Reverse Proxy on NGINX for MIAB

Hello, my setup is:
network 192.168.1.0/24
1 public IP address, domain and subdomain

1 VM webserver/apache2 with 192.168.1.110:8080
1 VM MIAB with 192.168.1.120
1 VM proxy/nginx with 192.168.1.150

1 router, settings: 192.168.1.150 ports 80 and 443 are forwarded
192.168.1.120 ports for MIAB open. (MIAB system message all green)

How to set reverse proxy on 192.168.1.150 to work with 192.168.1.110:8080 and 192.168.1.120:80
my config on proxy is
server {
    listen 80;
    listen [::]:80;
    server_name xxxx.xx;
    location / {
        proxy_pass http://192.168.1.110:8080;
        proxy_set_header Host $host;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name box.xxx.xx;
    location / {
        proxy_pass http://192.168.1.120:80;
        proxy_set_header Host $host;
    }
}

Webserver works fine. MIAB doesn't do anything. Without proxy MIAB works excellent.
I don't want to buy another IP for mailserver only.
Thanks for help

Not exactly sure what it is you are wanting to do here but will try to suggest some ways of dealing with what I think you are looking for.

To summarize, there are two systems that have web services and other services you want to access via the web. One is an Apache web server and the other is a MIAB server. Both need access to the web and both have web servers that you want to be able to access from the web separately without the need for another (static?) IP address. Because this is the case you are looking to deploy another server with a Nginx reverse proxy. I’m guessing this is to route web traffic to the other two servers. Is this correct so far?

yes this is correct :heart:

Are you wanting to use a reverse proxy in between the 2 servers and the 1 public IP?

Can you help me understand the specifics of this and the core reason for wanting a reverse proxy vs using port forwarding at the firewall/router?

Here’s a Guess.

I have a single static IP, but I have multiple servers that need to “share” that IP.

So I port fwd from my router or firewall to the NGINX reverse proxy. 80/443.

From there the NGINX reverse proxy can pass traffic from www.example.com to the correct server running as the webserver for www.example.com

Now I want mail.example.com to go to the MiaB server so I instruct NGINX to send all “mail.example.com” traffic to MiaB (the correct server behind the scene)…

Now I want helpdesk.example.com to go to a completely different server than the first two…

Mail should in fact work because I can port fwd all the other ports directly to that server, such as 25, 993, 587, 4190, essentially everything except 80/443. Because those ports are not duplicate.

This would be WHY (I think) they would want to do this… now the NGINX box that does all the reverse proxy stuff could either be its own box or you could essentially send everything directly to the MiaB server and fix the nginx conf to have it pass stuff on to the correct servers behind the scenes.

I was going to do a setup like this for myself but essentially opted to just host MiaB on its own IP for simplicity.

I had this working with an HAproxy box that essentially got the 80/443 ports and then sent out all the stuff to backend servers, but the one thing that would never work right with HAproxy is passing along the letsencrypt stuff to MiaB directly. HAproxy wanted this cert, plus this cert gets used for more than just 80/443.

I think if I was to try this again I would configure NGINX to do the reverse proxy to backend servers on MiaB -or- just get a paid cert and install it on both HAproxy and the mail server.

I think what you want to do is send everything to your MiaB server and then modify this file:

/etc/nginx/conf.d/local.conf

server {
    server_name helpdesk.example.com;
    location / {
        proxy_pass http://192.168.1.120:80;
        proxy_set_header Host $host;
    }
}

maybe stick it in somewhere around line 127? before the #control panel tag. ??

feel free to hit me up on the Mail-in-a-Box Community Chat on Slack (same user as the forums)
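The certificate problem described above goes away if the proxy never terminates TLS for the mail host. The following is an added example, not from any poster in this thread and not Mail-in-a-Box's own configuration: on the separate proxy VM (192.168.1.150), nginx's stream module routes port 443 by SNI and passes the mail host's TLS through untouched, while port 80 is still routed by Host header. The names `example.com` and `box.example.com`, the local port 8443 and the certificate paths are placeholders.

```nginx
# Added example for the dedicated proxy VM (192.168.1.150). Placeholder names:
# example.com / box.example.com stand in for the masked xxxx.xx / box.xxx.xx.

# --- top level of nginx.conf (outside http {}) ---
stream {
    # Choose the backend from the TLS SNI name without decrypting anything,
    # so Mail-in-a-Box keeps terminating TLS with its own certificate.
    map $ssl_preread_server_name $tls_backend {
        box.example.com  192.168.1.120:443;   # MIAB, TLS passed through
        default          127.0.0.1:8443;      # everything else: local vhost
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;          # inspect the ClientHello only
        proxy_pass $tls_backend;
    }
}

# --- inside http {} ---
# Port 80 for the mail host goes to MIAB as-is, so an HTTP-01 ACME challenge
# and MIAB's own HTTP handling still reach it.
server {
    listen 80;
    listen [::]:80;
    server_name box.example.com;
    location / {
        proxy_pass http://192.168.1.120:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# The website: TLS terminates here on the proxy, then plain HTTP to Apache.
server {
    listen 127.0.0.1:8443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path
    location / {
        proxy_pass http://192.168.1.110:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

This needs an nginx build with the stream and stream_ssl_preread modules; the mail ports (25, 587, 993, 4190) are still forwarded from the router straight to 192.168.1.120 as described above.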

yes, I need reverse proxy between x servers - firewall, webservers, MIAB, maybe other services on 1 public IP.

MIAB listens on port 80. Apache listens on port 80. If I forward them out only one works.
I tried to manipulate Apache to work on a different port, but it doesn't work. Edgerouter-x is my router.
Reverse proxy is the standard solution. Or I like it more because I have to forward only one LAN IP.
Or make it simple - when I forward MIAB only, it works beautifully. When I change forwarding to the reverse proxy and configure nginx as reverse proxy, it doesn't work at all.
This configuration on the reverse proxy is not working for MIAB but it works for the webserver with virtualhost as well.
server {
    listen 80;
    listen [::]:80;
    server_name box.xxx.com;
    location / {
        proxy_pass http://192.168.1.120:80;
        proxy_set_header Host $host;
    }
}
Question is why is this not working and how to make it work.

thx for your time and patience.

You still need your DNS updated to pass that info to nginx server_name correctly, and you probably won't be able to “test” this yourself unless you maybe take your phone off wifi and test from your phone's data connection. Inside your house/business it will never work properly, but from the outside it should.

Also I don't think you need the listen stuff twice because it's already in the config file

but it's not clear where you are doing this… are you doing this on the MiaB server or somewhere else like a 3rd server?

you mean make reverse proxy directly on MIAB server? I was thinking that all configs will be automatically changed on updates.

They would for sure… but MiaB has nginx already installed and also has examples in the config that already reverse proxy stuff back to the box itself.

You would essentially have to “keep track of your custom config” and put it back after an upgrade.

I do this all the time for things that people don't want in the server’s code – like allowing images to load in roundcube by default.

yes, it's not supported, yes it's probably not the best idea, but I'll be honest, if you don't do it on the MiaB server then the cert stuff will likely be an issue.

I’m very familiar with edgerouters too, I used to use them.

again, hit me up on slack if you want to talk back and forth quicker.

Oh, one VERY important thing: totally recommend making a backup of the config file

cp /etc/nginx/conf.d/local.conf /home/etc-nginx-conf.d-local.conf

thank you, i will try it and then i will report back. :nerd_face:

probably need to bounce nginx too…

service nginx reload  

if you get an error then you either put it in the wrong spot in the config file or have a stray syntax.

you can also test it before trying to reload

nginx -t -c /etc/nginx/nginx.conf

(oops - need to test against the main config file) sorry for the multiple edits

@Vigo - How did you make out?

I have been able to achieve a reverse proxy via MIAB for a Matrix server. It's pretty simple and I’ve been able to do it by putting the config in /etc/nginx/sites-enabled/your.domain.tld

today is the day. First I changed router from edgemax-x to mikrotik, so this was that delay. And another thought: if I insert one webserver into one VLAN and MIAB into another VLAN, what will be the result in the end on the forwarded IP address? Will there be the same conflict on port 80?

yes, exactly this is what i am going to try today. and another thing i am going to try, but i will speak about it after test.

Yes, the problem is one public IP. You can only do a port fwd to one device at a time.

Ok. i will describe what i did in steps.

  1. forwarded all traffic to MIAB: 80, 443 and all mail thingies
  2. in new file on etc/nginx/sites available/ I made new conf. with reverse proxy configuration. Same code as I have on reverse proxy.
  3. created link to sites-enable and restarted nginx service.
  4. MIAB works as usual, but there are no signs of webservers' data.
    When I write the address for the apache subdomain only the NGINX default page is shown, in this case the mail in the box default page.

here is the code that I use for nginx default.conf -
$=variable, it is only here for security. Normally my real domain is there.
As you see there are two webservers:
one server, 192.168.1.110, is the server with 2 virtualhosts
second server is default.

server {
    server_name $domain.eu web.$domain.eu test.$domain.eu;
    location / {
        proxy_pass http://192.168.1.110:80;
        proxy_set_header Host $host;
    }
}

server {
    server_name wiki.$domain.eu;
    location / {
        proxy_pass http://192.168.1.111:80;
        proxy_set_header Host $host;
    }
}

I think there must be also code for MIAB itself?

and later I inserted the proxy code into conf.d/local.conf, disabled default.config and restarted nginx, with the same results

I forgot to put there this code for proxying MIAB
server {
    server_name helpdesk.example.com;
    location / {
        proxy_pass http://192.168.1.120:80;
        proxy_set_header Host $host;
    }
}
:innocent: :innocent: