Among many infrastructure services that form a unified corporate system there is Proxy. Its main purpose is to become an intermediate node in traffic transmission and to fulfil the pre-established functionality of modifying/sniffing connections.
There are two types of such solutions forward and reverse-proxy, where the first redirects traffic to the outside through a single point, and the second vice versa from the external segment to the internal. In this article we will consider the second variant of its implementation and configure the service to work.
What is Reverse Proxy?
As we mentioned earlier, Reverse Proxy is an intermediate node through which external traffic passes to the servers, respectively from clients.
In such cases, this solution is due to the need to balance the load on the nodes, as the processing of the packets themselves can be quite load, then different approaches to balancing them can reduce it. It can also be a node for controlling the passing traffic, for example, a local WAF or a redirection node to ICAP servers.
If you don't have sufficient resources than you can perform actions on powerful cloud servers. Serverspace provides isolated VPS / VDS servers for common and virtualize usage.
Deployment and configuration
First of all, let's choose a software package that performs such proxying functions, usually simple web servers have this functionality, so let's use the Nginx package:
After we move on to the configuration of our service by the standard directory /etc/nginx, inside we are interested in two files that are responsible for the global configuration of the service and virtual hosts, let's go to the second one:
cd /etc/nginx/sites-available && nano 000-default.confIf your virtual hosts file is named differently, then go into that particular one with nano. Let's look at the basic syntax for a virtual host, which is determined by the SNI field in the incoming network packet:
server {
listen ip:port;
server_name domain_name;
root /path/to/site-file;
index /index.html;
..
location / {}
..
} Fill in the basic fields with your web server metadata, what port your web will be available on, what domain name will be handled, etc. Note that the location field will be responsible for acting on the packet that arrived at the specified path. Now this is a normal web server, to make it a reverse-proxy you need to add directives to location:
location /date {
proxy_pass http://192.168.1.10:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
} 
To understand the difference between reverse-proxy and web server compare the directives of the two paths /hello and /cats, in the latter case we specify the path where our data resides and in the former we proxy the connection. Note that the proxy_pass directive allows us to establish a connection to a resource and, as a client, transmit packets by modifying them with the proxy_set_header directive.
Each of them also has its own functionality:
- HOST will specify the hosts to be reached;
- X-Real-IP will specify the real address of the client before proxying;
- X-Forwarded-For will specify to whom it proxies;
- X-Forwarded-Proto will specify which scheme/protocol to use.
The modified packets will then be sent to the Upstream or Backend, where they will be further processed by the web application. Let's save the file and create a link to the config to autoload it:
ln -s /etc/nginx/sites-available/000-default.conf /etc/nginx/sites-enabled/000-default.confOr replace the file name with your own and create a link to the enabled part as well. After that restart nginx or make it re-read the config:
sudo systemctl restart nginx && sudo systemctl status nginx Since the nginx server listens on all interfaces by default, traffic coming to the device will be proxied and sent to the back. If there is a need to pre-terminate SSL traffic, add directives for its processing:
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
After that the traffic will be transmitted in the open, where further solutions will be able to process the incoming packets. Also in our knowledge base you can find materials on how you can configure WAF based on such Reverse Proxy solution!
