From 3c46dfec0126def9c95fe699e96a7b4f55cdeb85 Mon Sep 17 00:00:00 2001
From: Chad
Date: Sun, 9 Jul 2023 16:02:47 -0700
Subject: [PATCH] Fixes for Reverse Proxy Go-Live (#6)

* Add new area for defining upstream systems.
* Example file for demonstration domain.
* Use the new upstream hosts section.
* Do the proxy directives in the main file.
* Commit any final changes.
* Fix example resource name.
* Mention the need to have ports specified in the upstream file, not server block.
* Adjust formatting.
---
 .gitignore | 1 +
 Config/ReverseProxy/Dockerfile | 6 +++++
 .../config/conf.d/proxy.example.com | 10 +++----
 Config/ReverseProxy/config/hosts/README.md | 3 +++
 Config/ReverseProxy/config/hosts/example.com | 8 ++++++
 Config/ReverseProxy/config/nginx.conf | 26 ++++++++++++++++++-
 6 files changed, 46 insertions(+), 8 deletions(-)
 create mode 100644 Config/ReverseProxy/config/hosts/README.md
 create mode 100644 Config/ReverseProxy/config/hosts/example.com

diff --git a/.gitignore b/.gitignore
index 26771be..3e7c551 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ logs/*
 # Ignore private reverse proxy configurations.
 Config/ReverseProxy/config/conf.d/*.*
 Config/ReverseProxy/config/html/*.*
+Config/ReverseProxy/config/hosts/*.*
 # Ignore MailServer Files
 Config/MailServer/setup.sh
diff --git a/Config/ReverseProxy/Dockerfile b/Config/ReverseProxy/Dockerfile
index 17da52d..22616af 100644
--- a/Config/ReverseProxy/Dockerfile
+++ b/Config/ReverseProxy/Dockerfile
@@ -18,3 +18,9 @@ RUN rm -rfv /etc/nginx/html
 # Add any static HTML websites.
 COPY ./config/html /etc/nginx/html
 RUN rm -rfv /etc/nginx/html/README*
+
+## Upstream Hosts ##
+RUN rm -rfv /etc/nginx/hosts
+COPY ./config/hosts /etc/nginx/hosts
+RUN rm -rfv /etc/nginx/hosts/README*
+
diff --git a/Config/ReverseProxy/config/conf.d/proxy.example.com b/Config/ReverseProxy/config/conf.d/proxy.example.com
index f232231..42c163b 100644
--- a/Config/ReverseProxy/config/conf.d/proxy.example.com
+++ b/Config/ReverseProxy/config/conf.d/proxy.example.com
@@ -38,13 +38,6 @@ server {
 # Send traffic to upstream server
 location / {
- proxy_set_header X-Forwarded-Proto https;
-
- # These cause "400 Bad Request Request Header Or Cookie Too Large"?
- #proxy_set_header Host $host;
- #proxy_set_header X-Real-IP $remote_addr;
- #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
 ## General format is PROTOCOL://SERVER:PORT. For example:
 #
 # If using a domain name:
@@ -53,6 +46,9 @@ server {
 # If using an IP address:
 #proxy_pass http://192.168.1.80:8080;
 #
+ # If using an upstream server:
+ #proxy_pass http://example-proxy-site;
+ #
 # If forwarding to an external source:
 #proxy_pass https://website.name;
 #
diff --git a/Config/ReverseProxy/config/hosts/README.md b/Config/ReverseProxy/config/hosts/README.md
new file mode 100644
index 0000000..a33da34
--- /dev/null
+++ b/Config/ReverseProxy/config/hosts/README.md
@@ -0,0 +1,3 @@
+# Upstream Host Configuration
+For systems which do not resolve well such as ignoring `/etc/hosts`.
+
diff --git a/Config/ReverseProxy/config/hosts/example.com b/Config/ReverseProxy/config/hosts/example.com
new file mode 100644
index 0000000..170de7e
--- /dev/null
+++ b/Config/ReverseProxy/config/hosts/example.com
@@ -0,0 +1,8 @@
+# Local servers for everything related to `example.com`.
+# If specific ports are needed they will go here instead of the `conf.d` file(s).
+
+upstream example-proxy-site {
+ #server 127.0.0.1:8080;
+ server hyperling.com;
+}
+
diff --git a/Config/ReverseProxy/config/nginx.conf b/Config/ReverseProxy/config/nginx.conf
index f74fe5b..9449e28 100644
--- a/Config/ReverseProxy/config/nginx.conf
+++ b/Config/ReverseProxy/config/nginx.conf
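Review bot: The example upstream in `config/hosts/example.com` leaves `server hyperling.com;` active and comments out the loopback entry, and the Dockerfile change in this commit strips only `README*` from `/etc/nginx/hosts`, so an image built from the repository as-is carries an upstream that points at a real external host. With no port given nginx uses port 80, so a site that enables the commented `proxy_pass http://example-proxy-site;` would forward requests to that host in cleartext, including the `Host`, client-address and authorization headers that nginx.conf now sets globally. nginx also resolves upstream host names when it loads the configuration and refuses to start if the lookup fails. I would make the placeholder the default, `server 127.0.0.1:8080;`, and keep the external name as the commented alternative.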
@@ -14,7 +14,7 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ log_format main '$remote_addr - $remote_user [$time_local] $host "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
@@ -27,6 +27,27 @@ http {
 #gzip on;
+ ## Proxy Settings ##
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header HTTP_AUTHORIZATION $http_authorization;
+ proxy_hide_header X-Powered-By;
+ proxy_intercept_errors on;
+ proxy_http_version 1.1;
+ # Proxy Buffer settings - See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size
+ proxy_buffer_size 4k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ # Timeouts, give up to 5 minutes for slow apps.
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 600;
+
 ## LetsEncrypt Certbot Setup ##
 # Allow nginx to fulfill LetsEncrypt Certbot challenges.
 server {
@@ -35,6 +56,9 @@ http {
 }
 }
+ ## Upstream Configuration ##
+ include /etc/nginx/hosts/*;
+
 ## Reverse Proxied Website Configurations ##
 include /etc/nginx/conf.d/*;
 }
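Review bot: In the `log_format main` hunk of nginx.conf, `$host` is inserted in the middle of the line, which shifts every later field; any log parser or alerting rule written against the previous layout (none is visible in this diff) would need updating, and appending the field at the end avoids that. `$host` can be taken from the request's Host header, so quoting it like the other client-supplied fields, `"$host"`, keeps the line unambiguous to parse. The `http` block this directive sits in starts and ends outside the hunk.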
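Review bot: In the "Proxy Settings" hunk of nginx.conf, `proxy_set_header HTTP_AUTHORIZATION $http_authorization;` sends the client's credentials to every upstream a second time under a non-standard header name; nginx already passes `Authorization` through unchanged, and upstream logging or redaction keyed on `Authorization` will likely not cover the copy, so I would drop the line unless a specific backend is known to need it. nginx inherits `proxy_set_header` from the `http` level only when the lower level defines none, so a comment such as `# Any proxy_set_header in a server/location block replaces this whole set` would keep the private conf.d files from silently losing these headers. The timeout comment says 5 minutes but all four values are 600 seconds, and the nginx documentation notes that `proxy_connect_timeout` cannot usually exceed 75 seconds. Long `send_timeout` and `proxy_read_timeout` values also let slow peers hold connections open, so confirm that 600 is intended and correct the comment either way. The enclosing `http` block starts outside the hunk.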