Reverse-proxy
The reverse-proxy server hides the internal structure of the network, in particular the IP addresses of the actual web servers. It also offloads SSL negotiation from the actual web service and caches frequently requested content.
A cluster of nginx servers is used as a reverse proxy for applications hosted in the home lab. A main frontend server sends traffic to one of two backend servers, which are configured for redundancy. By default, traffic is directed to the first server listed in the upstream block shown below. If this server is down, traffic is automatically directed to the other server.
Frontend Server Configuration
The main server's /etc/nginx/nginx.conf file is configured with the following upstream block to instruct nginx to use one of the two proxy backend servers.
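http {
    # BEGIN ANSIBLE MANAGED BLOCK
    upstream backend {
        # Primary: skipped for 5s after 3 failed attempts within 5s
        server rproxy-1:80 max_fails=3 fail_timeout=5s;
        # Backup: receives requests only when the primary is unavailable
        server rproxy-2:80 backup;
    }
    # END ANSIBLE MANAGED BLOCK
    # ... remainder of the http block ...
}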
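The failover behaviour of this upstream block, as a simplified Python model added here (it is not part of the original page and not nginx's own code). It follows the documented meaning of max_fails, fail_timeout and backup; the Peer class, the route() and replay() functions and the timeline are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    max_fails: int = 1          # nginx default when the parameter is omitted
    fail_timeout: float = 10.0  # nginx default, in seconds
    backup: bool = False
    fails: list = field(default_factory=list)  # timestamps of recent failures
    down_until: float = 0.0     # peer is skipped until this time

    def record_failure(self, now):
        # Count only failures that fall inside the fail_timeout window.
        self.fails = [t for t in self.fails if now - t < self.fail_timeout]
        self.fails.append(now)
        if self.max_fails and len(self.fails) >= self.max_fails:
            self.down_until = now + self.fail_timeout  # skip peer for fail_timeout
            self.fails = []

def route(peers, now, healthy):
    """Return (serving peer or None, peers attempted) for one request at time `now`."""
    live = [p for p in peers if now >= p.down_until]
    # Primaries are tried first; backups only after every primary is skipped or fails.
    order = [p for p in live if not p.backup] + [p for p in live if p.backup]
    attempted = []
    for p in order:
        attempted.append(p.name)
        if p.name in healthy:
            p.fails = []
            return p.name, attempted
        p.record_failure(now)
    return None, attempted

def replay(timeline):
    # The two servers from the page's upstream block.
    peers = [Peer("rproxy-1", max_fails=3, fail_timeout=5), Peer("rproxy-2", backup=True)]
    return [(t, *route(peers, t, healthy)) for t, healthy in timeline]

# Constructed timeline: rproxy-1 is unreachable from t=1 and reachable again at t=6.
TIMELINE = [(0, {"rproxy-1", "rproxy-2"}), (1, {"rproxy-2"}), (2, {"rproxy-2"}),
            (3, {"rproxy-2"}), (4, {"rproxy-2"}), (6, {"rproxy-1", "rproxy-2"}),
            (9, {"rproxy-1", "rproxy-2"})]

if __name__ == "__main__":
    for t, served, attempted in replay(TIMELINE):
        print(f"t={t}s served_by={served} attempted={attempted}")
```

In this model the backup serves requests from the first failure onward, but rproxy-1 is still attempted on every request until the third failure; a recovered rproxy-1 receives no traffic until its fail_timeout has passed.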
Each web server configuration (i.e., in sites-available) uses the upstream block as shown here. Note that the SSL handshake is also done here.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name homelab.refol.us;
    # TLS terminates here, on the frontend server
    ssl_certificate /data/certs/homelab.refol.us/fullchain.pem;
    ssl_certificate_key /data/certs/homelab.refol.us/privkey.pem;
    index index.html index.htm index.php;
    location / {
        # Forward to the "backend" upstream group defined in nginx.conf
        proxy_pass http://backend;
    }
}
Backend Server Configuration
The backend server configurations are identical to each other. Each is set up as an ordinary reverse proxy. Notice that there is no secure connection (i.e., no SSL) to the actual service, so requests travel from the frontend to the backend and on to the service as plain HTTP. The SSL connection is handled by the frontend nginx server.
location / {
    # Plain HTTP to the actual service
    proxy_pass http://192.168.2.186:80;
}