You’ve been to 43 tutorials. You’ve been to 17 YouTube videos. Heck, you’ve been to Reddit and they’re so smart over there in their wonderful /r/Nginx subreddit, they forgot how to explain it to us beginners. How the crap is it that nobody can figure out how to explain a frigg’n reverse proxy (using Nginx) in plain, dumb-ol English? I mean seriously.
Let’s begin the tutorial for dummies. I’m your dummy captain.
1. Presumptions:
You know enough to be dangerous. That’s good. You’ve also installed Linux Mint on something. Nice. We’re using Linux Mint 19 (which is bleeding edge at the time of writing), installed as a VM on VMware ESXi 6.7 (not relevant, don’t run away; I don’t care what you installed it on).
2. The Goal:
You want to type in “Ombi.YourDomainName.com” and have it show you the Ombi login so you can tell your friends to request movies using an easy URL, and not YourDomainName.com:65445 or whatever. Your friends and family can’t memorize that port number – and you don’t blame them.
Ombi happens to use port 5000 by default. Substitute your web application’s port number when I mention 5000.
3. Actual Step 1; Get it working locally first:
sudo apt-get update && sudo apt-get install nginx
This will install nginx on your Linux Mint 19 server/VM/hardboiled egg.
/etc/nginx/sites-available/
See this folder here? Go there. You’ll see a file called “default”. Dump it in the garbage. Don’t have permissions to do that? Well, this my friends is where Linux Mint is better than everyone else; Go back one folder so you can see the “sites-available” folder. Right click that bad boy, and scroll down to “Open as Administrator”. Heck yeah, root access. Now tell that default file to suck it (delete).
Make a new file. Call it something awesome (like the name of your service/app). I’m going to call mine ombi.conf so I remember what service I’m forwarding. You’ll be making a .conf file for each reverse proxy forward. Don’t give me that look. You’ll do it and you’ll like it!
In this file let’s put some stuff (I’ve bolded what you’ll be modifying):
    server {
        # The port that hits this server is port 80. Like normal non-HTTPS websites do. Let's have Nginx listen to it.
        listen 80;

        # This line asks "what is the end user typing into the address bar to get to this website?" Easy.
        server_name plexrequests.themillers.club;
        # That name above should be easy enough for the family to remember. It's not short, but oh well. No port number to memorize - yay!

        # This next part is interesting. To be honest I don't know what any of it does myself, I just know it works. I'll highlight the things you need to change for yourself.
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Check it out, this is the IP of the machine you have Ombi (or whatever application you're setting up) on. On my local network, going to that address + port means I land on the website it provides.
            proxy_pass http://192.168.3.111:5000;
            proxy_read_timeout 90;

            # Rewrites redirects sent by the app so they use the public name (same name as server_name above).
            proxy_redirect http://192.168.3.111:5000 http://plexrequests.themillers.club;
        }
    }
Guess what? Some of that code isn’t even needed. Which part? No idea. Just stick to the plan. Save that file to the /etc/nginx/sites-available/ folder.
3. DNS. The part nobody freaking explains. Ever. In Any Tutorial.
In a normal home, your computer has an IP address, a subnet mask, a default gateway,…. and a DNS setting. In Linux Mint 19, it looks like this when you choose to “edit” the Wired Connection:
Notice the only thing I’ve done is used manual settings. This was so I could statically assign the 192.168.3.250 IP address. See that DNS Server entry? That’s our home router’s IP address. Does your home router know where plexrequests.themillers.club is? No. Not yet. We’re still focusing on getting this working inside your network first.
Because we’re trying to get this working right on the Linux Mint server also, let’s modify the “hosts” file (located in the /etc/ folder). The hosts file is what the computer checks first for address lookups. Even before DNS.
It may look something like this:
    127.0.0.1 localhost
    127.0.1.1 Nginx-ReverseProxy2
… along with some ip6 crap nobody cares about. Neat.
Let’s add something.

    127.0.0.1 localhost
    127.0.1.1 Nginx-ReverseProxy2
    127.0.0.1 plexrequester.themillers.club
This says “oh, you typed plexrequester.themillers.club into the browser? I’ll attempt to load that right here, right now on this server” because 127.0.0.1 means localhost (aka, right HERE). Nginx will take the request at this stage, loading our .conf files to see if there’s a subdomain.domain.club matching the browser.
Save the modified hosts file to your documents folder, and then paste it into the /etc/ folder by right clicking the /etc/ folder and opening as administrator, then pasting (yes, annoying security, blah blah blah).
Optional Note: On a domain? Have a Microsoft DNS server? Cool. Add a host entry like this one (make sure it points to the Nginx VM; my Nginx VM is on 192.168.3.236). This makes it so if a computer in your house has its DNS servers set to your Microsoft DNS servers, it will look at plexrequests.[domainname].club and return 192.168.3.236 for you, and Nginx will say “hey cool, looks like you actually want 192.168.3.111:5000, here you go”.
4. Activate this thing.
Notice we put our .conf into the “/etc/nginx/sites-available” folder? Well, nginx actually looks at the “/etc/nginx/sites-enabled” folder to activate the .conf you put in there. We need to use a symbolic link (translation: if it looks in the sites-enabled folder, it’s going to magically point back to the sites-available folder).
sudo ln -s /etc/nginx/sites-available/[name of file].conf /etc/nginx/sites-enabled/[name of file].conf
Boom. Symbolic link created. Nice work.
Now let’s restart the nginx service and give this baby a whirl.
sudo service nginx restart
5. Test Time.
Now, at this point, it’s good practice to turn off your wired network, and turn it back on. This makes sure the DNS and host files are using the absolute latest settings we’ve got.
Open a new terminal window, and try pinging your subdomain.
ping plexrequester.themillers.club
Did it reply? :O I hope so. That’s a good sign if it did.
Open Firefox (you haven’t had time to install Chrome[ium] yet – you’ve been busy pulling your hair out) and navigate to your subdomain address… success! (I hope)
If it didn’t work… does your website load up when you put “localhost” into Firefox and push enter? It should. Nginx grabs the first .conf file it can see, and sets it as the default address.
6. Ok, you’re almost done. Let’s get it working outside the network too.
Cool. It works on your Nginx server. I’m so happy for you. To get it working outside, it’s pretty simple:
- You need to forward port 80 from your router… to the NginxServer port 80.
- On a PFSENSE router, it looks like this:
- You need to create a “host record” on the domain registrar’s website. For example, on namecheap.com, it looks like this:
That’s it.
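Once port 80 is forwarded, the default behaviour mentioned in the test step (Nginx treats the first .conf it loads as the default) means a request for any hostname, or for the bare public IP, gets proxied to the app. The following is an added example, not part of the original tutorial: an explicit catch-all server that drops unmatched hostnames, shown next to the tutorial's Ombi block. The file name 00-catchall.conf is an assumption; the hostname and addresses are the tutorial's own.

```nginx
# --- /etc/nginx/sites-available/00-catchall.conf (file name is an assumption) ---
# Explicit default for port 80. Any request whose Host header matches no
# server_name in the other .conf files lands here, instead of in whichever
# .conf nginx happened to load first.
server {
    listen 80 default_server;
    server_name _;      # placeholder name that never matches a real hostname
    return 444;         # nginx-specific code: close the connection, send nothing
}

# --- /etc/nginx/sites-available/ombi.conf (the tutorial's block) ---
server {
    listen 80;

    # Must be exactly the name people type, and the same name used in the
    # hosts-file entry for local testing; anything else now goes to the
    # catch-all above and gets no response.
    server_name plexrequests.themillers.club;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://192.168.3.111:5000;
        proxy_read_timeout 90;
    }
}
```

Both files need their own symbolic link in sites-enabled. Running `sudo nginx -t` before the restart catches a syntax error before it takes the proxy down.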
7. Here’s How It Works!
Now, when you are outside of your network (or on a computer that has their DNS setting set to automatic) you’ll get the following to happen:
- Browser Requests http://plexrequests.themillers.club
- Namecheap says “That belongs to me. Your host records indicate themillers.club is xxx.xxx.xxx.xxx (my home public IP address)”.
- The request hits my public IP address (my router at home). The router says “hey someone just requested some website on port 80”.
- Port 80 is forwarded, so it shoots the request to 192.168.3.236 (our Nginx server) which says “hey Router, thanks for the port 80 request — what the heck was the full address they wanted?”
- After the router gives its answer, Nginx pilfers through your .conf files, looking for that address (plexrequests.themillers.club). It finds it, and checks out the proxy address (192.168.3.111:5000). It then dishes out that website.
Cool huh?
Please, PLEASE drop a comment if this helped you. I’m just a normal Joe trying to explain things. 🙂
Everywhere you see 192.168.3.250, I meant 192.168.3.236. 🙂
Really nice guide. You explained it really well. I am about to do this in a FreeNAS jail, but it looks like the process is pretty similar. Have you done it on FreeNAS?
Also wondering about security. Is this “best practice”?
This was super helpful, thanks so much!