Sample nginx configuration for proxy when using remote device management
This is a sample configuration for an NGINX 1.14.1 reverse proxy, as used on an NGINX instance installed on Rocky Linux 8. Replace the placeholders in angle brackets (for example <ip of management console>) with the values for your environment. Other reverse proxy products will need different changes, and you should test your configuration before deploying it. Additional entries will be needed if the NGINX instance also handles other types of network traffic.
How TLS is enabled on the listening socket depends on the nginx version your Rocky Linux release ships: the "ssl on;" directive was deprecated in nginx 1.15.0 and removed in 1.25.1, and "listen <port> ssl;" is the replacement that works on every release. See the comments in the configuration below.
More information on the nginx config file can be found from nginx: https://docs.nginx.com/nginx/admin-guide/basic-functionality/managing-configuration-files/
The example below was used as a single configuration file placed in nginx.conf. The location of nginx.conf varies with the operating system and the package used to install NGINX, but it is usually /etc/nginx/nginx.conf.
Note: NGINX for Windows may not perform as well as NGINX for Linux. See http://nginx.org/en/docs/windows.html for more information.
Tip: When configuring nginx with CA-signed certificates, you will have a leaf (server) certificate, one or more intermediate certificates and a root certificate. nginx reads the server certificate and its chain from the single file named by ssl_certificate, and it treats the first certificate in that file as the server certificate, so concatenate the PEM files in the following order:
- Leaf Certificate
- Intermediate Certificate(s)
- Root Certificate
The root is not needed by clients that already trust it, but including it does no harm. If the order is wrong, "nginx -t" fails with a key values mismatch error, because the key in ssl_certificate_key does not match whichever certificate comes first. If you use other reverse proxy software, consult its documentation.
# MC (management console) reverse proxy configuration
## Sized for 20,000 clients: each proxied client uses two connections (client side
## and upstream side), so 20,000 clients need about 40,000 connections and file
## descriptors; the values below leave headroom.
worker_rlimit_nofile 80000;
# worker_processes is not set, so nginx runs a single worker process;
# "worker_processes auto;" (one per CPU) is the usual choice for a busy proxy.
events {
    worker_connections 50000;
}
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include mime.types;
    default_type application/octet-stream;

    # Standard WebSocket pattern from the nginx documentation: when the client
    # sends an Upgrade header, forward "Connection: upgrade"; the empty-string key
    # ('') matches requests without an Upgrade header, for which Connection is
    # set to close. The single quotes are intentional.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream websocket {
        server <ip of management console>:5172;
    }

    # Also applies to the WebSocket connections: a connection that carries no data
    # for 90 seconds is closed unless the application sends its own keepalives.
    proxy_read_timeout 90;

    server {
        # "listen ... ssl" enables TLS on the socket and works on every nginx
        # release, including 1.14.1. The older "ssl on;" directive was deprecated in
        # nginx 1.15.0 and removed in 1.25.1, so it is not used here.
        listen 5172 ssl;

        location / {
            # Proxy to the upstream group defined above (the original pointed at the
            # console IP directly, which left the upstream block unused).
            proxy_pass https://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # nginx does not verify the upstream's certificate by default
            # (proxy_ssl_verify off). Enable proxy_ssl_verify together with
            # proxy_ssl_trusted_certificate if the console's certificate can be
            # validated from the proxy.
        }

        # Relative certificate paths are resolved against the nginx configuration
        # directory (/etc/nginx on Rocky Linux). The bundle must contain the leaf
        # certificate first, then the intermediate(s), then the root.
        ssl_certificate proxy-certificate-ca-chain.pem;
        ssl_certificate_key proxy.key;
        # The original list also named "*-CBC-SHA256" and "*-CBC-SHA384" suites.
        # Those are not OpenSSL cipher names (OpenSSL calls them e.g.
        # ECDHE-RSA-AES128-SHA256), so OpenSSL silently ignored them and only the
        # three AEAD suites below were ever negotiable. All of them are TLS 1.2
        # suites, so TLS 1.0/1.1 clients cannot complete a handshake even though
        # ssl_protocols is left at its default; set "ssl_protocols TLSv1.2 TLSv1.3;"
        # explicitly if your policy requires it.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
    }

    log_format upstream_time '$remote_addr - $remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent" '
                             'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
    # Relative log paths are resolved against the nginx prefix (/usr/share/nginx
    # on Rocky Linux), not the configuration directory. The original used
    # "logs/access.log" and "logs/error.log", which makes nginx fail to start with
    # an open() error when that directory does not exist; either create the
    # directory named in the error message or, as here, use the package's log
    # directory.
    access_log /var/log/nginx/access.log upstream_time;
    # "debug" is very verbose and records request details; the original used it.
    # Raise the level to debug while troubleshooting and lower it again once the
    # proxy works.
    error_log /var/log/nginx/error.log warn;
}
For deployments with a large number of endpoints, the proxy must be able to hold a large number of simultaneous connections, and some additional operating system configuration may be required. Each proxied client costs two connections (client side and upstream side) and therefore two file descriptors, which is why the sample sets worker_connections 50000 and worker_rlimit_nofile 80000 for 20,000 clients.
For example, with nginx installed on Rocky Linux 8, add the following entries to /etc/security/limits.conf on the nginx virtual machine:
* soft nofile 65535
* hard nofile 65535
Note that /etc/security/limits.conf is applied by PAM to login sessions only; it does not apply to nginx when it is started as a systemd service. For the service, set LimitNOFILE in a drop-in for the nginx unit (systemctl edit nginx) and confirm the effective value with cat /proc/<worker pid>/limits after a restart. In practice the worker_rlimit_nofile directive in nginx.conf already raises the workers' limit as long as the master process runs as root, which is the package default; if the master runs unprivileged, nginx logs a setrlimit(RLIMIT_NOFILE) failure and the lower limit stays in force.
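The limits above are one half of a budget; worker_connections and worker_rlimit_nofile in nginx.conf are the other half, and what matters in the end is the limit a worker process actually runs with. As an added example (not from this page or the vendor), this shell snippet reads the two directives from an nginx.conf, reads the "Max open files" line in the format of /proc/<pid>/limits, and checks both against an expected client count. The sample nginx.conf and limits texts are constructed for the demo, and the function names are assumptions.

```shell
# Added example, not from the original page: check the file-descriptor budget of
# an nginx.conf against the limit the worker process actually has. POSIX sh + awk.

# Print the value of the first occurrence of a directive in an nginx.conf,
# ignoring comments. usage: nginx_directive <conf> <directive>
nginx_directive() {
    awk -v d="$2" '
        { sub(/#.*/, "") }
        $1 == d { gsub(/;/, "", $2); print $2; exit }
    ' "$1"
}

# Print "soft hard" from the "Max open files" line of a /proc/<pid>/limits file.
max_open_files() {
    awk '/^Max open files/ { print $4, $5; exit }' "$1"
}

# Return 0 when the budget is consistent, 1 otherwise, printing each finding.
# Rule of thumb for a proxy: every client connection also opens an upstream
# connection, so each client costs two connections and two descriptors.
# usage: fd_budget_check <nginx.conf> <limits-file> <expected-clients>
fd_budget_check() {
    conf=$1; limits=$2; clients=$3; ok=0
    wc=$(nginx_directive "$conf" worker_connections)
    rl=$(nginx_directive "$conf" worker_rlimit_nofile)
    set -- $(max_open_files "$limits")
    soft=${1:-0}; hard=${2:-0}
    if [ -z "$wc" ] || [ -z "$rl" ]; then
        echo "FAIL worker_connections and worker_rlimit_nofile must both be set"; return 1
    fi
    need=$((clients * 2))
    if [ "$wc" -lt "$need" ]; then
        echo "FAIL worker_connections $wc < $need ($clients clients x 2 connections each)"; ok=1
    fi
    if [ "$rl" -lt "$wc" ]; then
        echo "FAIL worker_rlimit_nofile $rl < worker_connections $wc"; ok=1
    fi
    if [ "$soft" != unlimited ] && [ "$soft" -lt "$rl" ]; then
        echo "FAIL worker runs with nofile $soft/$hard, below worker_rlimit_nofile $rl" \
             "(directive not applied: check LimitNOFILE on the unit and that the master runs as root)"; ok=1
    fi
    [ "$ok" -eq 0 ] && echo "OK $clients clients: worker_connections=$wc worker_rlimit_nofile=$rl nofile=$soft/$hard"
    return $ok
}

# --- constructed demo inputs mirroring the page's sizing (not real files) ---
demo=$(mktemp -d)
cat > "$demo/nginx.conf" <<'EOF'
worker_rlimit_nofile 80000;
events {
    worker_connections 50000;   # sized for 20,000 proxied clients
}
EOF
# "Max open files" as it appears in /proc/<pid>/limits: once after
# worker_rlimit_nofile took effect, once with a typical service-unit default.
printf 'Max open files            80000                80000                files\n' > "$demo/worker.limits"
printf 'Max open files            1024                 4096                 files\n' > "$demo/default.limits"

fd_budget_check "$demo/nginx.conf" "$demo/worker.limits" 20000
fd_budget_check "$demo/nginx.conf" "$demo/default.limits" 20000 || echo "(expected: directive not applied)"
# On a live host, point it at the real files, e.g.:
#   fd_budget_check /etc/nginx/nginx.conf /proc/$(pgrep -o -f 'nginx: worker')/limits 20000
```

The third check is the one that catches the limits.conf trap: if a worker still shows the 1024/4096 default after the change, the setting never reached the service, and the fix belongs in the systemd unit (or in worker_rlimit_nofile with a root master), not in /etc/security/limits.conf.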