This is my home nginx reverse proxy setup. A lot of tutorials go over how to run nginx and apache on the same server. However, in this setup nginx will be running on its own dedicated server. WordPress and OwnCloud are running on separate servers as well.

If this is a home lab setup you will need to forward ports 443 and 80 on your router to the nginx IP. Additionally, you'll need to add any public DNS entries for your domain, e.g. wordpress.your_domain.com pointing to your public IP.

Make sure you're up to date and install the EPEL repository

    sudo yum -y update
    sudo yum -y install epel-release
    sudo yum -y install nginx

Enable nginx to start on boot

sudo systemctl enable nginx

Make a backup of the configuration file and then edit the configuration

    cd /etc/nginx
    sudo cp nginx.conf nginx.conf.backup   # just in case
    sudo vi nginx.conf

Remove the example server block config in the default nginx.conf file (lines 38 – 57) and add the http example blocks snippet. (You will not be able to access the public IP from the same local LAN)

For example: browsing wordpress.example.com on the nginx server will not work

You’ll need to add entries to /etc/hosts for resolution to work & test nginx redirection

    sudo vi /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    # Add the below lines where 1.1.1.1 is the local IP of the nginx server
    1.1.1.1 owncloud.example.com
    1.1.1.1 wordpress.example.com
    # Be sure to remove these if you're going to be using SSL.

Add the “http example blocks” snippet on line 38 of the nginx.conf file

    # http example blocks

    # WordPress redirect example
    server {
        listen 80;
        server_name wordpress.example.com;
        access_log off;
        # "error_log off;" does not disable logging, it writes to a file named "off"
        error_log /dev/null crit;

        location / {
            # Put the local IP of the targeted web server in place of LOCAL_IP, example: 192.168.1.5
            proxy_pass http://LOCAL_IP:80;
            # Sets the header to wordpress.example.com
            proxy_set_header Host wordpress.example.com;
        }
    }

    # OwnCloud redirect example
    server {
        listen 80;
        server_name owncloud.example.com;
        access_log off;
        error_log /dev/null crit;

        # OwnCloud's default URL points to the root directory, you still need to click on the OwnCloud directory
        # to get to the log-on page. Here's a simple re-direct I use to solve that issue.
        # (This could be done in Apache as well)
        # The location / block below redirects the default url of http://owncloud.example.com
        # to http://owncloud.example.com/owncloud
        location / {
            return 301 http://owncloud.example.com/owncloud;
        }

        # Put the local IP of the targeted web server in place of LOCAL_IP, example: 192.168.1.6
        location /owncloud {
            # Specify the directory location
            proxy_pass http://LOCAL_IP/owncloud;
            # Sets the header to owncloud.example.com
            proxy_set_header Host owncloud.example.com;
        }
    }

Remember to restart nginx for changes to take effect (see below for command).

Now let's add our https example right under the last http server block, at line 76 of the nginx.conf file

    # https example block
    server {
        # "listen 443 ssl" replaces the old "ssl on;" directive, which newer nginx releases no longer accept
        listen 443 ssl;
        server_name owncloud.example.com;

        # nginx handles our SSL so the local apache server doesn't have to
        # The SSL lines are pretty much default aside from the cert and key entries
        ssl_certificate /etc/ssl/your_cert.crt;
        ssl_certificate_key /etc/ssl/your_key.key;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        access_log off;
        # "error_log off;" does not disable logging, it writes to a file named "off"
        error_log /dev/null crit;

        # We use the same redirect in the http example
        location / {
            return 301 https://owncloud.example.com/owncloud;
        }

        location /owncloud {
            # Put the local IP of the targeted web server in place of LOCAL_IP, example: 192.168.1.6
            proxy_pass http://LOCAL_IP/owncloud; # Notice we're using http/80 locally
            # Sets the header to owncloud.example.com
            proxy_set_header Host owncloud.example.com;
        }
    }

Restart nginx for changes to take effect.

    sudo systemctl restart nginx
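A hardened variant of the OwnCloud blocks above, as an added example rather than the author's own config: port 80 only redirects to HTTPS, logging stays on, and the backend is told the real client address and scheme. LOCAL_IP, the log file names and the HSTS lifetime are assumptions; TLSv1.3 assumes nginx 1.13 or later built against OpenSSL 1.1.1.

```nginx
# Added example (not the author's config). LOCAL_IP is a placeholder for the
# OwnCloud backend; log file names and the HSTS max-age are assumptions.

# Port 80: no proxying, only a redirect, so logins never travel in cleartext
server {
    listen 80;
    server_name owncloud.example.com;
    return 301 https://owncloud.example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name owncloud.example.com;

    ssl_certificate     /etc/ssl/your_cert.crt;
    ssl_certificate_key /etc/ssl/your_key.key;
    ssl_protocols TLSv1.2 TLSv1.3;      # TLS 1.0/1.1 are deprecated (RFC 8996)
    ssl_session_cache shared:SSL:10m;

    # Keep logs: nginx is the only host that sees the real client address,
    # so these files are the record of who requested what
    access_log /var/log/nginx/owncloud.access.log;
    error_log  /var/log/nginx/owncloud.error.log warn;

    # Ask browsers to use HTTPS only for this host from now on
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Same convenience redirect as the original, HTTPS only
    location = / {
        return 301 https://owncloud.example.com/owncloud/;
    }

    location /owncloud {
        proxy_pass http://LOCAL_IP/owncloud;   # still http/80 on the LAN
        proxy_set_header Host              owncloud.example.com;
        # Without these headers the backend logs every request as coming
        # from nginx and cannot tell that the client connection was HTTPS
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` before restarting so a syntax error is caught while the old configuration is still serving.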

Just a reminder that these commands leave the nginx server http/https ports open to the internet.

    sudo firewall-cmd --permanent --zone=public --add-service=http
    sudo firewall-cmd --permanent --zone=public --add-service=https

Alternatively, you can allow only a specific IP or IPs.

    sudo firewall-cmd --permanent --zone=public --add-rich-rule='
      rule family="ipv4"
      source address="Public IP"
      port protocol="tcp" port="443" accept'

Run this command for your changes to take effect. That's it!

    sudo firewall-cmd --reload