Reverse Proxy Advanced Topics
[ 90 ]We will discuss these topics, as well as the remaining proxy module directives,
in the following sections:
- Security through separation
- Isolating application components for scalability
- Reverse proxy performance tuning
Security through separation
We can achieve a measure of security by separating out the point to which clients
connect to an application. This is one of the main reasons for using a reverse proxy in
an architecture. The client connects directly only to the machine running the reverse
proxy. This machine should therefore be secured well enough that an attacker cannot
find a point of entry.
Security is such a large topic that we will touch only briefly on the main points
to observe:
- Set up a firewall in front of the reverse proxy that only allows public access
to port 80 (and 443, if HTTPS connections should also be made) - Ensure that NGINX is running as an unprivileged user (typically www,
webservd, or www-data, depending on the operating system) - Encrypt traffic where you can to prevent eavesdropping
We will spend some time on this last point in the next section.
Encrypting traffic with SSL
NGINX is often used to terminate SSL connections, either because the upstream
server is not capable of using SSL or to offload the processing requirements of SSL
connections. This requires that your nginx binary was compiled with SSL support
(--with_http_ssl_module) and that you install an SSL certificate and key.
For details about how to generate your own SSL certificate,
please see the Using OpenSSL to generate an SSL certificate
tip in Chapter 3, Using the Mail Module.