Preface
Basically, every application deployed in the home data center is ultimately published to the outside through a reverse proxy. This is the same as configuring a reverse proxy on a cloud host; the only difference is that port 443 cannot be used for publishing. Since I use the Baota Linux panel to implement the reverse proxy, this article takes the Baota Linux panel as an example and briefly describes the steps to configure a reverse proxy for the domain name www.example.com and enable HTTPS.
I recommend that everyone use HTTPS rather than HTTP. On the one hand, HTTP really is not secure; on the other hand, many browsers flag a site as "not secure" when it is accessed over HTTP, which is very annoying.
Add a site
Select "Website" - "Add Site":
If it is a cloud host with a public IP and the domain name has been registered, port 443 is available and the domain name in the picture above does not need a port number appended. If it is a home broadband connection or an unregistered cloud host, only a port other than 443 can be used (44443 is just an example; you can pick any port other than 443, 80 and other sensitive ports, as long as the port is reachable, though it is best to choose one that is easy to remember). Finally, click "Submit" in the lower right corner.
Setting up SSL Certificate
There are two ways to obtain an SSL certificate:
1. Manual application
Each cloud provider gives you a certain number of free one-year certificates (usually 20) as long as you purchase a domain name there. The following uses Alibaba Cloud and Tencent Cloud as examples to show where to apply.
Alibaba Cloud:
The application location is "Digital Certificate Management Service" - "SSL Certificate" - "Free Certificate" - "Create Certificate":
Alibaba Cloud provides 20 free certificates per year, and I have only one left.
Tencent Cloud:
The application location is "SSL Certificate" - "My Certificate" - "Free Certificate" - "Apply for Free Certificate":
It says 50, but only 20 can be used for Tencent domain names, the same as Alibaba Cloud.
After the certificate is issued, if you want to download it, just download the Nginx format:
2. Automatic application
This mainly refers to Let's Encrypt, which issues free certificates valid for 3 months that can be renewed automatically. However, one main domain can only apply 5 times within 168 hours; once that limit is reached, you have to wait 168 hours.
The interface shown after the site is created successfully is as follows:
In the above picture, click "Settings" in the red box on the right to enter the site settings interface:
Click on SSL in the red box on the left side of the above picture, and the interface is as follows:
If you add the SSL certificate manually, unzip the downloaded Nginx certificate package, go to "Current certificate" in the red box in the picture above, open the www.example.com.key file with a text editor and copy its entire contents into the key (KEY) field in the lower left red box; then open the www.example.com.pem file with a text editor (in fact the contents of the .pem and .crt files are the same) and copy its entire contents into the certificate (PEM) field in the lower right red box. Finally, click the green "Ensure and Enable Certificate" button below.
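Before pasting the two files into the panel, it is worth confirming that the .key and the .pem actually belong to the same key pair, since a mismatched pair is the usual reason the "enable certificate" step fails. The script below is an added example, not part of the original post; it generates a throwaway self-signed pair for www.example.com (constructed sample data) and compares the public key inside the certificate with the one derived from the private key.

```shell
#!/bin/sh
# Added example: verify that a private key and a certificate belong together.
set -eu

# Returns 0 when the SubjectPublicKeyInfo embedded in the certificate equals
# the public key derived from the private key, 1 otherwise.
cert_matches_key() {
    cert="$1"
    key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample: a self-signed key/cert pair for www.example.com and an
# unrelated key, written to a temp dir so the demo runs offline.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example.com" \
    -keyout "$demo_dir/www.example.com.key" \
    -out "$demo_dir/www.example.com.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" 2>/dev/null

# Usage: the real pair matches, the unrelated key does not.
if cert_matches_key "$demo_dir/www.example.com.pem" "$demo_dir/www.example.com.key"; then
    echo "www.example.com.pem and www.example.com.key match"
fi
if ! cert_matches_key "$demo_dir/www.example.com.pem" "$demo_dir/other.key"; then
    echo "other.key does not belong to www.example.com.pem"
fi
```

Point the two paths at the files unzipped from the cloud provider's Nginx package to run the same check on a real certificate.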
If you want to use Let's Encrypt to apply for the SSL certificate automatically, click the Let's Encrypt tab, as shown below:
I recommend DNS verification as the validation method, because if the API of your DNS provider (for example Alibaba Cloud DNS or Tencent Cloud DNSPod) is set up correctly, Let's Encrypt can renew the certificate automatically before it expires, so in theory you never have to worry about the SSL certificate expiring again. Finally, click the green "Apply" button at the bottom; if all goes well, the SSL certificate is issued automatically after a short wait:
Modify the site configuration file (optional)
This step is optional because, as mentioned earlier, it depends on whether you have a legitimately usable (registered) port 443. If you do, this step is unnecessary; if not, it is required.
After setting up the SSL certificate in the previous section, the contents of the configuration file are as follows:
As shown in the red box on the right of the picture above, the Baota panel sets the SSL listening port to 443 by default. If you have a legitimate port 443 this is no problem, but if not, external browsers will fail to establish an SSL connection, so you need to change 443 to the port you configured, which in this article is 44443. The modified content is as follows:
You only need to change this one place, then click the green "Save" button below.
Setting up a reverse proxy
Finally, we come to the point of this article: setting up the reverse proxy. Everything before this was preparation.
Click the reverse proxy in the red box on the left of the above picture, and the following interface will appear:
Click "Add Reverse Proxy" in the red box above, and the following interface will appear:
If the IP of the intranet application is 192.168.1.100 and the port is 8000, the correct configuration is as follows:
There is not much to say about the "target URL", but I would like to say something about the sent domain name and content replacement.
The default value of the sent domain name is $host, and in general you can leave it unchanged. It means that the domain name your browser accessed, www.example.com, is passed on (as the Host header) to the application behind the target URL. Many applications do not care about this, but there are some special ones. For example, when using MinIO to build a COS (see the article: Docker series: building a private COS platform based on MinIO), the Docker deployment only recognises host 127.0.0.1 (very frustrating), so for MinIO the default sent domain name cannot be used. The following is my configuration:
There are also other applications, such as WordPress and Nextcloud, which hard-code the access domain name inside the application; these may also require modifying the sent domain name.
Content replacement is useful on some special occasions. For example, the page of the free version of some software contains many words like "pro"; you can use content replacement directly to replace "pro" with blank or other words. If you are interested, you can try it.
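To show what the panel's fields map to underneath, here is an Nginx server block written as an added example (not the original post's file and not what the Baota panel itself generates) that combines the 44443 SSL port from the "Modify the site configuration file" section with the reverse proxy settings above: the target URL 192.168.1.100:8000, the sent domain name, and content replacement. The certificate paths are placeholders.

```nginx
server {
    # Baota's default is "listen 443 ssl"; on home broadband only a
    # non-443 port is reachable from outside, so 44443 is used instead.
    listen 44443 ssl;
    server_name www.example.com;

    # Placeholder paths: the panel stores the pasted KEY/PEM in its own location.
    ssl_certificate     /path/to/www.example.com.pem;
    ssl_certificate_key /path/to/www.example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # "Target URL" field.
        proxy_pass http://192.168.1.100:8000;

        # "Sent domain name" field. $host forwards www.example.com (the default).
        # Note that $host carries no port; an application that builds absolute
        # URLs from the Host header may need $http_host to keep ":44443".
        proxy_set_header Host $host;
        # For MinIO, which only accepts host 127.0.0.1, use this line instead:
        # proxy_set_header Host 127.0.0.1;

        # Tell the application who the real client is and that TLS was used,
        # so its logs and generated links are correct behind the proxy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # "Content replacement" field: sub_filter rewrites the HTML body.
        # The upstream must send uncompressed responses for this to work,
        # hence Accept-Encoding is cleared. A bare "pro" also matches inside
        # words such as "process" and inside attribute values, so in practice
        # keep the search string as specific as possible.
        proxy_set_header Accept-Encoding "";
        sub_filter "pro" "";
        sub_filter_once off;
    }
}
```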
In addition: this article mainly describes the concrete steps for building a reverse proxy with the Baota Linux panel and does not go into reverse proxy theory. If you want to understand the role and working principle of a reverse proxy further, you can refer to my other two articles: Home Data Center Series Application Release - Reverse Proxy (Part 1) and Home Data Center Series Application Release - Reverse Proxy (Part 2).