Objective
By the end of this lesson, you will know how to configure Nginx to listen on a new HTTPS port (5051) and forward all traffic to an HTTP service running on port 5000.
Prerequisites
- Basic understanding of Nginx configuration.
- Access to Nginx configuration files.
- An active HTTP service running on port 5000.
Lesson Content
Introduction to Port Forwarding and Nginx Configuration
- Understanding Port Forwarding
Port forwarding allows external devices to access services on a local network by mapping an external port to an internal port. This is useful for directing traffic to a specific service within a server, especially when multiple services are running.
- Nginx as a Web Server and Reverse Proxy
Nginx is a high-performance web server that can also function as a reverse proxy. As a reverse proxy, Nginx forwards client requests to backend servers, enabling load balancing, SSL termination, and caching, which enhances performance and scalability.
Step 1: Configure Nginx to Listen on a New Port (5051)
- Edit the Nginx Configuration File
Open the Nginx configuration file using a text editor. The main configuration file is typically located at /etc/nginx/nginx.conf, or you might edit a site-specific configuration in /etc/nginx/sites-available/.
sudo nano /etc/nginx/sites-available/yourdomain.conf
- Add a New Server Block for Port 5051
Insert the following server block into your Nginx configuration file:
server {
    listen 5051 ssl;
    server_name www.yourdomain.com;
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Notes:
- Replace Paths: Update /path/to/your/certificate.crt and /path/to/your/private.key with the actual paths to your SSL certificate and private key.
- Server Name: Ensure the server_name directive matches your domain (www.yourdomain.com).
- SSL Configuration: The ssl_certificate and ssl_certificate_key directives specify the SSL certificate and key for HTTPS.
- Proxy Settings: The location block configures Nginx to forward all requests to the service running on port 5000.
- Save and Close the File
- Press Ctrl + X, then Y, and Enter to save the changes.
- Test the Nginx Configuration
Before restarting Nginx, test the configuration for syntax errors:
sudo nginx -t
- If the configuration is correct, you will see:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
- If there are errors, the output will indicate what needs to be fixed.
Step 2: Restart Nginx to Apply Changes
Restart the Nginx service to apply your new configuration:
sudo systemctl restart nginx
- This command restarts Nginx so that it loads the updated settings.
- Nginx will now listen on port 5051 and forward requests to the service on port 5000.
Step 3: Testing the Configuration
- Open a Web Browser
Navigate to:
https://www.yourdomain.com:5051
- Verify the Content
- Ensure that the content served is from the HTTP service running on port 5000.
- If you encounter a security warning, it may be because the SSL certificate is self-signed or not recognized by the browser. Ensure your SSL certificate is valid.
Step 4: Adjust Firewall Settings (If Necessary)
Ensure that your server’s firewall allows traffic on port 5051.
- For UFW Firewall (Ubuntu/Debian):
sudo ufw allow 5051/tcp
- For FirewallD (CentOS/RHEL):
sudo firewall-cmd --permanent --add-port=5051/tcp
sudo firewall-cmd --reload
- Verify Open Ports:
sudo ufw status # For UFW
sudo firewall-cmd --list-all # For FirewallD
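Because Nginx forwards to the backend over plain HTTP, the firewall check has a second half: port 5051 should be listening, and port 5000 should be bound to loopback only so it cannot be reached without TLS. The script below is an added example, not part of the original lesson; its function names are made up here, and it reads `ss -ltnH` output so it can also be run on the constructed samples embedded in it.

```sh
#!/bin/sh
# Added example: listener exposure check for the 5051 (TLS) -> 5000 (HTTP) setup.
# Input on stdin: lines in `ss -ltnH` format (State Recv-Q Send-Q Local Peer).

# listen_addrs PORT: print the bind address of every listening socket on PORT.
listen_addrs() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")        # the port is the last ":" field
            if (part[n] == port)
                print substr($4, 1, length($4) - length(part[n]) - 1)
        }'
}

# is_loopback ADDR: true for 127.0.0.0/8 and ::1 (ss prints IPv6 in brackets).
is_loopback() {
    case "$1" in
        127.*|"[::1]") return 0 ;;
        *)             return 1 ;;
    esac
}

# audit_listeners BACKEND_PORT TLS_PORT: print findings; status 1 if any.
audit_listeners() {
    backend_port=$1; tls_port=$2; findings=0
    snapshot=$(cat)
    backend=$(printf '%s\n' "$snapshot" | listen_addrs "$backend_port")
    frontend=$(printf '%s\n' "$snapshot" | listen_addrs "$tls_port")
    [ -n "$backend" ]  || { echo "DOWN: nothing listens on $backend_port"; findings=1; }
    [ -n "$frontend" ] || { echo "DOWN: nothing listens on $tls_port"; findings=1; }
    # while/read instead of for: a wildcard bind address "*" must not be globbed
    exposed=$(printf '%s\n' "$backend" | while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        is_loopback "$addr" || echo "EXPOSED: plain-HTTP backend bound to $addr:$backend_port"
    done)
    [ -z "$exposed" ] || { printf '%s\n' "$exposed"; findings=1; }
    return "$findings"
}

# Constructed sample snapshots (not captured from a real host).
GOOD_SNAPSHOT='LISTEN 0 511 0.0.0.0:5051 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*'
BAD_SNAPSHOT='LISTEN 0 511 0.0.0.0:5051 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 [::]:5000 [::]:*'

# On a live host: ss -ltnH | audit_listeners 5000 5051
```

An EXPOSED finding is fixed in the backend's own bind address (127.0.0.1 instead of 0.0.0.0), not in the Nginx configuration.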
Conclusion and Troubleshooting Tips
Summarize Key Points
- Configured Nginx to listen on a new HTTPS port (5051).
- Set up a server block to forward HTTPS traffic to an HTTP service on port 5000.
- Restarted Nginx and tested the configuration successfully.
- Adjusted firewall settings to allow traffic on the new port.
Common Troubleshooting Tips
- Nginx Not Restarting
- Check Configuration Syntax:
sudo nginx -t
Fix any syntax errors indicated.
- Review Error Logs:
sudo tail /var/log/nginx/error.log
- Service Not Accessible
- Verify Backend Service:
Ensure the service on port 5000 is running and accessible.
- Firewall Settings:
Confirm that port 5051 is open and not blocked by the firewall.
- DNS Configuration:
Ensure www.yourdomain.com points to your server’s IP address.
- SSL Certificate Issues
- Correct Paths:
Verify the paths to your SSL certificate and key are correct.
- Certificate Validity:
Ensure your SSL certificate is valid and not expired.
- Permissions:
Check that Nginx has permission to read the certificate and key files.
- Proxy Errors
- Proxy Pass Directive:
Ensure the proxy_pass URL is correct (http://localhost:5000).
- Headers Configuration:
Verify the proxy_set_header directives are properly set.
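The checks listed under SSL Certificate Issues (paths, validity, permissions) can be scripted, together with a check that the private key actually belongs to the certificate. This is an added example, not part of the original lesson; the function names are made up here and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example: pre-flight checks for the files named by ssl_certificate and
# ssl_certificate_key. Needs the openssl CLI; paths are supplied by the caller.

# key_is_private FILE: true when group and others have no permission bits.
# -L follows symlinks, so a link to the real key file is judged by its target.
key_is_private() {
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# key_matches_cert CERT KEY: true when both files carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for CERT DAYS: true when CERT does not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_tls_files CERT KEY [DAYS]: print one line per problem; status 1 if any.
check_tls_files() {
    cert=$1; key=$2; days=${3:-30}; problems=0
    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "UNREADABLE: $f (missing or no read permission)"; problems=1; }
    done
    [ "$problems" -eq 0 ] || return 1
    key_is_private "$key" ||
        { echo "PERMISSIONS: $key is accessible to group or others"; problems=1; }
    key_matches_cert "$cert" "$key" ||
        { echo "MISMATCH: $key does not belong to $cert"; problems=1; }
    cert_valid_for "$cert" "$days" ||
        { echo "EXPIRY: $cert expires within $days days or has expired"; problems=1; }
    return "$problems"
}

# Usage, with the placeholder paths from the server block above:
#   check_tls_files /path/to/your/certificate.crt /path/to/your/private.key 30
```

Run it as the user that starts Nginx, so the readability check reflects what Nginx itself will see when it loads the files.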
Assignment
- Implement This Port Forwarding Setup on Your Nginx Server
- Follow the steps outlined to configure Nginx and set up the reverse proxy.
- Test the Setup by Accessing https://www.yourdomain.com:5051
- Confirm that requests are correctly proxied to the service on port 5000.
- Document Any Challenges and Solutions
- Keep a log of any issues encountered and how you resolved them.
- Reflect on the learning process and any key takeaways.
Additional Resources
- Nginx Documentation on Reverse Proxy:
- Nginx Beginner’s Guide:
Feedback and Support
- Nginx Community Forums:
- Official Nginx Documentation:
- Seek Assistance from a Network Administrator
If you encounter persistent issues, consider reaching out to a professional for help.
Happy Configuring!
