
I am configuring nginx on port 80 as a proxy server for an Apache server on port 8080, using CentOS 7.

I successfully configured both for HTTP, but after installing a Let's Encrypt certificate for Apache, I see that Apache is directly receiving the HTTPS traffic. I tried to make nginx receive all HTTP and HTTPS traffic, but ran into issues.

I made a lot of changes, like disabling Apache from listening on port 443 so that it only listens on 8080. I configured nginx to listen on both 80 and 443; additionally, I removed the certificate from Apache and added it to the nginx configuration files.

Currently, the nginx configuration is as follows:

server {
    listen       80;
    listen       [::]:80 default_server;
    #server_name  _;
    server_name  www.example.com;

    root         /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://my.server.ip.add:8080;
        root   /usr/share/nginx/html;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

server {
    listen 443 default_server;
    server_name www.example.com;

    root   /usr/share/nginx/html;

    ssl                  on;
    ssl_certificate      /etc/letsencrypt/live/www.example.com/cert.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.example.com/privkey.pem;

    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #ssl_dhparam /etc/pki/nginx/dh2048.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA--REMOVED-SOME-HERE-SHA';

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Note: I am using PHP 7.0.

Currently the site is working on both HTTPS and HTTP with one known issue, i.e. user images are not loading. But I am not sure whether it is served by Apache or nginx; in the response I can see "nginx/1.10.2".

What I was actually going to implement: I was trying to run both Node.js and Apache using nginx. I have not started Node yet.

My questions:

  1. Is it really beneficial to use nginx in front and Apache at the backend? (I read that it protects against DDoS attacks.)
  2. Where should we put the certificate: at nginx or at Apache?
  3. How can I add Node.js to the nginx configuration? I have already installed Node.js.
  4. What would be the best configuration for using both nginx and Apache?

1 Answers


Good evening. First of all, all the considerations you have made at the infrastructure level are very good, and in my opinion the proxy configuration, despite the difficulties of implementation at this time, is the best.

I've been using it for some time now and the benefits are enormous. However, I would like to ask you what type of cloud infrastructure you are using, because there are so many things that change depending on the technical infrastructure. For example, I use only Google Cloud Platform, which is completely different from Cloudflare or AWS.

The configuration made is too articulated and unclear from the point of view of the structure. You should try it this way: first, enter the http context with the upstream domain name directive and, inside it, the server IP address with Apache; then make the declarations for the server and location contexts by including the parameters of the proxy_params file and the ssl snippet.

If you want, and you help me understand the infrastructure we adopt, we can see how to make the configuration together, but so it is imminent because each infrastructure responds to a different configuration.

It also applies to PHP 7.0. For example, configuring PrestaShop 1.7.1.1 with PHP 7.0, I had to make a lot of changes to the php.ini code of the CMS, as I did not use CGI in FPM, but this, as I said, was very varied.

See https://www.webfoobar.com/node/35
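
The layout this answer describes (an upstream declared in the http context, then server and location blocks sharing proxy headers and TLS settings), written out as an added example that is not part of the original answer or the asker's configuration. It assumes Apache listens only on 127.0.0.1:8080; the upstream names, the Node.js port 3000 and the /app/ prefix are hypothetical.

```nginx
# Added example, not the asker's or the answerer's configuration.
# Belongs in the http { } context, replacing the two server blocks above.
# Assumption: Apache is bound to loopback only (Listen 127.0.0.1:8080).
upstream apache_backend { server 127.0.0.1:8080; }
upstream node_backend   { server 127.0.0.1:3000; }  # hypothetical Node.js port

# Declared once at http level; inherited by every location below that
# sets no proxy_set_header of its own.
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.example.com;

    location / { proxy_pass http://apache_backend; }
}

server {
    listen 443 ssl default_server;        # "ssl" here replaces "ssl on;"
    listen [::]:443 ssl default_server;
    server_name www.example.com;

    # TLS ends at nginx, so the certificate lives here, not in Apache.
    # fullchain.pem carries leaf + intermediate; cert.pem is the leaf alone.
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    ssl_protocols TLSv1.2;                # TLSv1 and TLSv1.1 removed
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    location /      { proxy_pass http://apache_backend; }
    location /app/  { proxy_pass http://node_backend; }   # hypothetical prefix
}
```

`nginx -t` validates the file before a reload. Because Apache then only sees connections from loopback, its logs and any IP-based rules have to take the client address from X-Forwarded-For or X-Real-IP.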