I was using an editor to write the reverse proxy, but I found a good tool to make sure it works. You can use the reverse proxy to reach the WordPress instance behind it.
The design of placing a Docker container behind an Nginx reverse proxy has several important advantages. Here are some of the main ones:
- Increased security:
  - The reverse proxy is placed in front of the actual backend server (in this case the WordPress container), thus blocking direct external access and reducing the attack surface.
  - Additional layers of security can be added with the ability to filter out unauthorized requests and attacks.
- Load balancing and redundancy:
  - Requests to multiple back-end servers (containers) can be distributed, improving service availability and fault tolerance.
  - It is especially effective in high-traffic situations and prevents overloading of individual servers by evenly distributing the server load.
- Centralized SSL/TLS management:
  - SSL/TLS certificate management can be centralized in a reverse proxy, making it easy to implement secure HTTPS connections.
  - This simplifies management by eliminating the need to configure individual certificates for each back-end server.
- Improved caching and performance:
  - Caching static content in a reverse proxy offloads the back-end servers and improves website response times.
  - This improves response time to users and the overall user experience.
- Configuration flexibility and customization:
  - Nginx is a very flexible and convenient reverse proxy that is highly configurable, including URL rewriting, redirection, and load balancing rules.
  - Customization is easy, such as adding special headers for specific requests or setting access controls.
In particular, reverse proxies are useful to effectively divert traffic to different back-end services and applications while using the same port number (typically port 80 or 443). A reverse proxy sits between the client and the server, receiving requests from the client, forwarding them to the appropriate back-end server, and sending the response back to the client.
You can check locally or in the cloud, but we will actually check with the latter. First, we need to link the domain to the external IP of the server on which the reverse proxy will be installed. Create an appropriate directory and write docker-compose.yml as in the official GitHub.
mkdir proxy
cd proxy
nano docker-compose.yml
[Description]
version: '3.8'
services:
  app:
    image: 'docker.io/jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'    # HTTP
      - '81:81'    # admin web UI
      - '443:443'  # HTTPS
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
Start the container
docker compose up -d
Go to the following URL first and enter your default email address and password to log in. The nginx-proxy-manager screen should now appear in your browser. Once logged in, you will have to create a user. Also, change the password.
http://test.example.com:81
In my environment, the firewall is enabled. However, for the sake of the length of this article, we will assume that the firewall is disabled. If it is enabled, you will need to add the port number to be used. Or disable it.
Create docker-compose.yml to launch a typical fresh Docker WordPress installation. The two instances belong to the same network segment.
version: "3.8"
services:
  db:
    container_name: testmaria
    image: mariadb:latest
    ports:
      # Publishes MariaDB on the host; WordPress reaches "db" over the
      # compose network without this mapping.
      - "3306:3306"
    volumes:
      - db_data:/var/lib/mysql
    environment:
      # Sample credentials for this walkthrough
      - MYSQL_ROOT_PASSWORD=rootpass
      - MYSQL_DATABASE=wordpress
      - MYSQL_USER=wpuser
      - MYSQL_PASSWORD=testpass
    restart: always
  wordpress:
    container_name: testwp
    depends_on:
      - db
    image: wordpress:latest
    ports:
      # The reverse proxy forwards to this host port
      - "8080:80"
    environment:
      - WORDPRESS_DB_HOST=db
      - WORDPRESS_DB_USER=wpuser
      - WORDPRESS_DB_PASSWORD=testpass
      - TZ=Asia/Tokyo
    restart: always
    volumes:
      - /etc/localtime:/etc/localtime:ro
volumes:
  db_data:
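The advantage listed earlier, blocking direct external access to the backend, only holds if the backend ports are not themselves published on every interface. The following check is an added example, not part of the original article or of either project: it reads the `ports:` entries of the two compose files above and flags those bound to all host interfaces. The allowed set, the hardened variant and the address 10.0.0.5 are assumptions.

```python
import ipaddress

# Port lists copied from the two docker-compose.yml files above.
PAGE_SERVICES = {
    "app": ["80:80", "81:81", "443:443"],
    "db": ["3306:3306"],
    "wordpress": ["8080:80"],
}
# Constructed variant: admin UI on loopback, no database port, WordPress
# published only on a private address (10.0.0.5 is a placeholder).
HARDENED_SERVICES = {
    "app": ["80:80", "127.0.0.1:81:81", "443:443"],
    "db": [],
    "wordpress": ["10.0.0.5:8080:80"],
}
# Assumption: only the proxy's HTTP and HTTPS ports should face every interface.
PUBLIC_OK = {"80", "443"}


def parse_port(spec):
    """Split Compose short syntax [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]."""
    spec = str(spec).partition("/")[0]       # drop a /tcp or /udp suffix
    parts = spec.rsplit(":", 2)              # a bracketed IPv6 host IP stays in parts[0]
    host_ip = parts[0].strip("[]") if len(parts) == 3 else "0.0.0.0"
    host_port = parts[-2] if len(parts) >= 2 else None  # None: Docker picks the port
    return host_ip, host_port, parts[-1]


def audit(services, public_ok=PUBLIC_OK):
    """Return (service, spec) pairs published on all interfaces outside public_ok."""
    findings = []
    for name, specs in services.items():
        for spec in specs:
            host_ip, host_port, _ = parse_port(spec)
            if not ipaddress.ip_address(host_ip).is_unspecified:
                continue                     # pinned to one address, e.g. 127.0.0.1
            if host_port not in public_ok:
                findings.append((name, spec))
    return findings


if __name__ == "__main__":
    for name, spec in audit(PAGE_SERVICES):
        print(f"{name}: {spec} is published on all host interfaces")
    print("hardened findings:", audit(HARDENED_SERVICES))
```

Docker publishes ports through its own iptables rules, which host firewalls such as ufw do not filter by default, so the bind address in the compose file is the setting to check.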
One of the main roles of a reverse proxy is to forward connections from clients to a backend server (e.g., a web application running on Docker) based on a specified domain name or URL pattern. The following describes the specific behavior.
- Receiving requests based on domain name or URL: A reverse proxy receives HTTP requests for a specific domain name or URL. For example, if www.example.com is accessed, the reverse proxy receives this request.
- Request parsing and routing: Received requests are parsed and forwarded to the appropriate backend servers according to the rules described in the configuration file. For example, if the request is www.example.com/blog, it can be routed to a server that handles blog content; if the request is www.example.com/shop, it can be routed to a shopping-related server.
- Request forwarding: The reverse proxy forwards the request to the backend server and receives a response from that server. During this process, it may process request headers, IP addresses, and other information as needed.
- Send response to client: The response from the backend server is returned to the client. At this time, the reverse proxy stands between the client and the backend server, so the client can receive data without being aware of the backend server's presence.
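The routing and forwarding steps above as a simplified model, added here as an example rather than taken from the original article or from Nginx's own matching logic; the backend addresses and function names are hypothetical. It refuses unknown Host values, matches path prefixes on segment boundaries, and overwrites client-supplied forwarding headers, as an edge proxy with no trusted proxy in front of it should.

```python
# Routing table for the page's example host. Backend addresses are hypothetical.
ROUTES = {
    "www.example.com": [
        ("/blog", "http://10.0.0.11:8080"),
        ("/shop", "http://10.0.0.12:8080"),
        ("/", "http://10.0.0.10:8080"),
    ],
}
# Headers a client could forge to misreport its address or scheme.
FORWARDING_HEADERS = {"x-real-ip", "x-forwarded-for", "x-forwarded-proto"}


def normalize_host(host_header):
    """Lower-case the Host header and drop any :port and trailing dot."""
    return host_header.strip().lower().partition(":")[0].rstrip(".")


def route(host_header, path):
    """Pick the backend for a request, or None when nothing should be forwarded."""
    rules = ROUTES.get(normalize_host(host_header))
    if rules is None:
        return None                   # unknown Host: refuse, no default backend
    path = path.split("?", 1)[0]      # the query string takes no part in matching
    matches = [
        (prefix, backend) for prefix, backend in rules
        if prefix == "/" or path == prefix or path.startswith(prefix + "/")
    ]
    # The longest matching prefix wins; /blogger is not under /blog.
    return max(matches, key=lambda m: len(m[0]))[1] if matches else None


def forward_headers(client_headers, peer_ip, scheme):
    """Build backend request headers, replacing client-supplied forwarding headers."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in FORWARDING_HEADERS}
    headers.update({"X-Real-IP": peer_ip, "X-Forwarded-For": peer_ip,
                    "X-Forwarded-Proto": scheme})
    return headers


if __name__ == "__main__":
    # Constructed sample requests
    for host, path in [("www.example.com", "/blog/post-1"),
                       ("WWW.Example.com:443", "/shop?item=3"),
                       ("www.example.com", "/blogger"),
                       ("other.example.net", "/blog")]:
        print(host, path, "->", route(host, path))
    print(forward_headers({"User-Agent": "curl", "X-Forwarded-For": "10.9.9.9"},
                          "203.0.113.7", "https"))
```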
Thus, reverse proxies play a very important role on the network, providing many benefits such as improved security, load balancing, and cache management by properly managing traffic based on domain names. In addition, reverse proxy software such as Nginx is very flexible in its configuration, allowing it to meet a wide variety of needs.
When using a reverse proxy, the server behind it does not need to be directly exposed to the Internet; a private IP address is sufficient. However, in a cloud environment such as AWS (Amazon Web Services), if you need to SSH into the server for administration or maintenance, it must be configured to be accessible from the outside. Global IP addresses are also in short supply, and some services now charge for them. There are several ways around this.
1. Using Elastic IP
AWS allows you to assign an Elastic IP (a fixed public IPv4 address) to your instances, making them directly accessible from the Internet. This allows you to move IP addresses between instances as needed.
2. Private Subnets and Bastion Hosts
For more security, you can use a bastion host (also known as a jump box). In this configuration, instances on the private subnet are not assigned a public IP address, but are accessed indirectly via a bastion host placed on the public subnet. The bastion host is assigned a public IP and strict security rules are applied to enhance security.
3. VPN Connections
Another common way for companies to securely access AWS resources is to set up a VPN (Virtual Private Network), which provides a secure communication channel to instances in a private subnet without those instances being accessed directly over the Internet. The VPN is also used for the following purposes
4. AWS Systems Manager
The Session Manager feature of AWS Systems Manager allows secure access to instances without an SSH key. This is a tool that allows you to connect to your instances via the Internet through the AWS Management Console or AWS CLI.
By choosing and combining these options appropriately, you can strike a balance between security and accessibility in a cloud environment. Which method you choose will depend on factors such as security requirements, cost, and management complexity.
Reverse proxies and WordPress can be installed by individuals in their homes, where a router is responsible for managing network segments and coordinating communications between devices. The router typically acts as a gateway to the home network, distributing Internet connections and providing security for the internal network.
Figure Description: Router/Gateway
- Router/Gateway: Located at the center of the home network, it manages Internet access and internal traffic routing; IP address is 192.168.1.1.
- Personal computer: Has IP address 192.168.1.2 and is connected to the router via a wired connection.
- Smartphones and tablets: Have IP addresses 192.168.1.3 and 192.168.1.4, respectively, and are connected to the router via Wi-Fi.
This screenshot shows a typical network design in a home and how the different devices are connected and communicate; it is an environment found in many homes. A reverse proxy can be used to make services bound to a specific port (e.g., an application such as Stable Diffusion) accessible externally via a simple URL. This is especially useful in development environments and internal networks, where multiple services can operate on different ports internally while providing simple, easy-to-remember URLs for external users.
Reverse proxies provide the following functions:
- Traffic routing: Reverse proxies forward traffic to the appropriate back-end servers and ports based on domain name or request path.
- SSL Termination: A reverse proxy can manage SSL/TLS certificates and terminate HTTPS communications. This eliminates the need for internal services to handle SSL directly and simplifies configuration.
- Load balancing: If multiple servers are serving the same service, a reverse proxy can distribute the load and handle increased traffic.
- Increased Security: Reverse proxies can be used to hide the IP addresses of back-end servers, protecting them from direct attacks.
For example, if you have a local instance of Stable Diffusion running on port 7860, you can set up a reverse proxy to make it accessible via the address https://example.com/stablediffusion. This way, users don’t need to remember the port number and can access the service using an intuitive URL.
These are the steps to set up a reverse proxy. Continue with creating users and changing their passwords.
http://test.example.com:81
Now let’s get specific and configure the proxy so that it can route to WordPress behind it.
In the NGINX Proxy Manager, in the Domain Name field, enter the name of the domain you want to use to access through that proxy.
This will configure NGINX to route requests with the specified domain name to the appropriate back-end service.
Specifically, the configuration proceeds in the following steps:
- Configure the domain name: Specify the domain name (e.g. example.com) to be used for external access in the proxy manager.
- Reverse proxy rule settings: Configure rules for which backend servers and services to send traffic to based on the specified domain name. This may include port number, protocol, path, etc.
- Security settings: If necessary, configure SSL/TLS certificates to enable HTTPS communication; NGINX Proxy Manager may also offer the ability to automate certificate acquisition and renewal.
- Access control and log management: You can also set up access restrictions to specific domains and logging to analyze access patterns.
NGINX Proxy Manager is a GUI tool, and with these settings multiple applications and services can operate efficiently on the same server. Requests can be properly routed through domain names for easy management.
In addition, the NGINX Proxy Manager greatly simplifies the configuration of SSL certificates. In particular, automated certificate acquisition and renewal capabilities using free SSL certificate provision services such as Let’s Encrypt make SSL certificate management easy.
Benefits of centralized SSL certificate management:
- Increased security: Centralized management of SSL certificates on a reverse proxy server avoids direct exposure of back-end servers. This setup enhances security by centralizing data encryption.
- Simplified configuration: Managing SSL certificates for multiple back-end servers in one place eliminates the need to configure and renew certificates individually on each server. This reduces configuration errors and simplifies operations.
- Improved performance: The reverse proxy server absorbs the load of SSL/TLS negotiation, allowing more efficient use of back-end server resources. This improves overall server performance.
- Compliance: Certain industries are required by law or regulation to encrypt data, and centralized management of SSL certificates allows these requirements to be met efficiently.
The NGINX Proxy Manager makes these settings intuitive through a GUI, and regular certificate renewals are automatic, making it easy to maintain ongoing security. This is a great advantage for companies and organizations, as it allows them to create a secure and reliable web environment.
When setting up a reverse proxy, it is common to tie multiple domain names to a single external IP address. The same physical or virtual server can host multiple websites and applications and handle traffic efficiently. After all, you would assign multiple domain names to the external IP of the reverse proxy server if there are multiple servers behind it.