Best practices for Nginx across multiple devices

Hey guys, maybe this is a bit of a noob question, but I can’t seem to find an answer anywhere online that goes into this and I’m trying to learn.

Anyway, I have several servers running across multiple machines, and in various jails (not as fancy as it sounds). I’m trying to set up a reverse proxy for each using nginx so I can access them with a subdirectory, rather than needing to use a port. I also have a domain that I want to be able to use to access remotely.
For example:
mydomain.com/server1
mydomain.com/server2

Firstly, is it best to install and configure nginx in each jail and on each machine I need a reverse proxy for? Or is there a way I can install it in its own jail or container and use that to configure all the other devices on my network?

Secondly, what’s the best practice with the port configuration of nginx? If I have a dozen instances running, can I point them all at port 443, or will that cause conflicts?

Lastly, if I have a dozen instances of nginx, do I need to set up any special local routing on my network to accommodate that? Or will requesting a particular subdomain on 443 automatically be handled by the right instance of nginx?

Thanks in advance for any help!

You should only need one instance of nginx. I would also recommend using subdomains instead of subdirectories, some web applications don't play as nicely if they are hosted in a subdirectory (hard-coded // paths and the like).

Your Nginx config would look something like this:

# server1
server {
        listen 80;
        server_name server1.yourdomain.com;
        include /your/ssl/config;
        location / {
                proxy_pass http://server1-ip;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header HOST $http_host;
        }
}

# server2
server {
        listen 80;
        server_name server2.yourdomain.com;
        include /your/ssl/config;
        location / {
                proxy_pass http://server2-ip;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header HOST $http_host;
        }
}

If you were really determined to use subdirectories, it could look like this:

server {
        listen 80;
        server_name yourdomain.com;
        include /your/ssl/config;
        location /server1 {
                proxy_pass http://server1-ip;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header HOST $http_host;
        }
        location /server2 {
                proxy_pass http://server2-ip;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header HOST $http_host;
        }
}

(I hit post too early, continuing on)

Then for each of the various applications hosted on the various servers, you would still need a web application (Nginx works) for each of these. The reverse proxy will then proxy pass to the internal URL of the applications.

Luckily, the reverse proxy can be in charge of SSL so you can keep that headache contained to just one machine.

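To show the single-instance layout above as a complete, loadable configuration, here is an added example (not code from the post or from any of the projects mentioned): one nginx instance terminates TLS, redirects plain HTTP, proxies two subdomains to backends in their own jails, and refuses requests for hostnames it does not serve. Every hostname, LAN address, port and certificate path is an assumption to be replaced with your own; the subdirectory variant at the end is included because the thread discusses it, and it also shows the trailing-slash detail of proxy_pass that decides whether the backend sees the /server1 prefix or not.

```nginx
# Added example, not the original poster's config. All names, addresses,
# ports and certificate paths below are placeholders/assumptions.

# Plain HTTP only redirects to HTTPS; nothing is proxied in clear text.
server {
    listen 80;
    server_name yourdomain.com *.yourdomain.com;
    return 301 https://$host$request_uri;
}

# Catch-all for HTTPS requests whose SNI/Host name is not one of ours
# (e.g. someone hitting the public IP directly). Without a default server
# nginx would hand such requests to the first server block it finds.
# ssl_reject_handshake needs nginx >= 1.19.4.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# server1.yourdomain.com -> backend in jail 1 (assumed 192.168.1.11:3000)
server {
    listen 443 ssl;
    server_name server1.yourdomain.com;

    ssl_certificate     /etc/ssl/yourdomain/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/yourdomain/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.11:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # lets the app build https:// links
    }
}

# server2.yourdomain.com -> backend in jail 2 (assumed 192.168.1.12:9091)
server {
    listen 443 ssl;
    server_name server2.yourdomain.com;

    ssl_certificate     /etc/ssl/yourdomain/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/yourdomain/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.12:9091;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Subdirectory variant (only if an app tolerates living under a prefix).
server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate     /etc/ssl/yourdomain/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/yourdomain/privkey.pem;    # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # No URI part in proxy_pass: the backend receives /server1/... unchanged,
    # so the app must be configured to serve from /server1.
    location /server1/ {
        proxy_pass http://192.168.1.11:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Trailing slash on both location and proxy_pass: nginx strips the prefix,
    # so /server2/foo reaches the backend as /foo. Apps that emit absolute
    # links (/css/app.css) will still break here, which is why subdomains win.
    location /server2/ {
        proxy_pass http://192.168.1.12:9091/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check it with `nginx -t` before reloading. A single wildcard DNS record (`*.yourdomain.com` pointing at the proxy's public IP) serves every subdomain block, so adding a backend is one new server block and nothing at the DNS provider. Because the backends now only need to be reachable from the proxy, the per-jail firewall can restrict their ports to the proxy's LAN address, which is what keeps the "one open port" goal from being undone by someone reaching a jail directly.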

Agree with @judahnator

This is also better for browser based security. (each gets their own cookies and origin and so on).

Wildcard DNS pointing to IP that nginx is listening on works.


Depending on what you’re hosting, you can setup SRV records.

Best regards,

vhns

I posted this and went straight to bed. Wasn't expecting such quick replies! Thanks for the tips!

@judahnator I was also initially thinking of using subdomains, but playing around with one server, subdirectories looked a bit easier. Particularly on the side of the DNS record. But I’ll look into that a bit more.

What do you mean by this exactly? Above, you said that I should only need one instance of nginx. Are you saying that I need one instance to manage all the reverse proxy stuff, and then an instance on every server to manage everything else nginx does?

Sounds way simpler than some elaborate NAT rules! I’ll read up on that and see what I can figure out.

That was my initial thought too, however I couldn’t get it working for some reason. It doesn’t really matter anyway though. The point of this is to make my network a bit more secure by not opening heaps of ports. A bit redundant with SRV records :sweat_smile:.

If you have a bunch of servers running web applications and want to put them all behind a reverse proxy, then all of the servers running web applications will need a web server of their own. This web server does not have to be Nginx, but typically web applications need web servers.

Ah, right, my bad. Yeah, all the servers I'm talking about already have webservers. Grafana, Transmission and the like.