
Differences

This shows you the differences between two versions of the page.

sailing:nginx [2023/12/01 07:46] willy
sailing:nginx [2024/02/01 07:00] (current) – removed willy
Line 1: Line 1:
-Prev  to: [[sailing:networksetup|Network setup]] 
  
-Next to: [[sailing:organizers|The *Arr's setup]] 
- 
----- 
-====== The Reverse Proxy concept ====== 
- 
-Most of the tools described in these pages have web-based interfaces. It is **not** a good idea to access them directly for quite many reasons: 
-  * Scalability, since the tools don't come with a fully featured web server 
-  * Security, since the tools don't come with a fully featured web server 
-  * Access control, since the tools don't come with a fully featured web server 
-  * Configuration, since you might want to provide specific URL's for each service 
-  * Organization, since you will want to have a centralized dashboard to manage all the links to the tools 
- 
-In other words, you want a reverse-proxy even if you are going to use this setup only from inside your home. More so, if you plan to have remote access, a reverse-proxy is a must. But what is a reverse-proxy? Basically a front-end web server that is capable to wrap a series or services together adding login, security, SSL and a common access point for them all. 
- 
-There are lots of possible software to use. Basically any web server can act as a reverse proxy. Some are more suited than others, and my choice is on NGINX for a few reasons: 
-  * Much easier than [[https://www.apache.org|Apache]] to setup as a reverse-proxy 
-  * Much lighter and less features full than Apache 
-  * More complex and more features than [[https://caddyserver.com/|Caddy]]  
-  * Fully integrated in [[https://letsencrypt.org|Let's Encrypt]] SSL infrastructure / CertBot script 
-  * I don't personally know how to setup other similar tools 
- 
-In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like [[https://www.php.net|PHP]] support or FastCGI, NGINX will support you without the need for an additional service on your server.  
- 
- 
-===== Installing NGINX ===== 
-NGINX installation on the home server is pretty straightforward, but we need to enable one specific authentication module, the //pam// authentication module, because i will show you how to link NGINX authentication to your home server users directly, without the need to create more users and passwords. If you prefer to use a different authentication, like basic_auth, i leave this out to you. 
- 
-So create the file **/etc/portage/package.use/nginx** with the following lines: 
-<code> 
-app-misc/mime-types nginx 
-www-servers/nginx NGINX_MODULES_HTTP: auth_pam gunzip sub 
-</code> 
- 
-(the first line is needed at the time of writing this page, YMMV) 
- 
-Note: you might want to tweak the second line to your needs, see the [[https://wiki.gentoo.org/wiki/Nginx|flags for nginx]] and adapt. 
- 
-A brief explanation of the above USE flags: 
-  * //auth_pam// is used to enable PAM based authentication 
-  * //sub// is used to allow substitutions inside the pages proxied, to fix web applications that don't play well with reverse-proxies 
-  * //gunzip// is used to unzip the requests and let the //sub// module works also on compressed requests 
- 
-Now install nginx: 
-<code bash> 
- > emerge -v nginx 
-</code> 
- 
-==== NGINX pam_auth ==== 
- 
-I think it's nice that with NGINX you can authenticate your users directly with your home server users. This means you don't need to add a second set of users, and that the users will only need one password, and no sync is required between HTTP users and server users. This is achieved using the **pam_auth** module on Linux. You have already built nginx with pam_auth support, but you need to configure it. 
- 
-Create the file **/etc/pam.d/nginx** with these lines: 
-<code> 
-auth required pam_unix.so 
-account required pam_unix.so 
-</code> 
- 
- 
-==== NGINX main configuration ==== 
- 
- 
- 
-==== Generate SSL certificates for HTTPS ==== 
- 
- 
- 
----- 
-Next to: [[sailing:organizers|The *Arr's setup]] 
- 
-Prev  to: [[sailing:networksetup|Network setup]] 
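
Review bot: the whole page is deleted with only "removed" as the edit summary, so nothing here records where the reverse-proxy material now lives. The deleted text carries Prev/Next links to sailing:networksetup and sailing:organizers, which suggests those pages link back to this one; update their navigation or leave a one-line pointer to the replacement instead of an empty page. The headings "NGINX main configuration" and "Generate SSL certificates for HTTPS" were still empty at deletion, and the /etc/pam.d/nginx stanza was the only authentication setup documented, so confirm that the PAM configuration is carried over wherever this content moves.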
