How to Install and Configure Nginx with Reverse Proxy and Load Balancing on RedHat 8

Installation and configuration of the Nginx web server with reverse proxy and load balancing, using an SSL certificate from Active Directory Certificate Service (ADCS), on RedHat 9/RedHat 8/RedHat 7/CentOS 8/CentOS 7

Nginx is open source, Linux-based software that is used as a web server, load balancer, reverse proxy, cache, etc. Nginx works as a reverse proxy and load balancer for websites over the HTTP and HTTPS protocols, and it also works as a proxy server for email over the IMAP, POP3, and SMTP protocols. As a web server, Nginx supports a large number of concurrent connections, up to 10k; this is the main reason Nginx provides better performance and stability than the Apache web server on Linux-based operating systems. Nginx is the fastest web server available due to its lightweight, non-blocking architecture, which uses less memory and CPU (Central Processing Unit). Nginx is best known for its reverse proxy and load balancer roles, which handle the incoming traffic from the client side. As a reverse proxy, Nginx works as follows: when a client goes to a URL (Uniform Resource Locator), for example http://www.abc.com, the request is forwarded to the backend URL (https://www.learnitprofession.com), and the user sees only the Nginx reverse proxy URL (http://www.abc.com). As a load balancer, Nginx works as follows: when a client goes to a URL, for example http://www.abc.com, it forwards the client request to the URLs that work as a cluster of web servers (websites), meaning multiple URLs hold the same website data, replicated between them.

Nginx vs Apache: The Nginx web server has many advantages and performs better than the Apache web server. Nginx manages multiple requests in a single thread, known as an event-driven architecture, while Apache creates a thread for every request, known as a process-driven architecture. Both Nginx and Apache have their own functionality in their domain. Nginx processes a web page faster than Apache, while Apache has multiple powerful modules to fulfill environment requirements. Nginx has better efficiency, higher performance and is more resource-efficient than Apache, while Apache is a more scalable web server than Nginx. Apache is simple and easy for developers to add modules to, while Nginx requires more precise code to add modules. Nginx is almost 3 times faster than Apache, which supports 1k concurrent connections at the same time. In terms of content, especially dynamic content, both Apache and Nginx provide the best performance, while on static content Apache is slower than Nginx because Nginx uses less RAM (Random Access Memory).

Note: The Nginx web server is supported on the Windows and Linux operating systems; on Windows, Nginx performance is not as good as on Linux-based operating systems.

Here we install and configure the Nginx web server with Secure Sockets Layer (SSL) on Red Hat Enterprise Linux 8 (RHEL 8); you can perform the same steps on RedHat 9/RedHat 7/CentOS 8/CentOS 7.

To install the Nginx web server on Red Hat Enterprise Linux 8, type the command below.

dnf install nginx -y

To start and enable the Nginx web server service “nginx” and check its status, type the commands below.

systemctl start nginx
systemctl enable nginx
systemctl status nginx

The main configuration file of the Nginx web server is “nginx.conf”, located at “/etc/nginx/nginx.conf”. To edit the main configuration file, type the command below.

vi /etc/nginx/nginx.conf

For the default website configuration, go to line number “41” and set the “server_name”; in our environment the “server_name” is “nginx.abc.org.pk”.

server_name nginx.abc.org.pk;

After modifying the main configuration file “nginx.conf”, the Nginx web server service “nginx” needs to be restarted. To restart the service, type the command below.

systemctl restart nginx

To allow the web service or its ports through the firewall on the Nginx web server, type the commands below. On RedHat 9/RedHat 8/RedHat 7/CentOS 8/CentOS 7, firewalld is used to manage the firewall rules.

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
or
firewall-cmd --permanent --add-port=80/tcp
firewall-cmd --permanent --add-port=443/tcp

After allowing the services or ports in the firewall “firewalld” on RedHat 9/RedHat 8/RedHat 7/CentOS 8/CentOS 7, reload the “firewalld” daemon with the command below.

firewall-cmd --reload

Note: Create a host entry on the DNS server in a centralized domain environment; if a domain environment is not available, the hostname and IP need to be added to the hosts file of each client machine.

To verify that the web page is working on a client machine, type the URL (Uniform Resource Locator) below in any web browser.

http://ip or http://fqdn
http://nginx.abc.org.pk/

If you want to host your own website in the default web server directory, the directory of the Nginx web server is “/usr/share/nginx/html”. Here we only modify the file “index.html”: first go to the directory “/usr/share/nginx/html” with the command “cd”, then edit the file “index.html” with the editor “vi”.

cd /usr/share/nginx/html
vi index.html

Put the HTML code below in the file “index.html”; the only text in this code is “Nginx-Server”, which is displayed at the center of the web page in a web browser.

<html>
<body>
<div style="width: 100%; font-size: 40px; font-weight: bold; text-align: center;">
Nginx-Server
</div>
</body>
</html>

To verify how the above code works, type the URL (Uniform Resource Locator) below in a web browser.

http://nginx.abc.org.pk/

Create SSL Certificate: To create an SSL (Secure Sockets Layer) certificate with a certificate template, first create a file with the extension “.cnf”. Here we create the certificate template file “openssl-san.cnf” with the editor “vi”.

vi openssl-san.cnf

Put the certificate template configuration below in the file “openssl-san.cnf”; you can modify the file as required.

[ req ]
default_bits           = 2048
# Take the subject fields below as literal values instead of prompting for them.
prompt                 = no
distinguished_name     = req_distinguished_name
req_extensions         = req_ext
[ req_distinguished_name ]
# countryName must be the two-letter country code.
countryName            = PK
stateOrProvinceName    = Sindh
localityName           = Karachi
organizationName       = System Team
organizationalUnitName = IT
commonName             = nginx.abc.org.pk
emailAddress           = owais@abc.org.pk
[ req_ext ]
# Host names the certificate must be valid for.
subjectAltName = @alt_names
[ alt_names ]
DNS.1   = nginx.abc.org.pk
DNS.2   = nginx

To create a CSR (Certificate Signing Request) and key using RSA (Rivest Shamir Adleman) with key length “2048” and SHA256 (Secure Hash Algorithm 256 bit), type the command below. This CSR is created with the certificate template configuration file “openssl-san.cnf”.

openssl req -newkey rsa:2048 -nodes -sha256 -keyout nginx.key -out nginx.csr -config openssl-san.cnf

To create a CSR (Certificate Signing Request) without the certificate template configuration file, type the command below.

openssl req -new -newkey rsa:2048 -nodes -keyout nginx.key -out nginx.csr

To list the newly created CSR (Certificate Signing Request) and key files, use the command “ll”. To copy the entire content of the CSR, display it with the command “cat”, then select the content from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----”; if you are using PuTTY for the SSH (Secure Shell) session, selecting it with the left mouse button copies it.

ll
cat nginx.csr

Paste the entire content of the CSR (Certificate Signing Request) into the “Base 64 encoded certificate request” window on the Active Directory Certificate Service (ADCS) “Submit a Certificate Request or Renewal Request” page and select the certificate template “Web Server”. If you do not have ADCS in your environment, you can obtain a certificate from a public Certificate Authority (Comodo, Thawte, etc.). After providing all the details, click Submit to create the certificate.

After you click the Submit button, the certificate is generated in “DER encoded” and “Base 64 encoded” formats; download the certificate in “Base 64 encoded” format. Move the downloaded certificate to the directory “/etc/pki/tls/certs”; you can place the certificate in any directory, but its location must be defined in the configuration file “nginx.conf” or in the virtual host configuration file.
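
Before referencing the issued certificate in nginx, it helps to confirm that the CSR really carried the SAN names from “openssl-san.cnf”, that the certificate returned by ADCS belongs to “nginx.key”, and that the key file is not readable by other users. The script below is an added example, not part of the original article; the function names are hypothetical and the files are the ones created above.

```shell
#!/bin/sh
# Added example: sanity checks on the CSR, the private key and the issued
# certificate. Function names are hypothetical; file names follow the article.

# Print the DNS names requested in a CSR's subjectAltName, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Print the public key (PEM) contained in a private key, CSR or certificate.
pubkey_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeed only if the certificate ($1) was issued for the private key ($2).
# Unreadable or unparsable files count as a mismatch.
cert_matches_key() {
    c=$(pubkey_pem cert "$1") && k=$(pubkey_pem key "$2") &&
        [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only if the key file exists and grants nothing to group or others.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -maxdepth 0 -perm /077)" ]
}
```

Run “csr_san_names nginx.csr” before submitting the request, and “cert_matches_key” and “key_is_private” after copying the files into place.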

Configure nginx Reverse Proxy: As a reverse proxy, Nginx works as follows: when a user types the Nginx web URL (Uniform Resource Locator) in a web browser, the request is forwarded to the backend website URL. The backend web server can be Apache, Nginx, etc.

Create the virtual host configuration file “nginx-reverse-proxy.conf” for the Nginx reverse proxy in the virtual host directory “/etc/nginx/conf.d/” with the editor “vi”.

vi /etc/nginx/conf.d/nginx-reverse-proxy.conf

Add the code below to the Nginx reverse proxy file “nginx-reverse-proxy.conf”. This configuration is without a Secure Sockets Layer (SSL) certificate; in it the Nginx web URL “nginx.abc.org.pk” is forwarded to the backend Apache server URL “apache1.abc.org.pk”.

    server {
        listen      80 default_server;
        listen      [::]:80 default_server;
        server_name nginx.abc.org.pk;
        proxy_redirect      off;
        proxy_set_header    X-Real-IP $remote_addr;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header    Host $http_host;
        location / {
            proxy_pass http://apache1.abc.org.pk/;
        }
    }

If SELinux is enabled, type the command below to set the boolean that allows the Nginx reverse proxy web server to make network connections. If you are considering disabling SELinux, it is best practice to set SELinux to permissive mode rather than disable it, because in permissive mode warnings are still generated, meaning security-related events are logged.

setsebool -P httpd_can_network_connect on

To configure logging of the X-Forwarded-For header, add the code below inside the http block of the main Nginx configuration file “/etc/nginx/nginx.conf”.

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

Comment out the “listen”, “server_name” and “root” directives in the main Nginx configuration file “/etc/nginx/nginx.conf”.

        #listen       80 default_server;
        #listen       [::]:80 default_server;
        #server_name  nginx.abc.org.pk;
        #root         /usr/share/nginx/html;

For SSL: Modify the Nginx reverse proxy virtual host configuration file “nginx-reverse-proxy.conf” to use the Secure Sockets Layer “SSL” certificate. Edit the file with the editor “vi”.

vi /etc/nginx/conf.d/nginx-reverse-proxy.conf

Add the code below for the Nginx reverse proxy with the Secure Sockets Layer “SSL” certificate. In this code port 80 is also redirected to port 443.

server {
    listen 80;
    server_name nginx.abc.org.pk nginx;
    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name nginxreverseproxy;
    ssl_certificate "/etc/pki/tls/certs/nginx.cer";
    ssl_certificate_key "/etc/pki/tls/certs/nginx.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    proxy_redirect      off;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    location / {
        proxy_pass https://apache2.abc.org.pk/;
    }
}

Note: Create a host entry on the DNS server if you have one in your environment; otherwise create a host entry with the IP on each client machine from which you want to access this Nginx reverse proxy web URL.

The main result of the Nginx web server is shown at the URL below.

http://nginx.abc.org.pk/

After the Nginx reverse proxy is configured, the result of the reverse proxy URL is shown below. The Nginx web URL forwards to the backend Apache website, which contains only the text “Karachi”.

https://nginx.abc.org.pk/

Configure Nginx Load Balancing: As a load balancer, Nginx balances the load across the backend clustered websites. To configure Nginx load balancing, create the virtual host configuration file “nginx-load-balance.conf” in the directory “/etc/nginx/conf.d”.

vi /etc/nginx/conf.d/nginx-load-balance.conf

Add the code below to the Nginx load balancing file “nginx-load-balance.conf”; in this file the URL is also redirected from port 80 to 443.

server {
    listen 80;
    server_name nginx.abc.org.pk nginx;
    # Redirect HTTP to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name nginxloadbalance 192.168.10.183;
    ssl_certificate "/etc/pki/tls/certs/nginx.cer";
    ssl_certificate_key "/etc/pki/tls/certs/nginx.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    proxy_redirect      off;
    proxy_set_header    X-Real-IP $remote_addr;
    proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header    Host $http_host;
    location / {
        proxy_pass https://backends/login.php;
    }
}

Define the “backends” group of Apache web servers in the main Nginx configuration file “/etc/nginx/nginx.conf” for load balancing. Use the editor "vi" to modify the file “nginx.conf”.

vi /etc/nginx/nginx.conf

Add the code below inside the http block.

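## Both servers have weight 1 (the default), so requests alternate between them.
## Add the "backup" parameter to a server to use it only when the other is down.
upstream backends {
    server 192.168.10.11:5555 weight=1;
    server 192.168.10.12:5555;
}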
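
With “proxy_pass https://...”, as used in the reverse proxy and load balancing files above, nginx encrypts the connection to the backend but does not verify the backend certificate unless “proxy_ssl_verify” is turned on. The script below is an added example, not part of the original article: it lists unverified HTTPS backends in a configuration file and prints a location block with verification enabled. The function names, the CA bundle path and the backend certificate name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, the CA bundle
# path and the backend certificate name are assumptions.

# List every "proxy_pass https://..." line in a config file unless that file
# also turns on proxy_ssl_verify and names a trusted CA bundle.
# Simplification: the whole file is treated as one scope.
unverified_https_upstreams() {
    awk '
        { sub(/#.*/, "") }                            # ignore comments
        /proxy_ssl_verify[ \t]+on[ \t]*;/      { verify = 1 }
        /proxy_ssl_trusted_certificate[ \t]+/  { ca = 1 }
        /proxy_pass[ \t]+https:\/\//           { hit[++n] = FNR ": " $0 }
        END {
            if (verify && ca) exit
            for (i = 1; i <= n; i++) {
                sub(/:[ \t]+/, ": ", hit[i])          # trim the indentation
                print FILENAME ":" hit[i]
            }
        }
    ' "$1"
}

# Print a location block that verifies the backend certificate against the
# ADCS root CA certificate exported in Base 64 (PEM) form.
hardened_location() {
    cat <<'EOF'
location / {
    proxy_pass                    https://backends/login.php;
    proxy_ssl_verify              on;
    proxy_ssl_trusted_certificate /etc/pki/tls/certs/adcs-root-ca.pem;  # assumed path
    proxy_ssl_server_name         on;
    # "backends" is only the upstream label; verify against the name the
    # backend certificate was issued for (assumed here).
    proxy_ssl_name                apache1.abc.org.pk;
}
EOF
}
```

Run “unverified_https_upstreams” against each file in “/etc/nginx/conf.d”; no output means every HTTPS backend in that file is verified.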

After completing the configuration, restart the Nginx web server service “nginx” by typing the command below. You can also check the status of the Nginx web server with the second command.

systemctl restart nginx
systemctl status nginx
