NGINX Configuration

Centos:

Copy

1
2
yum install nginx
setsebool -P httpd_can_network_connect 1

Ubuntu:

Copy

1
apt install nginx

Nginx config for reverse proxy:

You should name it a name such as xtam.conf or something similar and put it in /etc/nginx/conf.d/

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
map $http_upgrade $connection_upgrade {
    default     upgrade;
    ''          close;
}
 
server {
    listen 80;
    server_name xtam.yourdomain.com;
    # redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}
 
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    server_name xtam.yourdomain.com;
    ssl_certificate     /etc/pki/tls/certs/cert.crt;
    ssl_certificate_key /etc/pki/tls/private/private_key.key;
 
location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://xtam.yourdomain.com:6443;
        proxy_buffering off;
    }
 
    # Websocket configuration
    location /xtam/websocket-tunnel {
        proxy_pass https://xtam.yourdomain.com:6443;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

On SELinux-enabled systems you can get "502 Bad gateway error" when trying to access your reverse-proxied address with followed errors in /var/log/nginx/error.log: "connect() to <some_ip_here:6443> failed (13: Permission denied) while connecting to upstream"

You need to check if such port is allowed http_port_t:

Copy

1
semanage port -l | grep http_port_t

If it's not, allow it by issuing the followed command:

Copy

1
semanage port -a -t http_port_t -p tcp 6443

Nginx config for web load balancer

You should name it a name such as xtam_lb.conf or something similar and put it in /etc/nginx/conf.d/

Copy

map $http_upgrade $connection_upgrade {
    default     upgrade;
    ''          close;
}
 
upstream backend_web {
    hash $remote_addr;
    server xtamcentoshosta:6443;
    server xtamcentoshostb:6443;
}
 
server {
    listen 80;
    server_name xtam-farm.yourdomain.com;
    # redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}
 
server {
    listen 443 ssl http2;
    server_name xtam-farm.yourdomain.com;
    ssl_certificate     /etc/pki/tls/certs/cert.crt;
    ssl_certificate_key /etc/pki/tls/private/private_key.key;
 
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://backend_web;
    }
 
    # Websocket configuration
    location /xtam/websocket-tunnel {
        proxy_pass https://backend_web;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
    }
}

Nginx additional config for tcp load balancer for proxies:

On Centos distributions streams section does not exists in /etc/nginx/nginx.conf.

To continue with this manual you should add following to the end of /etc/nginx/nginx.conf :

Copy

1
2
3
stream {
    include /etc/nginx/conf.d/*.tcp;
}

Place xtam.tcp file to /etc/nginx/conf.d/:

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
upstream http_proxy {
    hash $remote_addr;
    server xtamcentoshosta:8081;
    server xtamcentoshostb:8081;
}
 
upstream ssh_proxy {
    hash $remote_addr;
    server xtamcentoshosta:2022;
    server xtamcentoshostb:2022;
}
 
upstream rdp_proxy {
    hash $remote_addr;
    server xtamcentoshosta:3388;
    server xtamcentoshostb:3388;
}
 
server {
    listen 8081;
    proxy_pass http_proxy;
}
 
server {
    listen 2022;
    proxy_pass ssh_proxy;
}
 
server {
    listen 3388;
    proxy_pass rdp_proxy;
}

On SELinux-enabled systems, by default, the SELinux configuration does not allow NGINX to listen (bind()) to TCP or UDP ports other than the default ones that are allow-listed in the http_port_t type.

You can check this by running the following command:

Copy

1
semanage  port -l | grep http_port_t

So you'll need to add proxy ports to this type:

Copy

1
2
3
semanage port -a -t http_port_t -p tcp 2022
semanage port -a -t http_port_t -p tcp 3388
semanage port -a -t http_port_t -p tcp 8081

You can get the following error: "ValueError: Port tcp/8081 already defined", in such case you should use slightly modified command for that port:

Copy

1
semanage port -m -t http_port_t -p tcp 8081