NGINX Configuration
CentOS:
yum install nginx
setsebool -P httpd_can_network_connect 1
(The boolean lets nginx, which runs in the httpd_t SELinux domain, open outbound TCP connections to the XTAM backend; without it every proxied request is denied by policy.)
Ubuntu:
apt install nginx
NGINX config for a reverse proxy:
Save the following as a file such as xtam.conf in /etc/nginx/conf.d/ (files there are included inside the http context, which is where the map and server blocks belong). Note that for proxy_pass https://... nginx does not verify the backend certificate unless proxy_ssl_verify on and proxy_ssl_trusted_certificate are set; add them if the link to port 6443 crosses a network you do not trust.
# Map the client's Upgrade header to the Connection header sent upstream:
# "upgrade" for WebSocket handshakes, "close" for ordinary requests
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    server_name xtam.yourdomain.com;
    # redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    listen 443 ssl http2;
    server_name xtam.yourdomain.com;
    ssl_protocols TLSv1.3 TLSv1.2;
    # TLS 1.2 suites: forward-secret AEAD and SHA-2 suites only; anonymous, export,
    # RC4, 3DES and MD5 suites are excluded (TLS 1.3 suites are not governed by ssl_ciphers)
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ssl_certificate /etc/pki/tls/certs/cert.crt;
    ssl_certificate_key /etc/pki/tls/private/private_key.key;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://xtam.yourdomain.com:6443;
        proxy_buffering off;
    }
    # WebSocket tunnel: HTTP/1.1 plus the Upgrade and Connection headers are required
    # for the handshake to reach the backend intact
    location /xtam/websocket-tunnel {
        proxy_pass https://xtam.yourdomain.com:6443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
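As an added example (not part of this guide or of the XTAM software), the following POSIX shell functions check from a client what the two server blocks above should produce: a 301 to the HTTPS name from the port-80 vhost, and a 101 Switching Protocols with an Upgrade: websocket header from /xtam/websocket-tunnel. The response headers embedded below are constructed samples, not captured from a real server; the probe_* functions show the curl invocations that capture real ones (the Sec-WebSocket-Key is the RFC 6455 sample value, and xtam.yourdomain.com is the placeholder name used on this page).

```shell
#!/bin/sh
# Added example: client-side checks for the reverse proxy configuration above.

# Constructed sample responses (not captured from a real host).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://xtam.yourdomain.com/xtam/login
Content-Length: 0'

SAMPLE_WS_OK='HTTP/1.1 101 Switching Protocols
Server: nginx
Connection: upgrade
Upgrade: websocket
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo='

# What you see when the Upgrade/Connection headers are NOT forwarded: a plain 200.
SAMPLE_WS_BAD='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

# status_code HEADERS: print the status code from the first response line.
status_code() { printf '%s\n' "$1" | awk 'NR == 1 { print $2; exit }'; }

# header_value HEADERS NAME: print the value of header NAME (case-insensitive).
# Splits on the first ':' only, so values containing ':' (URLs) survive intact.
header_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == tolower(name) {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/\r$/, "", v); print v; exit
        }'
}

# redirect_ok HEADERS HOST: succeed if the response is a 301 to https://HOST/...
redirect_ok() {
    [ "$(status_code "$1")" = 301 ] || return 1
    case $(header_value "$1" Location) in
        "https://$2/"*|"https://$2") return 0 ;;
        *) return 1 ;;
    esac
}

# ws_upgrade_ok HEADERS: succeed if the backend completed the WebSocket handshake
# through the proxy (101 + Upgrade: websocket + a Sec-WebSocket-Accept value).
ws_upgrade_ok() {
    [ "$(status_code "$1")" = 101 ] || return 1
    [ "$(header_value "$1" Upgrade | tr 'A-Z' 'a-z')" = websocket ] || return 1
    [ -n "$(header_value "$1" Sec-WebSocket-Accept)" ]
}

# Live probes (not executed here): capture headers with curl and feed them to the checks.
probe_redirect() { redirect_ok "$(curl -sS -o /dev/null -D - "http://$1/")" "$1"; }
probe_ws() {
    # After a 101 curl keeps the socket open, so bound the wait; the headers are
    # already on stdout when --max-time fires (curl then exits 28, which is expected).
    ws_upgrade_ok "$(curl -sS -o /dev/null -D - --http1.1 --max-time 5 \
        -H 'Connection: Upgrade' -H 'Upgrade: websocket' \
        -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==' \
        "https://$1/xtam/websocket-tunnel" 2>/dev/null)"
}

# Demo against the constructed samples.
redirect_ok "$SAMPLE_REDIRECT" xtam.yourdomain.com && echo "redirect to HTTPS: ok"
ws_upgrade_ok "$SAMPLE_WS_OK" && echo "websocket handshake: ok"
ws_upgrade_ok "$SAMPLE_WS_BAD" || echo "websocket handshake failed: check the map and the /xtam/websocket-tunnel location"
```

On a real deployment run probe_redirect xtam.yourdomain.com and probe_ws xtam.yourdomain.com; a 200 instead of 101 from the tunnel path almost always means the Upgrade/Connection headers or proxy_http_version 1.1 are missing from the location block.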
On SELinux-enabled systems you may get a "502 Bad Gateway" error when accessing the reverse-proxied address, with the following entry in /var/log/nginx/error.log: "connect() to <some_ip_here:6443> failed (13: Permission denied) while connecting to upstream". The policy refused the outbound connection from nginx (httpd_t) to the backend port; ausearch -m avc -ts recent shows the matching denial. If httpd_can_network_connect was enabled as shown above, outbound connections to any port are already permitted; otherwise check whether the port is labelled http_port_t:
semanage port -l | grep http_port_t
If it is not, label it with the following command:
semanage port -a -t http_port_t -p tcp 6443
NGINX config for a web load balancer
Save the following as a file such as xtam_lb.conf in /etc/nginx/conf.d/:
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
# Backend pool; hashing on the client address keeps a client on the same
# backend (session stickiness) as long as the pool membership does not change
upstream backend_web {
    hash $remote_addr;
    server xtamcentoshosta:6443;
    server xtamcentoshostb:6443;
}
server {
    listen 80;
    server_name xtam-farm.yourdomain.com;
    # redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server {
    listen 443 ssl http2;
    server_name xtam-farm.yourdomain.com;
    ssl_certificate /etc/pki/tls/certs/cert.crt;
    ssl_certificate_key /etc/pki/tls/private/private_key.key;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://backend_web;
    }
    # WebSocket configuration
    location /xtam/websocket-tunnel {
        proxy_pass https://backend_web;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
}
NGINX additional config for a TCP load balancer for the proxies:
On CentOS the nginx.conf shipped with the package has no stream section. The stream block lives at the top level of /etc/nginx/nginx.conf, outside the http block, so add the following at the end of the file (if your build provides stream as a dynamic module, it must be loaded with a load_module directive before this block, for example through the modules include near the top of nginx.conf):
stream {
    include /etc/nginx/conf.d/*.tcp;
}
Then place a file named xtam.tcp in /etc/nginx/conf.d/ with the following content:
# Each pool hashes on the client address so a session stays on one backend
upstream http_proxy {
    hash $remote_addr;
    server xtamcentoshosta:8081;
    server xtamcentoshostb:8081;
}
upstream ssh_proxy {
    hash $remote_addr;
    server xtamcentoshosta:2022;
    server xtamcentoshostb:2022;
}
upstream rdp_proxy {
    hash $remote_addr;
    server xtamcentoshosta:3388;
    server xtamcentoshostb:3388;
}
# Plain TCP forwarding (no TLS termination): the HTTP, SSH and RDP proxy
# protocols pass through untouched on the same ports the backends use
server {
    listen 8081;
    proxy_pass http_proxy;
}
server {
    listen 2022;
    proxy_pass ssh_proxy;
}
server {
    listen 3388;
    proxy_pass rdp_proxy;
}
On SELinux-enabled systems the default policy only lets NGINX (httpd_t) bind() to the TCP and UDP ports labelled http_port_t, so the stream servers above fail to start on 2022, 3388 and 8081 ("bind() to 0.0.0.0:2022 failed (13: Permission denied)" in the error log) until those ports carry that label.
You can check the current list with:
semanage port -l | grep http_port_t
Add the proxy ports to the type:
semanage port -a -t http_port_t -p tcp 2022
semanage port -a -t http_port_t -p tcp 3388
semanage port -a -t http_port_t -p tcp 8081
If a port is already assigned to another type, -a fails with "ValueError: Port tcp/8081 already defined" (semanage port -l | grep 8081 shows the current owner). In that case modify the existing assignment instead:
semanage port -m -t http_port_t -p tcp 8081
Note that -m reassigns the port for every domain on the host, so make sure nothing else on the load balancer depends on the old label. Run nginx -t and restart nginx afterwards.
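As an added example (not from this guide or from the XTAM product), the following POSIX shell script decides for each port whether semanage needs -a, -m or nothing at all by parsing a semanage port -l listing, so the "already defined" error above is avoided rather than retried. The listing embedded here is constructed sample data, not output from a real host; the usage note shows how to feed it the real listing.

```shell
#!/bin/sh
# Added example: choose between `semanage port -a` and `semanage port -m`
# by inspecting a `semanage port -l` listing instead of trial and error.

# Constructed sample listing (not captured from a real host). The format matches
# `semanage port -l`: type, protocol, then comma-separated ports and lo-hi ranges.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ms_streaming_port_t            tcp      1755
ms_streaming_port_t            udp      1755
ssh_port_t                     tcp      22
transproxy_port_t              tcp      8081
vnc_port_t                     tcp      5900-5999'

# port_type LISTING PROTO PORT: print the SELinux type that currently owns PROTO/PORT,
# or nothing if the port is unlabelled. Handles single ports and lo-hi ranges.
port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (split(p, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 } else { lo = hi = p + 0 }
                if (port + 0 >= lo && port + 0 <= hi) { print $1; exit }
            }
        }'
}

# port_action LISTING TYPE PROTO PORT: "ok" if already TYPE, "add" if unlabelled,
# "modify <current_type>" if the port belongs to a different type.
port_action() {
    current=$(port_type "$1" "$3" "$4")
    if [ -z "$current" ]; then
        echo add
    elif [ "$current" = "$2" ]; then
        echo ok
    else
        echo "modify $current"
    fi
}

# label_port_cmd LISTING TYPE PROTO PORT: print the semanage command to run (or a comment).
label_port_cmd() {
    case $(port_action "$@") in
        ok)      echo "# $3/$4 is already $2" ;;
        add)     echo "semanage port -a -t $2 -p $3 $4" ;;
        modify*) echo "semanage port -m -t $2 -p $3 $4" ;;
    esac
}

# Demo against the constructed listing for the three stream listeners from this guide:
# 2022 and 3388 are unlabelled (-a), 8081 already belongs to another type (-m).
for p in 2022 3388 8081; do
    label_port_cmd "$SAMPLE_PORTS" http_port_t tcp "$p"
done
```

On a real host run, as root, label_port_cmd "$(semanage port -l)" http_port_t tcp 8081 (and likewise for 2022 and 3388), review the printed commands, then execute them; a "modify" result tells you which type currently owns the port, which is the label you are about to take away from whatever service used it.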