Configure NGINX as a Reverse Proxy

Video Statistics and Information

Captions
Hey, how's it going? My name is Jay. In this video we're going to have a quick look at how you can configure NGINX as a reverse proxy, reverse proxy being one of the most widely used use cases for an NGINX instance. Let's get straight into it.

So what we're going to look at is, of course, a quick high-level understanding of a forward proxy and a reverse proxy. We'll look at the proxy_pass directive, which NGINX utilizes to forward the request to an upstream or a backend server, and then we'll also look at redefining the request headers, essentially to try and capture all the details of the original requester or the original client, and how to forward those details to the actual backend server via the proxy.

So before we jump in and talk about reverse proxy in particular, I'd just like to highlight the fact that NGINX is extremely lightweight, resilient, very, very popular as a web server, but the functionality of NGINX does not stop at reverse proxy or a web server. The green boxes you see on the screen right now, these are all the functionalities you can achieve with a single instance of NGINX. Also, on top of that, you can run NGINX wherever you want. I've pasted a few logos of a few cloud providers here; however, you can run NGINX on any cloud as far as you've got a supported Linux operating system. With that, let's get started.

So the focus of this video is reverse proxy, so let's jump straight into it. So what exactly is a reverse proxy? Generally there are two ways to think about a proxy. One is a forward proxy, which is essentially a client-side proxy which conceals the identity of, or acts in place of, the clients. And the second one is a reverse proxy, which is a server-side proxy which conceals the identity of the actual backend application servers or at times acts in place of these backend application servers. Organizations generally deploy NGINX as a reverse proxy, and as I mentioned earlier, this is one of the most common use cases for an NGINX instance.

Now, how does NGINX do that? NGINX does proxying by utilizing the proxy_pass directive. So the proxy_pass directive moves an incoming request to a replacement destination at the backend. The address can be a domain name, an IP address, port, Unix socket, upstream name, or even a set of variables. The syntax for this directive, or the proxy_pass directive, is very simple: it's proxy_pass followed by a destination, and it's generally only utilized in a server and location context.

In the example you see on the screen right now, what we have is https.example.com. NGINX matches this specific request against the slash and forwards the request to the destination, which in this case is 10.1.1.4. So the destination IP address is most likely a web server or an application server sitting behind a firewall, and perhaps the IP address of the NGINX Plus instance or NGINX instance which you see here would only be the IP address which would have access to the backend application server. So the clients connect to this reverse proxy, and the reverse proxy, which is your NGINX instance, has access to the backend application server. Sounds easy, and it definitely is, and we'll have a look at how easy it is to configure a reverse proxy in the demo after.

However, one thing we need to understand is the behavior of NGINX, and NGINX's default behavior is to close the connection before it goes out and initiates a new connection to the backend. So in this process some of the original request information will be lost. So for example, when an original request is made from a client or a browser from your laptop, hits the reverse proxy, and that information gets sent to the backend servers, NGINX terminates that connection at that reverse proxy point. So you want to try and ensure that you capture some of the details, like the actual IP address of the original client, the host details, what you are writing the request; you want to try and capture it and you want to forward that to the backend or the upstream application server.

The reason for this task is because the log files of the backend application server capture the request coming from the NGINX instance, and now if every single request has originated from the NGINX reverse proxy, to try and make sense of the data which you've collected at the backend, it's an impossible task, because every single request from that application server's perspective comes from the reverse proxy. And you don't want that; you want to try and capture the original IP address and forward that back.

So how do we do that? In the example we see right now, what we can use is a directive called proxy_set_header, and essentially what this directive does is it enables NGINX to redefine or rewrite the request header which comes in. So essentially in this case what happens is NGINX replaces the Host header with the variable, which is $host, when it sends a request to the backend server. In the second example, what we have here is a proxy_set_header that captures the original IP address of the requester and forwards that to the backend application server, so essentially telling the backend application server that this is the IP of the original requester for this request. And the final proxy_set_header, what you see over here, creates a list of various addresses that the request has actually traversed through before it hits the backend application server. So in some of the cases you probably have a couple of web servers, a couple of proxies, before the actual request hits the backend application server. So in a scenario like that, NGINX would go out and collate all those IPs and send that information to the actual backend application server.

So from a slides perspective this is all I had. So this just sets the scene, gives you a high-level understanding of what a reverse proxy does. So with that, let's quickly jump into a demo, so I'll show you how that actually works in action.

What I have here on my local computer is a virtual machine, and in this virtual machine, that's right, world's most secure password, and I've got a VM running. So I've got NGINX installed on it, so we'll do nginx -v and you'd see that I've got NGINX R24 installed on it. Let's jump in here and have a look at the configuration. So if we do cat nginx.conf, it's a stock standard configuration is what I have, nothing fancy over here. If I cd to the config directory, excuse me, that is where I have my configuration files. Do an ls on it, you see that I've got a default.conf, which essentially is acting as a reverse proxy. In my case my backend application is still running on the same host; in your case this application would be perhaps somewhere in the backend, or it could be a different IP address. In my scenario that application is running on the localhost. If I cat web.conf, this is the actual application which we are trying to run. So in this scenario, as you can see, NGINX is acting as a web server hosting the application and also acting as a reverse proxy for this case.

So as simple as that, I can go out and do curl localhost, and you can see that it's routing that request to application one at the backend. So if I do curl localhost 9001, this is the actual application; this is in a way the backend application which NGINX is routing through. So NGINX is acting as a reverse proxy listening on port 80, and every time that request comes in, it proxy passes that request to the backend or the upstream server, in our case which is the port 9001.

So in a scenario like this, if I still try and access this box from my local computer, so let's jump up here, do this, and what I have is open a terminal window, and so what I'm doing is accessing my VM from my local machine. I'll just make a curl, and the IP address for this virtual machine is 192.168.153.187, and hit enter on there, you'd get the response back that this is what it is actually doing. Let's see if I can actually access the actual application on port 9001 as well. Hopefully I should be able to access, but if I can, nothing to worry, but let's give it a test. And yes, the port's open in my case, so if you do this and go hit 9001, you're still able to access the backend application. In your production environments this should be stopped, because only the localhost of the reverse proxy or the IP address of the reverse proxy would be allowed to access the backend application. But a simple test.

However, the point I'm trying to make here is to try and show you what information gets captured in the logs, so let's just jump in and have a look at the logs. So if you access the logs over here, you can see that these logs, it's not really giving you a lot of information. So you can see the past command is actually a curl request; in fact every single request is a curl request. So let's just go and make a browser-based request and hit refresh a couple of times. Sorry, I'm just accessing a browser out here. In fact, let me just do that here as well, example.com, hit refresh a couple of times, and let's look at the cat log right now and see what, there we go, we've captured some information. However, you can see it is not relevant information which we can utilize, and you want to try and capture the actual requester, the URI which was requested, and you want to forward that to the backend application server.

So for that, let's go out and edit our config file to try and capture those specific details using the directive we talked about earlier. So let's just jump in, type in my world's most secure password, and what I have is I have configured a few files over here, which just came out here, hit enter, essentially just to ensure that my fat fingers don't steal the show and I'm typing in correctly. I've got this pre-prepared, so leave it there. So essentially what we're doing is we're setting proxy_set_header and grabbing the host, and we're replacing the value with a variable. So the entire list of NGINX variables is available on nginx.org, where you can capture those values from by defining a variable itself. And I've been a little cheeky and I've just added a sample header, so when we go out and access the browser, we just want to try and see that we've injected a response header, which we should be able to see. Perfect.

I'm just going to save this over here, close this, and go sudo nginx -s, so we've reloaded the configuration, everything works fine. And if I was to try and do a curl on localhost, and now this is port 9000, and I'm going to try and do a -v to try and get more information, let's hit enter, and hey, there we go. So the cheeky little header which I inserted, test header, has made it through in the response header. So essentially it goes to show that all the information which we provided, it is actually going out and capturing that.

However, to try and test it, let's just try and write a custom log file so that we can actually view the specific proxy_set_header values which we have set. So for that we need to create a new log format to try and capture the specific values we have inserted. So for that, edit the file again, edit the nginx.conf file again, just make this full screen so life's a little easier, and what I'm going to do once again, to save myself from embarrassment, I'll just copy and paste the front text over here. And also out here what we need is access_log, so essentially for this specific server we are writing that to a separate log file. And this is also a very good practice, so if you've got a few different servers running, you want to try and create separate access files for capturing logs for each separate server. So essentially it's just very neat: if something was to go wrong, if you wanted to try and dig through some data, very, very easy if you're writing a separate file. And out here I've just written a customized log format, I've called it custom log, and that's what I'm utilizing up here, and I've just gone out and typed in some requests which I am capturing. Let's save that. Also, I'll share the link to all these details in my GitHub repo, which you can look at from the links down below. Perfect.

Now that we've reloaded that, let's go out and do cd nginx and see what file, and we've got the custom access log files. Let's just tail that file and see what we get. So now that we've done this, at this stage I'm just accessing it from the box itself, so you'd see that the IP addresses and the host IP would all look very similar, because everything's running from my local computer. So let's just go out and hit enter here, hit refresh, and there we go, it's captured all the details out here. As you can see, this is a Firefox browser, so the user client, it's captured all the details of the user client, the proxy host name, it's routed, so this request is routed to this specific backend. The proxy IP address is what we've requested; the client IP address is exactly the same because I'm trying to access it from the same box itself. So as you can see, it has captured all the information for us and it's populated right here.

So in short, this is all I wanted to show you in terms of configuring NGINX as a reverse proxy, setting proxy_set_header values to ensure that you capture all the values and pass them to the actual backend application server, and you can go out and make configuration changes in your log files to try and capture relevant information. Perfect, guys, so thanks for watching this video. I'll see you guys very soon. Thank you very much, bye.
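The setup the video walks through, written out as an added example: this is not the presenter's configuration or the contents of the GitHub repo he mentions. The log format names, log file paths, test header value and response text are assumptions; the ports (80 in front, 9001 behind, same host) follow the demo.

```nginx
# Added example; place inside the http {} block of nginx.conf.
# Format names, file paths and the X-Test-Header value are assumptions.

# Proxy-side format: who connected, and which upstream served the request.
log_format custom_log '$remote_addr [$time_local] "$request" $status '
                      '"$http_user_agent" proxy_host=$proxy_host '
                      'upstream=$upstream_addr '
                      'xff="$proxy_add_x_forwarded_for"';

# Backend-side format: $remote_addr here is always the proxy, so the
# original client is only visible through the forwarded headers.
log_format backend_log '$remote_addr real_ip=$http_x_real_ip '
                       'xff="$http_x_forwarded_for" host=$host "$request"';

# Reverse proxy: the only listener clients should be able to reach.
server {
    listen 80;
    access_log /var/log/nginx/custom_access.log custom_log;

    location / {
        proxy_pass http://127.0.0.1:9001;

        # Preserve the Host the client asked for.
        proxy_set_header Host $host;
        # Address of the peer that connected to this proxy.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client sent.
        # Entries to the left of the last one are client-supplied, so the
        # backend should trust only what its own proxy appended.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Response header to confirm the request went through this block.
        add_header X-Test-Header "via-reverse-proxy";
    }
}

# Backend application. Binding to 127.0.0.1 keeps port 9001 unreachable
# from other machines, unlike the open port seen in the demo.
server {
    listen 127.0.0.1:9001;
    access_log /var/log/nginx/backend_access.log backend_log;

    location / {
        default_type text/plain;
        return 200 "application one\n";
    }
}
```

Check the file with `nginx -t` before reloading; a request to port 80 then produces one line in each log, with the backend line showing the proxy as `$remote_addr` and the client in `real_ip`.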
Info
Channel: NGINX, Inc
Views: 14,064
Rating: 4.9221792 out of 5
Keywords: NGINX, NGINX Plus, NGINX Controller, NGINX Load Balancer, Load Balancer, NGINX API Management, NGINX Unit, NGINX Open Source, NGINX OSS
Id: lZVAI3PqgHc
Length: 16min 42sec (1002 seconds)
Published: Tue Jun 08 2021