Scripted Build for Installing and Configuring the Nginx Reverse Proxy
There are now two scripts available, one for CentOS and one for Ubuntu, to automate the proxy build. Use the commands below for the desired distribution:
CentOS:
wget https://raw.githubusercontent.com/rubrikinc/rubrik-extension-for-vcd/master/reverse-proxy-builds/centos.sh
Before running the script we need to add our Rubrik cluster IP and DNS name for the reverse proxy. Find and replace the following placeholders in the file (using vim or Notepad):
<Reverse Proxy DNS/IP Addresds e.g. rproxy.rubrikdemo.com>: the DNS name or IP address of the proxy server
<Upstream Server Placeholder>: the DNS name or IP address of the Rubrik cluster
Save the updated script and run it with:
sudo chmod +x ./centos.sh
./centos.sh
During the install you will be asked to provide information regarding the self-signed certificates used on the proxy.
Using Signed Certificates
After the proxy is built, you can reconfigure the certificates by replacing the following files with your signed certificate and private key:
/etc/tls/crt/STAR_wildcard.crt
/etc/tls/key/STAR_wildcard.key
Ubuntu:
wget https://raw.githubusercontent.com/rubrikinc/rubrik-extension-for-vcd/master/reverse-proxy-builds/ubuntu_proxy.sh
Before running the script we need to add our Rubrik cluster IP and DNS name for the reverse proxy. Find and replace the following placeholders (using vim or Notepad):
<Reverse Proxy DNS/IP Addresds e.g. rproxy.rubrikdemo.com>: the DNS name or IP address of the proxy server
<Upstream Server Placeholder>: the DNS name or IP address of the Rubrik cluster
During the install you will be asked to provide information regarding the self-signed certificates used on the proxy.
Save the updated script and run it with:
sudo chmod +x ./ubuntu_proxy.sh
./ubuntu_proxy.sh
After the proxy is built, you can reconfigure the certificates by replacing the following files with your signed certificate and private key:
/etc/tls/crt/STAR_wildcard.crt
/etc/tls/key/STAR_wildcard.key
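Both build scripts are run as root after a manual find-and-replace, so it is worth checking that every placeholder really was filled in first. The helper below is an added example, not part of the rubrikinc repository: it substitutes one literal placeholder at a time and then scans the script for any angle-bracket token that was missed (the file name and host values in the usage comment are examples).

```shell
#!/bin/sh
# Added example (not part of the rubrikinc repository): substitute a literal
# placeholder in a downloaded build script and confirm that no angle-bracket
# placeholder is left behind before the script is executed.
set -eu

# Escape a literal string so sed treats it as plain text on the pattern side
# (the delimiter is '|' below, because the placeholders on this page contain '/').
sed_escape_pattern() {
    printf '%s' "$1" | sed -e 's/[]\$*.^[|]/\\&/g'
}

# Escape a literal string for the replacement side of a sed substitution.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# fill_placeholder FILE PLACEHOLDER VALUE
# Replaces every occurrence of PLACEHOLDER (e.g. "<Upstream Server Placeholder>")
# with VALUE. Fails if PLACEHOLDER is absent, so a mistyped placeholder is
# reported instead of silently leaving the script unchanged.
fill_placeholder() {
    file=$1
    pattern=$(sed_escape_pattern "$2")
    replacement=$(sed_escape_replacement "$3")
    grep -qF -- "$2" "$file" || { echo "placeholder not found: $2" >&2; return 1; }
    tmp=$(mktemp)
    sed -e "s|$pattern|$replacement|g" "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_no_placeholders FILE
# Lists any remaining "<Name ...>" token and returns 1 if one is found, so a
# half-edited script is caught before it is run as root.
check_no_placeholders() {
    if grep -nE '<[A-Za-z][^<>]*>' "$1"; then
        echo "unfilled placeholders remain in $1" >&2
        return 1
    fi
    return 0
}

# Typical use (host values are examples, not real systems):
#   fill_placeholder centos.sh '<Reverse Proxy DNS/IP Addresds e.g. rproxy.rubrikdemo.com>' rproxy.example.com
#   fill_placeholder centos.sh '<Upstream Server Placeholder>' rubrik.example.com
#   check_no_placeholders centos.sh
```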
Manually Installing and Configuring Nginx Reverse Proxy
The steps below can be used to install and configure Nginx on an RPM-based Linux distribution, e.g. RHEL or CentOS. If you are starting from scratch on a new server, configure the network settings first, then install and configure Nginx following the steps below.
Create the Nginx yum repository
vi /etc/yum.repos.d/nginx.repo
Add the following to the nginx.repo file:
CentOS:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
gpgcheck=0
enabled=1
RHEL:
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/rhel/7/$basearch/
gpgcheck=0
enabled=1
Install the packages
sudo yum update -y
sudo yum install -y nginx policycoreutils-python-2.5-29.el7.x86_64
You should have confirmation that the packages installed successfully.
Navigate to the Nginx Directory
We need to remove the default nginx config and replace it with the reverse proxy config:
sudo rm /etc/nginx/nginx.conf
sudo vi /etc/nginx/nginx.conf
Paste the following config (press i first to put vi in insert mode):
user nginx;
worker_processes 1;
worker_rlimit_nofile 1024;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log error;

events {
    accept_mutex on;
    accept_mutex_delay 500ms;
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    server_tokens off;
    types_hash_max_size 1024;
    types_hash_bucket_size 512;
    server_names_hash_bucket_size 64;
    server_names_hash_max_size 512;
    keepalive_timeout 65s;
    keepalive_requests 256;
    client_body_timeout 60s;
    send_timeout 60s;
    lingering_timeout 5s;
    tcp_nodelay on;
    reset_timedout_connection on;
    gzip on;
    gzip_comp_level 1;
    gzip_disable msie6;
    gzip_min_length 1000;
    gzip_http_version 1.1;
    gzip_proxied off;
    gzip_vary off;
    open_file_cache max=50000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    client_body_temp_path /var/nginx/client_body_temp;
    client_max_body_size 512m;
    client_body_buffer_size 128k;
    proxy_temp_path /var/nginx/proxy_temp;
    proxy_connect_timeout 90s;
    proxy_send_timeout 90s;
    proxy_read_timeout 90s;
    proxy_buffers 32 4k;
    proxy_buffer_size 8k;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Proxy "";
    proxy_headers_hash_bucket_size 64;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
Change directory to sites-enabled:
cd /etc/nginx/sites-enabled
If sites-enabled does not exist, create the directory first with:
sudo mkdir /etc/nginx/sites-enabled
Create a new nginx site configuration file named after the Linux host:
sudo touch rbk-rproxy.domain.com.conf
Open the file for editing:
sudo vi rbk-rproxy.domain.com.conf
Update the placeholder <reverse proxy FQDN> in the config below with the FQDN you will be using for this reverse proxy, e.g. rbk-proxy.rubrik.com.
Paste the following config (press i first to put vi in insert mode):
proxy_cache_path /var/cache/nginx/RBK levels=1:2 keys_zone=RBK:1m inactive=24h max_size=1g;

server {
    listen *:443 ssl;
    server_name <reverse proxy FQDN>;
    # TLS is enabled by the "ssl" parameter on the listen directive above; the
    # separate "ssl on;" directive was removed in nginx 1.25.1 and fails to load there.
    ssl_certificate /etc/tls/crt/STAR_wildcard_cert.crt;
    ssl_certificate_key /etc/tls/key/STAR_wildcard_cert.key;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;

    location / {
        # CORS headers for normal requests. Echoing $http_origin back means any
        # requesting origin is accepted by the browser.
        if ($request_method ~* "(GET|POST|PATCH|DELETE)") {
            add_header "Access-Control-Allow-Origin" "$http_origin" always;
            add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept";
        }
        # Preflighted requests
        if ($request_method = OPTIONS ) {
            add_header "Access-Control-Allow-Origin" "$http_origin" always;
            add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS, HEAD, PATCH, DELETE";
            add_header "Access-Control-Allow-Headers" "Authorization, Origin, X-Requested-With, Content-Type, Accept, x-vcloud-authorization";
            return 200;
        }
        # "proxy" is the upstream group defined in conf.d/proxy-upstream.conf below
        proxy_pass https://proxy;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_buffering on;
        proxy_cache RBK;
        proxy_cache_valid 200 1m;
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        proxy_ignore_headers Set-Cookie Cache-Control;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 90m;
        send_timeout 300;
    }
}
Save the file and exit (in vi press Esc to leave insert mode, then type :wq! followed by Return to save and quit).
Change to the conf.d directory (/etc/nginx/conf.d).
Create the proxy configuration file:
sudo touch proxy-upstream.conf
Edit this file with sudo vi proxy-upstream.conf, and add the following content targeting the Rubrik cluster DNS name or IP; update the placeholder <Rubrik DNS Name> with your Rubrik cluster DNS name or IP address:
upstream proxy {
    server <Rubrik DNS Name>:443 fail_timeout=10s;
}
Finally, we need to create the cache directories and configure SELinux. Use the following commands:
sudo mkdir -p /var/nginx
sudo mkdir -p /var/cache/nginx/
sudo semanage permissive -a httpd_t
sudo setsebool -P httpd_setrlimit 1
Manually Create a Self-Signed Certificate for Nginx Reverse Proxy
If you already have a certificate and private key pair for the proxy, create the TLS folders and add the files:
sudo mkdir /etc/tls
sudo mkdir /etc/tls/crt
sudo mkdir /etc/tls/key
Inside the crt and key folders, create the files with the names used in the proxy config, e.g.
ssl_certificate /etc/tls/crt/STAR_wildcard_cert.crt;
ssl_certificate_key /etc/tls/key/STAR_wildcard_cert.key;
If you do not have a certificate, use the guide below to create a self-signed certificate:
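The following is an added example, not the page's own guide or the project's script: it generates a self-signed certificate and key for the proxy FQDN at the file names the site config above expects. It assumes openssl 1.1.1 or newer and takes the TLS directory (/etc/tls on the proxy host) and the FQDN as parameters.

```shell
#!/bin/sh
# Added example (not the page's own guide): generate a self-signed certificate
# and key for the proxy FQDN at the paths the site config on this page names.
# Assumes openssl 1.1.1 or newer. TLS_DIR and FQDN are parameters; pass
# /etc/tls as TLS_DIR on the proxy host.
set -eu

# make_selfsigned_cert TLS_DIR FQDN [DAYS]
# Writes TLS_DIR/crt/STAR_wildcard_cert.crt and TLS_DIR/key/STAR_wildcard_cert.key:
# 2048-bit RSA, SHA-256, a subjectAltName for FQDN (clients validate the SAN,
# not the CN), and an unencrypted key so nginx can start without a passphrase prompt.
make_selfsigned_cert() {
    tls_dir=$1; fqdn=$2; days=${3:-365}
    mkdir -p "$tls_dir/crt" "$tls_dir/key"
    crt="$tls_dir/crt/STAR_wildcard_cert.crt"
    key="$tls_dir/key/STAR_wildcard_cert.key"
    # Subshell so the restrictive umask (key readable by its owner only) does not leak out.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
            -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
            -keyout "$key" -out "$crt" 2>/dev/null
    )
    chmod 644 "$crt"   # the certificate is public; the key stays 0600
}

# cert_matches_key CRT KEY: returns 0 when the certificate carries the public
# half of this private key (the mismatch nginx would otherwise report at start-up).
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_has_san CRT FQDN: returns 0 when the certificate's SAN list contains
# DNS:FQDN, which is what a browser or vCD compares against the proxy hostname.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"
}

# Typical use on the proxy host (FQDN is an example value):
#   sudo sh -c '. ./this_script.sh; make_selfsigned_cert /etc/tls rproxy.example.com 365'
#   cert_has_san /etc/tls/crt/STAR_wildcard_cert.crt rproxy.example.com && echo "SAN ok"
```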
Once complete, reload the Nginx configuration with sudo nginx -s reload. This completes the reverse proxy configuration.