then makes a notable addition to the config automatically:


This can be reversed if you find the need.
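To show what the proxy-pass site from step 3 looks like once certbot has added the certificate and the HTTPS redirect, here is an added example (my own write-up, not a config taken from the post, from Ajenti or from certbot). It assumes certbot’s default /etc/letsencrypt/live/<domain>/ certificate layout, and the redirect block is written by hand rather than copied from what certbot emits; the backend 192.168.0.100:8080 is the one used above.

```nginx
# Added example: finished sub.domain.com site with TLS and HTTPS redirect.
# Certificate paths assume certbot's default /etc/letsencrypt/live layout.

# Plain-HTTP listener: only redirects, so nothing is served unencrypted.
server {
    listen 80;
    server_name sub.domain.com;
    return 301 https://$host$request_uri;
}

# TLS listener that does the actual proxying.
server {
    listen 443 ssl http2;
    server_name sub.domain.com;

    ssl_certificate     /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;
    # TLSv1.2 only: the nginx shipped with Ubuntu 16.04 predates TLSv1.3.
    ssl_protocols TLSv1.2;

    # Ask browsers to keep using HTTPS for this host (one year).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.0.100:8080;

        # Pass the original host and client address through so the
        # backend logs the real visitor instead of the proxy's LAN IP.
        # The backend should trust these headers only from this proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the result with `nginx -t` before restarting the service from the panel; a bad certificate path fails here rather than at runtime.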

Now, visit your website via domain name and you should already have a valid HTTPS!

5. You’re done!

I continue to use Ajenti and NGINX for my reverse proxy solution, and all of my subdomains have their own valid SSL certificates this way. I can spin up a project on a Docker host or spin up a microservice like the Transmission downloader and configure an HTTPS-secured endpoint on the reverse proxy in minutes.


1 Comment

Vic · September 14, 2017 at 1:22 pm

Nice!
