NGINX Proxy Manager FREE SSL Offloading Complete Setup | Three AWS EC2s | Route53 | Docker

Captions
Welcome back to my channel. In this tutorial we will go over NGINX Proxy Manager. Now, what is NGINX Proxy Manager and what will it do for you? In this tutorial I will go over a complete configuration using NGINX Proxy Manager in front of a couple AWS EC2 instances that will be running WordPress. All of these EC2s will be running Docker and Docker Compose inside; it's just the fastest way to get things going. So I recommend that you follow along. Have a few tabs open: for example, Install Docker Compose, you want to have your NGINX Proxy Manager website open, your AWS Management Console open, and we will go step by step. We'll take our time, we won't skip any steps. Here we go.

So first we want to go through the process of installing or creating several EC2 instances, and we could just use the free tier ones, the, uh, these EC2s, and we will select three. That's what we want to build, three, and they will all have the same configuration and they will all have the standard software that we need for all of them. And here we're creating a security group, because we need HTTP, we need HTTPS and we need SSH. We also need another port that we will use exclusively for NGINX Proxy Manager. So if we go to their website here, which is one of the tabs you want to have open, and we take a look at the setup instructions, it will tell us what ports we need open. Doesn't specifically say, but if you look inside the docker-compose file you see that it's port 80, 443 and 81 are needed just for our instance that will be running NGINX Proxy Manager. So we will put that in here, and we want to allow from anywhere for now. And as you saw, we're going to build three of these instances, and we click on Launch. We create a new key pair; we're starting from scratch, so nothing's available right now. We're not skipping any steps, and we'll call this key pair nginx. You can call it whatever you want, just remember to download it and save it in a good place. Now we take a look at our instances and we could see that they are all running, and
in order to not get lost, and you could see right off the bat, three instances, one can get lost, like, what does what? OK, so the best thing to do is give a name to each one. We'll call this one nginx proxy. The second one, since we'll be running WordPress, we'll call it something like test wp1, is what we can name this. Then the next one we'll call test wp2. And now that we named all of our EC2 instances, it's easier to see what each one will do, because when you're looking at the summary, the number that's there, the IP address, it can get very difficult to understand what each one is doing.

And we will SSH into each one, so I recommend that you also have your command prompts open, whether you're using a Linux device or a Windows PC or a Mac. You copy the command that's here, and you need to make sure that you're in the directory where you are, where you download the key for your device, and just follow the information that's here. You do sudo yum update; we've done that before in other videos, and we'll go step by step here, we won't leave anything behind. And we'll let it run the installation, and while it's running the installation, if you don't want to wait, you can actually go and start grabbing information from other EC2s, or open up another command prompt window and do these things simultaneously. And actually the best way to do this is to have a script that you could add to your EC2 when you're bringing them up, when you launch them, and then it'll take care of all these updates for you.

And like I said, all of these we want to do the same way, so in your other tab you should have this Amazon Docker basics website, and we'll just follow the steps. We'll just copy and paste, copy and paste all the commands to all three of them so that we have the same setup; nothing will be missing. So now that it's installed we go back to the page. What do we need to do? We need to run the sudo service docker start, and we'll do that. Go back to the page, copy the next command. What do we need to do? We
need to make sure that our ec2-user can run as sudo, so you don't have to keep typing in sudo, and then that is it, and we have to log out in order for it to take effect.

And now let's go to the tab that has our EC2 information, and here is the second one, and this will be one of our WordPress sites. But like I mentioned, they will all be running Docker and Docker Compose, and we SSH into this device using the key pair that we downloaded. Same process: do the sudo yum update, make sure everything's up to date, get it all installed. We'll follow up and install the AWS Docker packages, and we will also install Docker Compose. And here we go, we just copy and paste. This is very simple, and I like showing it this way because a lot of times it's hard to find the information and you might need three, four tabs open from different websites to piece everything together, and then you could create your own little file, Notepad++, or if you use OneNote you can say, OK, this is the way to get everything working, and you put everything step by step for yourself.

And here we go, we're installing everything that's needed, and you don't necessarily have to wait for it to finish installing for you to come to this tab, now copy your next command and just be ready to paste it in. And with experience and doing this over and over again, you just know, you just flow with it, but make sure you don't skip any steps, because then you just end up troubleshooting for a very long time and don't even know why. And you can see Docker is installed at docker info.

And now we will do this with the third and final EC2 instance, and you see why putting a name to it is very important. Maybe right now it doesn't become so clear, but once you start working on these things you might make an update or a change to the wrong device, and that's just, uh, gonna get you fired if you're doing this for work. And here we go, same process, just keep going, and you see I copied the command and I'm waiting for it to
finish installing here. And one of the benefits of ensuring that all three are running the applications you need, the standard applications, it's so that you don't end up troubleshooting later on. Because we could set up one EC2; instead of SSH in and out of different instances, it's just better to get all three up to date and get them where they should be, and then we make the configurations or install the packages that are needed for that specific instance. That way we know that we have everything the same, everything's working. We make this change, we log out, log back in, in order for the change to take effect.

And one thing that I forgot to do on all three of them is to install Docker Compose, so now I have to take one extra step, is SSH into all of them once again. No biggie. That's what I mentioned, that's what happens, we tend to forget things, but it's a good thing I've forgotten all three of them; that way I'm not troubleshooting one that's not working for whatever reason, and it's because something was not installed. Now I just go through all three of them. So you do the command that's there, and I'll put a link to all these tabs: the Docker Compose installation, Docker for AWS installation and configuration. So we did that, and now I can up-arrow and find my previous sessions and install the same ones. And we need Docker Compose; we will install everything using Docker Compose. And we have to do the chmod to allow it to run, to become executable.

OK, so that's two of them, and let me see if I could find the previous one, and nope, I'll have to grab the IP address from the AWS dashboard. And it was the nginx proxy that I did not do. Yes, I could see the previous commands; it shows me that I did not run this, I did not install Docker Compose on this one. And just a couple of commands, and we did that, downloaded, and now we give it executable rights, and now we are ready to go.

We will start by building our NGINX Proxy Manager EC2 instance, so we will SSH back into that
instance, and we will also follow the steps that are mentioned in the website. And what we will do also is we'll make a directory just for this nginx; I call it nginxpm. And there are a couple of files that we have to provide, and we already know that we need a docker-compose.yaml file, but for this we also need a config.json file, and it gives us all the information, and we're not changing a single thing. Don't use this in production; this is just to get it running. So we'll create this file, config.json file, and just copy and paste the information that's there. We exit out of there, and now we have to build a second file. See, it's a docker-compose file; just copied the whole configuration, and we have to call it docker-compose and just paste everything in there, just the same way you grabbed it. Now obviously, if you make changes, you have to make sure that both files have the changes.

Now what's the next step? Just as simple as that, you run the docker-compose up -d, and we get an error message, and this one's very easy to fix. It talks about the services.app.environment, and the reason is that we are not using this, so we have to comment that out. As soon as I comment that out, or you could delete the whole section, it won't work. And if you notice, I didn't put the minus d or dash d. I like to run my Docker containers, the first time that I run it, I like to just see what's going on in the background, because you see a lot of error messages, you see what's going on, how it's getting built, and there's just so many little details that are available there without me having to go looking at some log. It's just there for me, and it helps when I'm troubleshooting; it helps to see how the container reacts to certain calls, certain user activity.

And now it should be ready to go, and we want to copy the public IP address, and it'll be the public address, and you have to put a colon 81. 81 is the management port, and then here you see that the default administrator will be admin@example.com
and the password is changeme, and it will ask you to change the name of the administrator, change the email address. This was only for you to get in, and then it will ask you to change the current password. You can put whatever you want, just make sure that it is a very strong password, and hopefully you're doing this for testing purposes and you will delete everything you create this time around. And now we don't have anything installed, we don't have any proxy hosts, and now it's when we have to go and start building our other EC2 instances.

So now we'll start building our two WordPress servers, and we will create a directory for WordPress, and we will do the same setup on both of them. That way we can go step by step and show the real nice process of making this work, because a lot of times you'll get up to a certain point and then realize that things are not working. And we'll make it very simple: we'll use this config file, make everything the same, same password, same username, same everything. Once again, you don't want to leave this exposed out on the internet in your instance where everyone can access it. Do not use this in production.

And it's very simple. Now that we have everything installed and it's configured, we just do docker-compose up, and we get a little error on line one. I think I saw an extra letter in a spot there. OK, it's off the screen, but I had put an x next to one of the words, and that's what happened. If I do a docker-compose up now, we will see it go through the process of installing, and we can go on to the next server. And same process: we will make a wordpress directory, we'll go into the directory, and we'll create a docker-compose file with the same information. This is the beautiful thing about running Docker: once you get your config built, you can just keep doing it over and over again on as many EC2 instances as you want. And we'll let it run, and like I say, I always run docker-compose up without the minus d or dash d, because I like to see what's going
on in the background. I don't want to have to take a look at the logs or anything; I want to see it live while it's happening. And now, while that's running, we can start checking other things, and we went to our first and we see that it's running. And if you see in the docker-compose file, you see that we're running the MySQL database locally as well. It's a volume and it's there locally, and we'll just run it that way for now. A lot of people run those two things together. When you go out there and get one of those, uh, low-cost, uh, virtual machine providers, that's what you're getting; you're not getting anything fancy. So even this setup will be way better than probably anything you can purchase out there from any of the providers, and I mean low-end providers.

And here we are going to configure both of our WordPress instances. I'm jumping back and forth between them, and we'll just call one test wp1 and the other one test wp2. And here I'm looking at the nginx proxy and the IP address, because we also want to configure certain settings, so I just copied that. And now we're installing WordPress on these two devices, these two instances, and don't use weak passwords, make sure you use something very secure. And they are both set up already, which is good.

OK, going back to the nginx proxy, copy the IP address, and the reason we're copying this IP address is because now we're going into Route 53 and we're going to create a couple of records. And this is, I run the tuffnetworks.com DNS entries in Route 53.
I really like to use Route 53 because it gives you options that you don't get anywhere else. And here we go, test wp1, and it'll be an IP address, our A record, and see that IP address, that's the IP address of nginx. OK, and we're going to define another one, test wp2, and same thing, IP address, and we will use the same IP address. And you see both DNS entries are using the same IP address. Now, in a normal situation you would only hit one server, so one server, one VM instance, would be on the side doing absolutely nothing, and we don't want to have two WordPress servers doing the same thing. This example is of us running two different WordPress servers for two distinct clients, but we want to proxy their connection, we want to provide the SSL certificates.

And here is the IP address, here's the setup that we're doing for the first one. So you put in test wp1, the IP address of the server, the instance you want to get to, and then we want to request a new SSL certificate, and we want to force SSL, we want to agree to the Let's Encrypt terms of service, and you say OK, and after a few seconds you will have a certificate. But there is one step that we have to go through. If you look at this, for whatever reason Force SSL is removed, so you always have to go back and verify that it's there. And then when we click on it, you get this. So things are starting to work, but we do have to go into the WordPress admin in order to change some settings, because right now it's still pointing to the IP address. And now we changed it to test wp1 network, and you would have to use your own domain and use a subdomain. So now you can't reach it through the IP address. And what's the destination? It's that first IP address, first test wp1, and when we click on it, now we get into our WordPress site.

Test wp1 is one server, and later on in this video I will demonstrate, um, have two distinct servers completely, because right now they look the same; the only thing that's different is it will be the test wp one or two, but we actually
want to demonstrate having different AWS instances, and you can do this on GCP as well; this is us just doing it on AWS at the moment. And once again we put in the IP address. This is the second WordPress server, excuse me, test wp2 tuffnetworks.com, and we don't need a custom location, and we will request an SSL certificate. We request a new one, we force SSL, we agree to the terms of service, and you save it. Verify that everything's correct.

So what this is saying is that any request that comes in on that subdomain will go to that IP address and that port. Now, as we all know, SSL works on port 443; when you see HTTP, that's port 80. So we're forwarding HTTP to the appropriate port, which is 80, but in order to have SSL it has to respond or reply on 443. Well, that's what the NGINX Proxy Manager is doing for us: it is offloading your SSL encryption, it is providing the certificate. So yes, you have an extra server, but that server is providing a function and it's offloading it from your WordPress server.

And once again we have to go in here and change the WordPress address so that it is pointing to now the subdomain, and once we save it we get kicked out, because we can't use the IP address anymore, and we have to confirm that it's pointing to the right device. And there we go. So when you first look at it, unless you look at the top left corner, it looks just the same as the other one, and yes, this is what we want to do; we just want two names to be different. But we could see that our connection is secure on both of them, different IP addresses, but it's NGINX Proxy Manager that is responding. Now, NGINX Proxy Manager is just the front end to basically the configuration that you would have in the back as a config file, but it makes it so easy to be able to do this.

Now when we do an nslookup we will see which IP address replies. So if you're not familiar, nslookup is the opposite of putting in an IP address: it gives you the name that is in DNS. So if you want to find out who
cisco.com is, you do nslookup cisco.com and it gives you an IP address, and nslookup amazon.com and it gives you the IP address for that, or multiple IP addresses. And as you can see, nginx proxy is this 3.86.45.17 IP address; that was what we saw in nslookup. And really this is just one of many ways that we could provide an SSL certificate to a website.

But now we're going to review our security groups, because we want to do something different. We don't want to allow any direct access to our WordPress instances, so what we will do is we'll create a new security group and we'll just give it a name to identify what it does, so this is nginx only. What does this mean? This security group will only allow the NGINX Proxy Manager to talk to the WordPress server. So in essence this means that there is no way to access the WordPress servers from the outside; you have to go through the proxy server or instance. And as you can see, I'm allowing port 80 from 3.86.45.17, which is our nginx instance, and I removed the other. And now we will go into our EC2s and change the security groups so that it only has this one security group. And let's put a description in here; it's good practice to always put it, because we tend to forget why we have that IP address in there, and something I like about this AWS dashboard, it allows us to add these things.

OK, so now we will go into our instances, and once we go here we'll select them and then we'll change the security groups. For whatever reason the dashboard refreshed, and here I am trying to select two and change the security group on two instances, but it will not let me; it's grayed out. I didn't see that coming, but now we'll just do them one at a time. And still no, so even after refresh, can't do it, so we'll do one at a time. Networking, I mean Security, Change security groups, and we have to add one, which is the one that we just created, and we have to remove the other one. So as you see, it only allows the nginx, and same thing for the
second one: we change security groups, we add the new one, nginx only, and we remove the previous one we created when we launched these instances. OK, so now that is set up, and it might take a few seconds for it to become active, but it's rather quick.

And we go to test wp1 and we tried to refresh, and it is still working. Now remember, I'm trying to get to this website from the office, from an external site. This is hosted on AWS, and it's still refreshing, it's still working fine, but what happens is that port 80, or HTTP, is only allowed from the nginx server. My DNS entries in Route 53 point test wp1 to the NGINX Proxy Manager server, which then forwards this as a secure connection, right? It receives it, it offloads the SSL certificate and it provides that encryption. And as you can see, I could still install anything I want, just picked a random plugin, and that's because by default the security groups allow all outbound access. It's the inbound that we were concerned with, and we're blocking all inbound.

And if I come here to my SSH window, you can't tell, but I'm hitting Enter and I can't go anywhere, because my SSH is timing, will time out eventually, because SSH is not allowed. Remember, only port 80 is allowed from the proxy manager, and by default there's an implicit deny all, so if you don't specify a port, everything else is blocked. So this is a good test to run to make sure that your security groups are working.

And we want to test wp2 as well, and we want to go into the admin interface, and it's got its SSL certificate, so it's a secure website; people can go to your website with confidence and enter their username and password. I really don't understand how there are providers out there that don't offer an SSL certificate by default. There is no reason not to have this, and it's absolutely free, which is the other thing. I mean, SSL certificates, yeah, several years ago you had to pay for them, and depending on the level of security it would cost money every year, and
depending on the level of security you wanted, you had to mail in documentation, you had to prove who you were, you had to jump through so many hoops just to get an SSL certificate for your website, and because of that many people just let it be at HTTP, and the information from users was just sent in clear text. So if you ever see HTTP, or you get a warning that the website is not secure, it's because it isn't secure.

And as you could see here, I tried to SSH back into the wp2, or test wp2, and unsuccessful, because SSH is not allowed at all, only port 80. So basically that access list means that there is no external access to your test wp1 and wp2 instances; you have to route or go through the nginx server.

And now we'll continue configuring our WordPress instances, and now we will make them different, just to show you an example of how you could have multiple customers routing through your nginx proxy, and you're offering them the security that they deserve. Like I said, there is no reason to have a website running on HTTP only, absolutely no reason, and that's why Google, Firefox and Safari will alert you and let you know that the website is not secure.

OK, so here we are on both of our websites, test wp1 and test wp2, and we'll activate different themes for them so that there is a clear distinction. So even though it's the same IP address, and these are different servers, but once again we're going through the nginx proxy. And we'll install this theme, we'll activate it, and on wp1 we'll install something else. And there's the test wp2 with one theme, and wp1 will install a little something, maybe a little bit better looking. Let's put this one and see what this looks like, and we actually have to activate another little feature on this; we'll import one of their already-made websites. And one thing that I notice right off the bat is the speed with which this flows. There is no lag, there is no slowdown; actually it runs faster on this setup than if you were to run your SQL, your WordPress and
your nginx Docker containers on the same machine. So right now, as you saw, each VM is running two Docker containers. NGINX Proxy Manager runs two: it runs the NGINX Proxy Manager and the database. The two WordPress servers run two containers: the WordPress container and your MySQL container. But in certain setups, and I think I did a video about this, where you have nginx in one container and you have WordPress and you have MySQL, you could start offloading things from your websites. It could be that I just run the WordPress container in one and then just point to, like, an RDS SQL, and then in that way you're offloading, so you don't need a stronger or faster or beefier VM instance; you just need to offload certain things, and that's when we get into the area of microservices. You start separating everything, and I really like this setup, and just running nginx on its own server, having this nice proxy manager, this nice front end, just helps and speeds up the process of everything.

Well, I hope you've enjoyed this tutorial. It's a bit lengthy, but you achieved a lot, and if you get stuck anywhere please let me know in the comments, and you could pause the video in certain parts and try it again. And like I always say, and I recommend: build it, destroy it, build it, destroy it. It's the only way to continue to learn. Maybe not the only way, but it's one of the best ways to learn. Reading a book, reading websites is not the way to go; you have to build it. Please subscribe, give me a thumbs up, ask me any questions you want in the comments down below.
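
Added example, not part of the video or its captions: a small Python check for the "nginx only" lockdown described above, run over security-group data in the JSON shape that `aws ec2 describe-security-groups` returns. The two sample groups and the proxy address 203.0.113.10 are constructed placeholders, and the function name is hypothetical.

```python
import ipaddress

# Constructed placeholder for the proxy's public address (documentation range).
PROXY_IP = "203.0.113.10"


def audit_backend_group(group, proxy_ip, allowed_port=80):
    """Return findings for a backend (WordPress) security group that should
    admit only tcp/<allowed_port> from the reverse proxy's single address."""
    proxy = ipaddress.ip_network(f"{proxy_ip}/32")
    findings = []
    proxy_rule_seen = False

    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols; the port fields are absent for it.
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        exact_port = proto == "tcp" and lo == allowed_port and hi == allowed_port
        label = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"

        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            net = ipaddress.ip_network(cidr, strict=False)
            if exact_port and net == proxy:
                proxy_rule_seen = True          # the one rule we expect
            elif net.prefixlen == 0:
                findings.append(f"{label} open to the internet ({cidr})")
            elif not exact_port:
                findings.append(
                    f"{label} allowed from {cidr}, expected only tcp/{allowed_port}")
            else:
                findings.append(
                    f"tcp/{allowed_port} allowed from {cidr}, not the proxy {proxy}")

        # Rules that reference another security group instead of a CIDR.
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(
                f"{label} allowed from security group {pair.get('GroupId')}")

    if not proxy_rule_seen:
        findings.append(f"no rule admits tcp/{allowed_port} from proxy {proxy}")
    return findings


def _rule(port, cidr):
    """Build one tcp ingress rule in the describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed sample: the launch-time group (SSH, HTTP, HTTPS, 81 from anywhere).
LAUNCH_GROUP = {"GroupName": "launch-wizard",
                "IpPermissions": [_rule(p, "0.0.0.0/0") for p in (22, 80, 443, 81)]}

# Constructed sample: the locked-down group, port 80 from the proxy only.
NGINX_ONLY_GROUP = {"GroupName": "nginx only",
                    "IpPermissions": [_rule(80, f"{PROXY_IP}/32")]}

if __name__ == "__main__":
    for g in (LAUNCH_GROUP, NGINX_ONLY_GROUP):
        result = audit_backend_group(g, PROXY_IP)
        print(g["GroupName"], "->", result or "OK")
```

An empty result means the group matches the lockdown; the SSH timeout shown in the video is the manual form of the same check.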
Info
Channel: TUFF NETWORKS
Views: 10,195
Keywords: aws, docker, nginx, nginx proxy, EC2, AWS, Kubernetes, gcp, azure, rancher, tuffnetworks
Id: dFnQvnVWEGY
Length: 43min 27sec (2607 seconds)
Published: Thu Nov 05 2020