Re: How to run a reverse proxy VM on your BI...
Posted: Sat Jan 18, 2020 11:22 pm
by HeneryH
Next up is updating your OS using the command line tools and installing Nginx and setting it up as a reverse proxy. I'll paste the commands here so that will be easy to do.
Re: How to run a reverse proxy VM on your BI...
Posted: Sun Jan 19, 2020 5:27 pm
by HeneryH
Upgrade the core operating system. As far as noting the differences between Fedora and Ubuntu, one of the most visible is that Fedora uses yum or dnf while Ubuntu uses apt-get. So any package install or update will be different.
We want to update the OS and install the nginx package as well as the http-tools package that will help with adding authenticated users.
Fedora
https://docs.fedoraproject.org/en-US/qu ... m-upgrade/
Code: Select all
$ su # switch to a root shell, otherwise put "sudo" in front of every command below.
dnf update -y --refresh
dnf install -y nginx httpd-tools # https://fedoraproject.org/wiki/Nginx
systemctl enable nginx.service
systemctl stop nginx.service # stop/start/restart the process with these commands
systemctl start nginx.service
systemctl restart nginx.service
nginx -s reload # reload the config without restarting the process
Ubuntu
https://itsfoss.com/update-ubuntu/
Code: Select all
sudo ls # I like to do a simple command such as ls with root to get the password question out of the way, then you can paste the following commands with multiple lines in one paste.
sudo apt update
sudo apt upgrade -y
sudo apt install -y nginx apache2-utils # https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-18-04
sudo systemctl start nginx # stop/start/restart the process with these commands
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl reload nginx # reload the config without restarting the process
This gets us a running web server with a sample web page BUT... we might need to tweak the security settings for each distribution to allow connections from outside the server itself (kind of like Windows Firewall).
SELinux is the aspect of Linux that is controlling extra security which is very important in commercial deployments. I know that Fedora has this turned on by default, not sure about Ubuntu. I will experiment with Ubuntu today and report back.
Re: How to run a reverse proxy VM on your BI...
Posted: Sun Jan 19, 2020 5:35 pm
by HeneryH
Relax some of the Fedora SELinux controls and let http and https through the firewall...
Fedora
Code: Select all
# while still under the su root shell or put "sudo" in front of every command below.
# THIS IS AN EDITOR COMMAND, get used to your to-be favorite command line editor. If you use vi or emacs you have entered geek zone. Embrace it!!!
vi /etc/selinux/config # edit this file and set protection level to "permissive"
dnf install -y setroubleshoot-server policycoreutils-python-utils
sealert -a /var/log/audit/audit.log
#This was for a connect error when doing proxy-pass
setsebool -P httpd_can_network_connect 1
firewall-cmd --get-active-zones
# FedoraServer <-- output of active zones. Note this response and fill in below.
# interfaces: enp0s3
firewall-cmd --permanent --zone=FedoraServer --add-service=http
firewall-cmd --permanent --zone=FedoraServer --add-service=https
systemctl restart firewalld.service
No extra steps were needed for Ubuntu
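Added example, not part of the post above: a shell sketch of the same Fedora steps that reads the active zone names from `firewall-cmd --get-active-zones` instead of filling them in by hand, and reports whether SELinux is enforcing with `httpd_can_network_connect` switched on. The function names and the `web-fw.sh` file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `firewall-cmd --get-active-zones` output on stdin and print zone names.
# Zone names start in column one; "interfaces:"/"sources:" lines are indented.
zones_from_output() {
    awk '/^[^[:space:]]/ { print $1 }'
}

# Read `getsebool httpd_can_network_connect` output ("name --> on") on stdin.
bool_is_on() {
    awk '$2 == "-->" && $3 == "on" { found = 1 } END { exit !found }'
}

# Summarise the SELinux state for a proxying nginx.
# $1 = output of getenforce, $2 = output of getsebool httpd_can_network_connect
selinux_verdict() {
    if [ "$1" != "Enforcing" ]; then
        echo "not-enforcing: denials are only logged or SELinux is off"
    elif printf '%s\n' "$2" | bool_is_on; then
        echo "ok: enforcing, nginx may open outbound connections"
    else
        echo "blocked: run setsebool -P httpd_can_network_connect 1"
    fi
}

# Open http and https in every active zone, then load the permanent rules.
open_web_ports() {
    firewall-cmd --get-active-zones | zones_from_output | while read -r zone; do
        firewall-cmd --permanent --zone="$zone" --add-service=http
        firewall-cmd --permanent --zone="$zone" --add-service=https
    done
    firewall-cmd --reload
}

# Run as root on the proxy VM: sh web-fw.sh apply
if [ "${1:-}" = "apply" ]; then
    open_web_ports
    selinux_verdict "$(getenforce)" "$(getsebool httpd_can_network_connect)"
fi
```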
Re: How to run a reverse proxy VM on your BI...
Posted: Sun Jan 19, 2020 7:11 pm
by HeneryH
This seems like a lot, but if you have the commands queued up, it really only takes a very little amount of effort to spin one up.
Next step is to set the configuration of Nginx to act as a reverse proxy and route any incoming connections to the appropriate server (i.e. BI).
Re: How to run a reverse proxy VM on your BI...
Posted: Tue Jan 21, 2020 12:46 am
by mr2u53
HeneryH wrote: ↑Sun Jan 19, 2020 5:27 pm
Upgrade the core operating system. As far as noting the differences between Fedora and Ubuntu, one of the most visible is that Fedora uses yum or dnf while Ubuntu uses apt-get. So any package install or update will be different.
We want to update the OS and install the nginx package as well as the http-tools package that will help with adding authenticated users.
Fedora
https://docs.fedoraproject.org/en-US/qu ... m-upgrade/
Code: Select all
$ su # switch to a root shell, otherwise put "sudo" in front of every command below.
dnf update -y --refresh
dnf install -y nginx httpd-tools # https://fedoraproject.org/wiki/Nginx
systemctl enable nginx.service
systemctl stop nginx.service # stop/start/restart the process with these commands
systemctl start nginx.service
systemctl restart nginx.service
nginx -s reload # reload the config without restarting the process
So this is the error I am getting when I upgrade
Re: How to run a reverse proxy VM on your BI...
Posted: Tue Jan 21, 2020 1:50 pm
by HeneryH
Do the su command first and by itself because you need to enter your password to get the root shell.
Maybe you pasted the other commands right behind it and the su didn't work.
Re: How to run a reverse proxy VM on your BI...
Posted: Tue Jan 21, 2020 4:28 pm
by mr2u53
HeneryH wrote: ↑Tue Jan 21, 2020 1:50 pm
Do the su command first and by itself because you need to enter your password to get the root shell.
Maybe you pasted the other commands right behind it and the su didn't work.
Success
Re: How to run a reverse proxy VM on your BI...
Posted: Tue Jan 21, 2020 4:38 pm
by HeneryH
Awesome, next is configuring the Nginx to act as a reverse proxy. I'll paste those steps in just a few minutes.
Do you have a domain name that you have control over? If so, you can use free Let's Encrypt certificates to secure your web traffic.
Re: How to run a reverse proxy VM on your BI...
Posted: Tue Jan 21, 2020 4:46 pm
by HeneryH
Nginx works by matching patterns in the URL to figure out the desired destination. If you don't have multiple web servers or domain names then you can just put the configs below in the default config.
FYI on Nginx Install Warns - You may see these warnings and can edit the main config file.
Code: Select all
[warn] 21183#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size
cd /etc/nginx
vi nginx.conf # add an include for the sites-enabled directory (if you are using them), fix the warns
# server_names_hash_bucket_size 64;
I have multiple domain names I like to route separately
Code: Select all
mkdir /etc/nginx/sites-enabled
vi /etc/nginx/sites-enabled/domain1.com.conf
vi /etc/nginx/sites-enabled/domain2.com.conf
## you most likely don't need this #htpasswd -c /etc/nginx/.htpasswd jjflynn22 # the -c only for first time # this is for passwords in Nginx
nginx -s reload # after changes force a reload of configs
Put this relevant line in either your default or specific config.
Code: Select all
location / {
    proxy_pass http://192.168.1.10:81; # <--- where this is your BI instance
}
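Added example, not part of the post above: a shell sketch that writes one per-domain file into the sites-enabled directory and reloads only after `nginx -t` accepts the configuration. It assumes nginx.conf already includes that directory as the post describes; the function names and the `add-site.sh` file name are assumptions, and the domain and address in the usage line are the post's own sample values.

```shell
#!/bin/sh
# Added example, not from the thread. SITES_DIR is the directory created in the
# post; add-site.sh is a hypothetical file name for this script.
SITES_DIR="${SITES_DIR:-/etc/nginx/sites-enabled}"

# Accept only plain DNS names so nothing unexpected is written into the config.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|-*) return 1 ;;
    esac
}

# Accept only dotted-quad address plus port (e.g. 192.168.1.10:81), so nginx
# does not depend on name resolution for the backend when it starts.
valid_upstream() {
    case "$1" in
        *[!0-9.:]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$'
}

# Print a server block that routes one domain name to one backend.
render_site() {
    valid_domain "$1" || { echo "bad domain: $1" >&2; return 1; }
    valid_upstream "$2" || { echo "bad upstream: $2" >&2; return 1; }
    cat <<EOF
server {
    listen 80;
    server_name $1;

    location / {
        proxy_pass http://$2;
    }
}
EOF
}

# Write the file, let nginx check the whole configuration, reload only if valid.
install_site() {
    conf=$(render_site "$1" "$2") || return 1
    printf '%s\n' "$conf" > "$SITES_DIR/$1.conf"
    nginx -t || { rm -f "$SITES_DIR/$1.conf"; return 1; }
    nginx -s reload
}

# Run as root: sh add-site.sh install domain1.com 192.168.1.10:81
if [ "${1:-}" = "install" ]; then
    install_site "$2" "$3"
fi
```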
Re: How to run a reverse proxy VM on your BI...
Posted: Tue Jan 21, 2020 4:53 pm
by HeneryH
Here is my full config in the sites-enabled directory, but I am using Let's Encrypt which takes much of the http config and moves it to the https config then reroutes incoming http to https:
Code: Select all
server {
    server_name video.[mydomain].org;
    root /usr/share/nginx/html;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
        # proxy_pass http://i9-9900k:81; #lately I was getting errors on start on boot due to hostname not found.
        proxy_pass http://192.168.1.151:81;
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/flynnhome.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/flynnhome.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = video.[mydomain].org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name video.[mydomain].org;
    return 404; # managed by Certbot
}