Nginx Reverse Proxy

EasyEngine v4 uses Nginx in two different ways. One is the plain old way of serving a site using Nginx as a web server. The other is routing traffic to different sites using Nginx as a reverse proxy. This article explains the nginx-proxy part in detail.

Why do we need a reverse proxy?

EasyEngine v4 uses Docker for every site. This means that if you create 10 sites, there will be 10 Nginx web servers running on your machine.

But the host machine has only one port 80 and one port 443. So by default, only one container (site) can use these ports.

So we need an intermediate layer that listens on these ports (80/443) and, based on the HTTP Host header, routes each request to the correct Nginx container.

This layer is the reverse proxy layer, which is a bit complicated to understand if you are new to the container world.

What did we like about nginx-proxy?

We wanted to find a lightweight and transparent solution for our reverse proxy needs. We explored many, and even tried traefik.io, but finally settled on jwilder’s nginx-proxy.

For us, using Nginx for both the reverse proxy and the web server gave many advantages, such as the ability to use Nginx features we are already familiar with at both levels.

Also, since we know Nginx very well, debugging the Nginx reverse proxy was easy.

How Does Nginx Proxy Work?

You may visit the request cycle article to understand how it works in the overall scheme.

Nginx Proxy File Structure

Nginx Proxy stores all data, config, logs and other files in a top-level host directory, /opt/easyengine/services/nginx-proxy/. This directory has the following subdirectories for different purposes:

Purpose                                                                    Host Directory Path
Let’s Encrypt acme-php libraries work directory                            acme-conf/
SSL certificates and keys for each site                                    certs/
Global nginx reverse proxy config                                          conf.d/
Diffie-Hellman key folder                                                  dhparam/
Folder used during Let’s Encrypt certificate generation for .well-known    html/
HTTP auth password file                                                    htpasswd/
Nginx reverse proxy logs folder                                            logs/
Site-specific configs folder                                               vhost.d/

Nginx Proxy & Containers

We are using containers for almost everything. When a container starts, or is even recreated, it gets a random IP assigned.

The Nginx Proxy keeps track of these events and regenerates the nginx configuration to allow traffic for a domain to be passed to the correct Nginx container.

This config is regenerated from a Go template and stored in the file:

/opt/easyengine/services/nginx-proxy/conf.d/default.conf

Do not modify this file, as it gets regenerated whenever any container starts or stops.

Nginx Proxy Config Customization

Please refer to jwilder/nginx-proxy’s readme for more info.

EasyEngine supports adding basic HTTP Authentication via auth-command. So please do not modify files inside /opt/easyengine/services/nginx-proxy/htpasswd. You may ignore the basic authentication support from jwilder/nginx-proxy, as it is not required and can also conflict with EasyEngine’s auth-command.

SSL Certificates

The Nginx reverse proxy is where external SSL requests are terminated. The site-specific Nginx doesn’t expose port 443. Traffic between the outer Nginx reverse proxy and the inner site-specific Nginx is not encrypted, but because both Nginx instances are on the same host machine, encryption is not needed.

For each site, EasyEngine creates three files for the nginx-proxy reverse proxy and stores them in /opt/easyengine/services/nginx-proxy/certs:

  • example.com.crt – SSL Certificate (Public Key)
  • example.com.key – Private key
  • example.com.chain.pem – Certificate Chain File
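
A check a host administrator could run against the certs directory described above (an added example, not part of EasyEngine or nginx-proxy): it reports sites whose three-file set is incomplete and private keys whose mode grants anything to group or other. The function name audit_certs and the owner-only permission expectation are assumptions of this example; the path and file suffixes are the ones listed above.

```shell
#!/bin/sh
# Added example (not EasyEngine code). Path and file suffixes are from this page.
CERTS_DIR_DEFAULT=/opt/easyengine/services/nginx-proxy/certs

# audit_certs [DIR]: print one finding per line.
# Returns 0 if clean, 1 if there are findings, 2 if DIR is not a directory.
# Assumes site names contain no whitespace or glob characters.
audit_certs() {
    dir=${1:-$CERTS_DIR_DEFAULT}
    [ -d "$dir" ] || { echo "ERROR $dir is not a directory"; return 2; }
    findings=0

    # Gather site names from all three file kinds, so a site that has
    # only a stray .key (and no .crt) is still examined.
    sites=$(
        for f in "$dir"/*.crt "$dir"/*.key "$dir"/*.chain.pem; do
            [ -e "$f" ] || continue   # an unmatched glob stays literal
            b=${f##*/}
            case $b in
                *.chain.pem) echo "${b%.chain.pem}" ;;
                *.crt)       echo "${b%.crt}" ;;
                *.key)       echo "${b%.key}" ;;
            esac
        done | sort -u
    )

    for site in $sites; do
        for ext in crt key chain.pem; do
            # -s is false for a file that is absent or empty
            if [ ! -s "$dir/$site.$ext" ]; then
                echo "MISSING $site.$ext"
                findings=$((findings + 1))
            fi
        done
        key="$dir/$site.key"
        if [ -f "$key" ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            # Hardening assumption of this example: only the owner needs the key.
            mode=$(ls -ldL "$key" | cut -c5-10)
            if [ "$mode" != "------" ]; then
                echo "PERMS $site.key group/other bits are $mode"
                findings=$((findings + 1))
            fi
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Called with no argument, audit_certs inspects the default path; the non-zero return on findings makes it usable from cron or a monitoring wrapper.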

Link: https://github.com/jwilder/nginx-proxy
