NGinx Reverse Proxy Multi-Server Config

I need your help correcting my nginx reverse-proxy configuration. Most of the host names are proxied correctly, while some (identical configuration, different upstream port) fail:

# Hop-by-hop header handling: when the client asks for a protocol upgrade
# (WebSocket), forward "Connection: upgrade"; otherwise send "Connection: close".
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}

# Name resolution for the variable host used in proxy_pass: the upstream
# name is looked up at request time through the cluster DNS service.
resolver kube-dns.kube-system.svc.cluster.local;

# Shared memory zones keyed by client address.
# NOTE(review): if a load balancer sits in front of this proxy,
# $binary_remote_addr may be the balancer's address rather than the
# client's, which would make these limits global instead of per client — confirm.
limit_req_zone  $binary_remote_addr zone=limit:10m rate=2000r/m;  # 2000 requests / minute
limit_conn_zone $binary_remote_addr zone=addr:10m;                 # concurrent connections

# Plain-HTTP listener: every request is answered with a redirect to HTTPS.
server {
    server_name _;
    listen [::]:8080 default_server;
    listen 8080 default_server;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    # $host is taken from the client's request, so the redirect target is
    # whatever name the client asked for. The target uses the default port
    # 443; reaching the 8443 TLS listener presumably relies on a port mapping
    # in front of nginx — confirm.
    return 301 https://$host$request_uri;
}

# Landing page: apex and portal host names, proxied to example.de:9443.
server {
    listen 8443 ssl;
    server_name example.de portal.example.de;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level.
        limit_conn addr 100;
        limit_req  zone=limit burst=20 nodelay;   # delay=15 was considered instead of nodelay

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend. The client's Host header is passed
        # through unchanged; no X-Forwarded-For / X-Forwarded-Proto is set here.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # NOTE(review): the backend is reached over https, but nginx does not
        # verify the upstream certificate unless proxy_ssl_verify is enabled
        # (together with proxy_ssl_trusted_certificate); confirm that the
        # path between this proxy and example.de:9443 is trusted.
        proxy_pass     https://$upstream:9443;
        proxy_redirect off;
    }
}

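# Blog: public name blog.example.de, served by example.de:9443 under /drupal.
server {
    listen 8443 ssl;
    server_name blog.example.de;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level.
        limit_conn addr 100;
        limit_req  zone=limit burst=20 nodelay;   # delay=15 was considered instead of nodelay

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend. The client's Host header is passed
        # through unchanged; no X-Forwarded-For / X-Forwarded-Proto is set here.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # The blog lives under /drupal on the backend while the public site is
        # served at the root. Because proxy_pass uses a variable, a URI given
        # here replaces the request URI as-is, so the original path and query
        # ($request_uri) must be appended explicitly: "/" -> "/drupal/".
        #
        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (with proxy_ssl_trusted_certificate);
        # confirm the path between this proxy and example.de:9443 is trusted.
        proxy_pass https://$upstream:9443/drupal$request_uri;

        # NOTE(review): with proxy_redirect off, Location headers issued by the
        # backend (e.g. pointing at https://blog.example.de:9443/drupal/...)
        # reach the browser unchanged; if the backend redirects, a proxy_redirect
        # rule mapping that prefix back to / will be needed — confirm.
        proxy_redirect off;
    }
}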

# Bastillion: proxied to example.de:30900.
server {
    listen 8443 ssl;
    server_name bastillion.example.de;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level.
        limit_conn addr 100;
        limit_req  zone=limit burst=20 nodelay;

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend. The client's Host header is passed
        # through unchanged; no X-Forwarded-For / X-Forwarded-Proto is set here.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (with proxy_ssl_trusted_certificate);
        # confirm the path between this proxy and example.de:30900 is trusted.
        proxy_pass     https://$upstream:30900;
        proxy_redirect off;
    }
}

# Landscape: proxied to example.de:50080.
server {
    listen 8443 ssl;
    server_name landscape.example.de;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level.
        limit_conn addr 100;
        limit_req  zone=limit burst=20 nodelay;   # delay=15 was considered instead of nodelay

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend. The client's Host header is passed
        # through unchanged; no X-Forwarded-For / X-Forwarded-Proto is set here.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (with proxy_ssl_trusted_certificate);
        # confirm the path between this proxy and example.de:50080 is trusted.
        proxy_pass     https://$upstream:50080;
        proxy_redirect off;
    }
}

# DSM (dsm.example.de / example.synology.me): proxied to example.de:5011.
server {
    listen 8443 ssl;
    server_name dsm.example.de example.synology.me;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level.
        limit_conn addr 100;
        limit_req  zone=limit burst=20 nodelay;   # delay=15 was considered instead of nodelay

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend. The client's Host header is passed
        # through unchanged; no X-Forwarded-For / X-Forwarded-Proto is set here.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (with proxy_ssl_trusted_certificate);
        # confirm the path between this proxy and example.de:5011 is trusted.
        proxy_pass     https://$upstream:5011;
        proxy_redirect off;
    }
}

# Tomcat 7: proxied to example.de:7070.
server {
    listen 8443 ssl;
    server_name tomcat.example.de;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level.
        limit_conn addr 100;
        limit_req  zone=limit burst=20 nodelay;   # delay=15 was considered instead of nodelay

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend. The client's Host header is passed
        # through unchanged; no X-Forwarded-For / X-Forwarded-Proto is set here.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (with proxy_ssl_trusted_certificate);
        # confirm the path between this proxy and example.de:7070 is trusted.
        proxy_pass     https://$upstream:7070;
        proxy_redirect off;
    }
}

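# Any other subdomain of example.de (incl. WebSocket): proxied to example.de:30000.
server {
    listen 8443 ssl;

    # A wildcard name instead of the former regex "~^(.*).example.de": the
    # regex was unanchored at the end and used an unescaped ".", so host
    # names such as "foo.example.de.<other-domain>" or "xexample.de" also
    # matched and were proxied with that Host header. "*.example.de" matches
    # exactly one or more labels followed by ".example.de"; exact names in
    # the other server blocks still take precedence, and anything else now
    # falls through to the default (444) server.
    server_name *.example.de;

    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    access_log /opt/bitnami/nginx/logs/access.log;
    error_log  /opt/bitnami/nginx/logs/error.log;

    # Short timeouts so idle or slow clients do not hold connections open.
    client_header_timeout 3s;
    client_body_timeout   3s;

    location / {
        # Per-client limits; the zones are declared at http level. The burst
        # here is far larger than in the other servers (1000 vs 20).
        limit_conn addr 100;
        limit_req  zone=limit burst=1000 nodelay;   # delay=15 was considered instead of nodelay

        # Holding the upstream host in a variable makes proxy_pass resolve it
        # at request time through the configured resolver.
        set $upstream example.de;

        # Headers handed to the backend; the client's Host header is passed
        # through unchanged.
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header HOST           $http_host;

        # WebSocket / hop-by-hop handling (see the $connection_upgrade map).
        proxy_http_version 1.1;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Upgrade    $http_upgrade;

        # Buffer limits
        # https://www.getpagespeed.com/server-setup/nginx/tuning-proxy_buffer_size-in-nginx
        proxy_buffer_size       16k;     # default: 4k
        proxy_buffers           64 16k;  # default: 8 4k
        proxy_busy_buffers_size 32k;
        #proxy_read_timeout     30;

        # Keycloak
        #proxy_set_header X-Forwarded-Host $http_host;

        # Forwarding headers for the backend. X-Forwarded-Port is fixed to 443
        # although this listener is on 8443 — presumably a port mapping in
        # front of nginx exposes it as 443; confirm.
        proxy_set_header Referer           $http_referer;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  443;

        # NOTE(review): nginx does not verify the upstream certificate unless
        # proxy_ssl_verify is enabled (with proxy_ssl_trusted_certificate);
        # confirm the path between this proxy and example.de:30000 is trusted.
        proxy_pass     https://$upstream:30000;
        proxy_redirect off;
    }
}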

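# Default server on the TLS port: requests whose Host matches no server_name
# above end here and the connection is closed without a response (444).
server {
    # "ssl" is stated explicitly on both sockets. The other servers only mark
    # the IPv4 socket as ssl; nothing else listens on [::]:8443, so without the
    # parameter IPv6 clients on this port would presumably be served plain
    # HTTP instead of TLS — confirm against the IPv6 setup in front of nginx.
    listen 8443 ssl default_server;
    listen [::]:8443 ssl default_server;

    # A certificate is still required so the TLS handshake completes before
    # the request is rejected.
    ssl_certificate     /certs/server.crt;
    ssl_certificate_key /certs/server.key;

    server_name _;

    # Short timeouts so idle or slow clients do not hold connections open.
    # The header timeout was "30" (30 seconds, no unit); for a server that
    # only rejects requests it now matches the 3s used everywhere else.
    client_header_timeout 3s;
    client_body_timeout   3s;

    return 444;
}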
  1. Connections are upgraded from HTTP to HTTPS
  2. Landing Page reachable
  3. blog is not proxied correctly. I want blog.example.de in the user's browser address bar, which should resolve to blog.example.de:9443/drupal.
  4. Bastillion is reachable
  5. Landscape is not in scope here
  6. DSM is reachable
  7. TomCat is reachable
  8. Wildcard is fine
  9. malicious requests are caught

Question

  • How is blog.example.de/drupal reduced to blog.example.de?
  • Is there a notation for reducing the redundant directives in the location blocks?
  • Any other best practice you noticed, which I do not follow?

Big thanks!

question from:https://stackoverflow.com/questions/65900911/nginx-reverse-proxy-multi-server-config
