NGINX and Reverse Proxy

Mr Shark recently wrote a comment which I believe warrants its own blog entry, so see below (update August 7, 2019).

Despite still showing Apache in “the script”, I have replaced Apache with Nginx with success and so has Mr Shark (Antonio), so feel free to use this separate script (always make backups first) if you are interested in the change to Nginx…
https://gist.github.com/fragolinux/7229c1785652e4598d0bb61e50aa9093

And as Nginx is apparently great as a reverse proxy, too, Antonio has reverse proxied Grafana, Chronograf and Nodered, as well as the Nodered UI, using Nginx. Read the comments in his script below for more info:
https://gist.github.com/fragolinux/2f66b6ca9396330a9063a05c38108939

This way anyone using “The Script” to set up Grafana, Node Red and perhaps Chronograf can have the following changes:

Grafana moved from ip:3000 to ip/grafana
Nodered and its dashboard moved from ip:1880 to ip/nodered and ip/ui
Chronograf moved from ip:8888 to ip/chronograf

If you change the Nginx default port, all the above will change accordingly (example: web on http://ip:81 then Nodered on http://ip:81/nodered).

Antonio has tried the above with no issues so far; please test and report back to Antonio, thanks. I’m still mulling over the point of the reverse proxy if you change the default port for NGINX, though at least you now specify only one port.

45 thoughts on “NGINX and Reverse Proxy”

  1. By false or true the reverseproxy entry

    192.168.178.97/grafana result was this

    hope this helps maybe I should use chrome not firefox

    or maybe clear cache at exit

    regards Brian

  2. hello Mr Shark

    All was ok till I cleared firefox stored cookies, site data, and cache.

    I immediately had grafana login problem again when using Pete’s utility

    to access it see grafana1_Pete utility false ( sub_path false)

    1. you don’t have to use Pete’s index file if you want to point to reverse proxied services, or you need to correct it to point to the new urls, i thought that was implied… if you’re using subpath, that file still points to standard url, which has no subpath, hence the error… point to new urls directly, or modify that file, you choose 🙂

  3. Hello Mr Shark

    I did another test taking out my change

    serve_from_sub_path = true

    and entering it as before

    serve_from_sub_path = false

    It made to change that is I am getting the login correct

    so Sorry the serve can not have been my the problem.

    The sub_path login is working whether I have false or true

    I don’t know what was causing my problem it appears to be cured.

    I was at the time also trying to get my static directory to work in reverseproxy

    regards Brian

  4. Hello Mr Shark

    update report

    On further testing

    was getting problems with grafana reverse proxy and local login

    This is in on virgin Buster on pi4 with Pete’s script

    To get # grafana, from ip:3000 to ip/grafana

    In /etc/grafana/grafana.ini

    Change line after root url
    # The full public facing url you use in browser, used for redirects and emails
    # If you use reverse proxy and sub path specify full url (with sub path)

    root_url = http://localhost:3000/grafana/

    # Serve Grafana from subpath specified in `root_url` setting. By default it is $false

    #******* I had to Set this to true to get http://localhost/grafana/login ********
    serve_from_sub_path = true

    In /etc/nginx/sites-enabled/default
    location /grafana/ {
    proxy_pass http://localhost:3000/;
    }

    Grafana now to local login as

    http://localhost:3000/

    This gives http://localhost:3000/grafana/login *****ok works

    http://localhost/grafana/

    This gives http://localhost/grafana/login ************ok works

    both working

    I’ve had no success with the static problem.

    regards Brian

  5. hello Mr Shark

    feedback php pear

    used this one

    Package php-pear

    buster (stable) (php): PEAR Base System
    1:1.10.6+submodules+notgz-1.1: all

    installed no problems

    Thanks once more

    regards Brian

  6. hello Mr Shark

    this line was in js.settings

    httpStatic: '/home/pi/.node-red/public',

    it was there I’d forgotten otherwise it would not have shown gauges via Pete’s utilities I will try googling and also playing with the reverse proxy files
    with regards to static directories.

    regards Brian

  7. Hello Mr Shark

    yes sorry I had forgotten to change this as this is a completely new version

    original busterlite and it has been a year or two that my stretch was always cloned.

    Thank you I’m an idiot!

    regards Brian

  8. Hello Mr Shark

    Sorry to be such a pain

    I’ve just instigated reverse proxy and have a funny!!!

    entering nodered ui from Pete’s utilities works perfectly

    entering ip/ui appears to be okay until you notice all gauges from my public directory and darksky pics are not displayed see jpgs attached my public directory is as set up by Pete
    1)
    Address changes to this on Pete’s utility input
    http://192.168.178.97:1880/ui/#!/4?socketid=8S0FdNGtuuDL927eAAAG
    2)
    Address changes to this on ui input
    http://192.168.178.97/ui/#!/4?socketid=TRl-BT2xtv_DHu2OAAAF

    all normal gauges from palette are displayed as normal

    1. oh, i think it’s the “httpStatic” option in settings.js which needs to be altered… don’t have time now but you can try to play with this line or adding it someway to nginx proxy, too… try a little google and let me know, otherwise i’ll try to look at that in next weekend…

      file: .node-red/settings.js

      search for something like:
      httpStatic: '/home/pi/.node-red/public'

      that folder should contain all your static file as addon js files, icons, etc

  9. Hello Mr Shark

    can I use this to install Pear was on github Pear site

    install-pear-nozlib.phar installs PEAR automatically without asking anything. It is shipped with PHP itself.

    or should I use this one

    Package php-pear

    buster (stable) (php): PEAR Base System
    1:1.10.6+submodules+notgz-1.1: all

    as in your suggestion

    regards Brian

  10. hello Mr Shark

    I ran script without PEAR

    I changed line 3 and also took out PEAR run line which couldn’t be found

    as I had read that it’s now included in 7.3, but I can’t find where I read it
    so maybe you can check this as I have not a clue where to look. I can only say your script worked and nginx is perfect for what I want will now implement the reverse proxy
    Thanks for everything

    regards Brian

  11. Hello Mr Shark

    line1 and 2 run

    sudo apt-get -y remove --purge *apache* *php*

    sudo apt-get -y autoremove

    Okokok

    line 3 with change

    sudo apt-get -y install nginx sqlite3 php php-{common,cli,fpm,json,zip,gd,mbstring,curl,xml,pear,bcmath,sqlite}

    now gives

    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Package php-sqlite is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source

    E: Package ‘php-sqlite’ has no installation candidate

    I changed line 3 and also took out pear run line which couldn’t be found

    line 3 run

    sudo apt-get -y install nginx sqlite3 php php7.3-{common,cli,fpm,json,zip,gd,mbstring,curl,xml,bcmath,sqlite3}

    Reading package lists… Done
    Building dependency tree
    Reading state information… Done

    …………………………
    ………………………….lots more
    …………………………….

    Creating config file /etc/php/7.3/cli/php.ini with new version
    Setting up php7.3-fpm (7.3.4-2) …

    Creating config file /etc/php/7.3/fpm/php.ini with new version
    Created symlink /etc/systemd/system/multi-user.target.wants/php7.3-fpm.service → /lib/systemd/system/php7.3-fpm.service.
    Setting up nginx (1.14.2-2) …
    Setting up php7.3 (7.3.4-2) …
    Setting up php (2:7.3+69) …
    Processing triggers for systemd (241-5+rpi1) …
    Processing triggers for man-db (2.8.5-2) …
    Processing triggers for libc-bin (2.28-10+rpi1) …

    line 4 to 9 no changes

    sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak

    sudo sed -i -e 's/index index.html/index index.php index.html/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e 's/#location ~ \\.php$ {/location ~ \\.php$ {/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e 's/#.*include snippets/ include snippets/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e 's/#.*fastcgi_pass unix/ fastcgi_pass unix/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e '63s/#}/}/' /etc/nginx/sites-enabled/default

    bak file now made in sites-available

    in sites-enabled default file has correct entries

    # Self signed certs generated by the ssl-cert package
    # Don’t use them in a production server!
    #
    include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    #
    # # With php-fpm (or other unix sockets):
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    # # With php-cgi (or other tcp sockets):
    # fastcgi_pass 127.0.0.1:9000;
    }

    lines 10 to end

    sudo nginx -t

    sudo systemctl restart nginx php7.3-fpm
    pi@raspberrypi:~ $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    pi@raspberrypi:~ $
    pi@raspberrypi:~ $ sudo systemctl restart nginx php7.3-fpm

    put test screen in www and call it works see jpg

    hope this helps

    regards Brian

    1. php package should be a meta package pointing to the correct version, 7.0 on stretch, 7.3 on buster… it’s not working, then… ok, i’ll specify the correct version directly, then thanks

  12. Hello Mr Shark

    I set up new card to update my system

    sorry but the nginx script problem is repeatable. I took a new copy of busterlite

    added Pete’s script nothing else no flows only raspi-config local parameters.

    Ran the script for nginx. Did not purge all directories if files within.

    Script stopped after purge.

    So I reran from line 5 again . No index.php in default file.

    Sqlite gives forbidden all as my first report

    I enter by hand index.php
    I enter by hand fastcgi pass unix:/run/php/php7.3-fpm.sock;

    and test
    pi@rpi4buster:~ $ sudo nginx -t
    nginx: [emerg] “fastcgi_pass” directive is not allowed here in /etc/nginx/sites-enabled/default:60
    nginx: configuration file /etc/nginx/nginx.conf test failed
    I # the line fastcgi
    Then run script from line 7
    test
    pi@rpi4buster:~ $ sudo nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    pi@rpi4buster:~ $

    in the default file is now

    #
    include snippets/snakeoil.conf;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;
    server_name _;
    location / {
    # First attempt to serve request as file, then
    # as directory, then fall back to displaying a 404.
    try_files $uri $uri/ =404;
    }
    # pass PHP scripts to FastCGI server
    #
    location ~ \.php$ {
    include snippets/fastcgi-php.conf;
    #
    # # With php-fpm (or other unix sockets):
    fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    # # With php-cgi (or other tcp sockets):
    # fastcgi_pass 127.0.0.1:9000;
    }

    The index.php written by me.
    The fastcgi —– now enabled which I had # out

    At no time was a bak file made by the script

    Tested webmin ok
    node-red control panel ok no flows entered
    node.red ui ok no flows
    Grafana ok
    Chronograf ok
    Ha bridge ok
    SQLite gives *
    There was a problem setting up your database, /home/pi/dbs/esp8266.db. An attempt will be made to find out what’s going on so you can fix the problem more easily.

    Checking supported SQLite PHP extensions…

    PDO: installed
    PDO SQLite Driver: not installed
    SQLite3: not installed
    SQLiteDatabase: not installed

    …done.

    It appears that your database is of SQLite version 3 but your installation of PHP does not contain the necessary extensions to handle this version. To fix the problem, either delete the database and allow phpLiteAdmin to create it automatically or recreate it manually as SQLite version 2.

    See https://bitbucket.org/phpliteadmin/public/wiki/Installation for help.

    Nearly same as I reported before. Except the sqlite info.
    System info ok on my 1st report was forbidden 403

    This test running script on virgin busterlite with Pete’s script which ran fault free the only entry by me.

    The original sd I tested is still running all ok except sqlite which now refuses my password, At the beginning it had accepted it.

    regards Brian

    1. sqlite problems are pdo related, have to take a look on an actual rpi, as i tested everything on a buster virtual machine, but had reports it worked on rpi too… have to test again, once i’ve decent connectivity…

  13. Hello Mr Shark

    Thank you correct php was missing I reran lines from 5 onwards. Now have all working and index.php is in the default file, I still don’t know why this occurred
    I have rerun the install lines at least 3 times, maybe it’s my copypaste malfunctioning?

    Will now change my running system Pete’s script + go + sonoffs + some of my own to nginx

    regards from a still sunny and very dry (not in the “Alt Stadt”) Düsseldorf

  14. Hello Mr Shark

    looking at this location
    sudo sed -i -e 's/index index.html/index index.php index.html/g' /etc/nginx/sites-enabled/default

    Doesn’t look like script wrote to this file here is what I have in this file

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    I can’t get a reaction for php no index.php

    will check further

    regards Brian

  15. Hello Mr Shark

    here’s what’s running

    pi@rpi4buster:~ $ sudo netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:9001 0.0.0.0:* LISTEN 533/mosquitto
    tcp 0 0 0.0.0.0:5900 0.0.0.0:* LISTEN 534/vncserver-x11-c
    tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 645/perl
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 565/nginx: master p
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 433/pure-ftpd (SERV
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 545/sshd
    tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 327/cupsd
    tcp 0 0 127.0.0.1:8088 0.0.0.0:* LISTEN 530/influxd
    tcp 0 0 0.0.0.0:1880 0.0.0.0:* LISTEN 321/node-red
    tcp 0 0 0.0.0.0:1883 0.0.0.0:* LISTEN 533/mosquitto
    tcp6 0 0 :::5900 :::* LISTEN 534/vncserver-x11-c
    tcp6 0 0 :::80 :::* LISTEN 565/nginx: master p
    tcp6 0 0 :::21 :::* LISTEN 433/pure-ftpd (SERV
    tcp6 0 0 :::8086 :::* LISTEN 530/influxd
    tcp6 0 0 :::22 :::* LISTEN 545/sshd
    tcp6 0 0 ::1:631 :::* LISTEN 327/cupsd
    tcp6 0 0 :::8888 :::* LISTEN 532/chronograf
    tcp6 0 0 :::3000 :::* LISTEN 531/grafana-server
    tcp6 0 0 :::1883 :::* LISTEN 533/mosquitto
    pi@rpi4buster:~ $

    will look at your other suggestions

    regards Brian
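
Added example, not part of the original comment or of Antonio's script: the listing above shows Grafana (3000), Node-RED (1880) and Chronograf (8888) listening on all interfaces, so unless a firewall blocks those ports they stay reachable at ip:port even once Nginx proxies them. This check flags such listeners in `netstat -lntp` output; the function names `exposed_backends` and `audit_backends` and the embedded sample are constructed for illustration.

```sh
#!/bin/sh
# Added example: report reverse-proxied backends that still listen on every
# interface. Ports are the ones named in the post.
BACKEND_PORTS="3000 1880 8888"   # Grafana, Node-RED, Chronograf

# Constructed sample in `netstat -lntp` format. Node-RED and Chronograf are
# bound as in the listing above; Grafana is shown loopback-only for contrast.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 565/nginx: master p
tcp 0 0 0.0.0.0:1880 0.0.0.0:* LISTEN 321/node-red
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 531/grafana-server
tcp 0 0 127.0.0.1:8088 0.0.0.0:* LISTEN 530/influxd
tcp6 0 0 :::8888 :::* LISTEN 532/chronograf'

# exposed_backends: reads netstat -lntp output on stdin and prints
# "port bind-address program" for each backend port not bound to loopback.
exposed_backends() {
    awk -v ports="$BACKEND_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)   # bind address without port
            if (!(port in want)) next              # not a proxied backend
            if (host ~ /^127\./ || host == "::1") next   # loopback only: fine
            prog = $7; sub(/^[0-9]+\//, "", prog)  # drop the PID prefix
            print port, host, prog
        }'
}

# Exit status 1 when anything is exposed, so the check can gate a setup script.
audit_backends() {
    found=$(exposed_backends)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo on the constructed sample; on a real host use:
#   sudo netstat -lntp | audit_backends
printf '%s\n' "$SAMPLE" | audit_backends || echo "backends reachable without the proxy"
```

A flagged line means that service still answers directly on its own port; binding it to 127.0.0.1 (for example Grafana's `http_addr` or Node-RED's `uiHost`) or firewalling the port leaves Nginx as the only entry point.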

  16. Hello Mr Shark

    Nginx script update

    a new sandisk 32gb uhs-1 with latest busterlite virgin Pete’s script

    with webmin,sqlite,grafana and infoflux without office and the maths prog

    These all working . Added my flows via import json

    All working.

    ran your new script via copy to putty

    script ran and purged apache and php.

    but did not carry on to install nginx.

    I then recopied from script to putty the install part again

    sudo apt-get -y install nginx php php-{common,cli,fpm,json,zip,gd,mbstring,curl,xml,pear,bcmath}

    sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak

    sudo sed -i -e 's/index index.html/index index.php index.html/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e 's/#location ~ \\.php$ {/location ~ \\.php$ {/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e 's/#.*include snippets/ include snippets/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e 's/#.*fastcgi_pass unix/ fastcgi_pass unix/g' /etc/nginx/sites-enabled/default

    sudo sed -i -e '63s/#}/}/' /etc/nginx/sites-enabled/default

    sudo nginx -t

    sudo systemctl restart nginx php7.3-fpm

    This ran and installed nginx.

    From Pete’s utility web

    webmin works
    Nodered control panel works
    Nodered ui desktop works
    grafana works
    chronograf works
    SQLite gives 403 forbidden
    phpsysinfo gives 403 forbidden
    fing is working

    So all addresses that are direct ip and port work
    Addresses that have ip but no port only name give forbidden.

    I have not looked yet why this is, just to let you know Nginx appears to be working,
    but I still have apache directory in etc which I will remove as you suggested (it contains 2 files). The purge did not remove all

    Will investigate further

    Once again a BIG thank you for the info and speed of your response

    regards Brian

    1. check if php is working, try adding a basic phpinfo page in your /var/www/html (search the net, i can’t add in comments), peter had similar issues and was because he had php 7.0 sock file instead of 7.3 in his nginx config

      check with
      sudo netstat -lntp
      what’s running and on which port, and share it
      check nginx logs under /var/log/nginx

  17. hello Mr Shark

    thanks for all your useful infos

    I have a problem with your script for using nginx and removing apache

    I have busterlite running with script from pete no problems.
    I run your script apache and php are removed, but I get on install of nginx a problem with php
    which one should install?
    The removal of apache also removed the php 7.3
    installed by pete’s script

    here is what I get which one do I need?

    sudo apt-get -y install nginx php php-{common,cli,fpm,json,pdo,zip,gd,mbstring,curl,xml,pear,bcmath}
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Package php-pdo is a virtual package provided by:
    php7.3-common 7.3.4-2
    php7.2-common 7.2.9-1+b2
    php7.1-common 7.1.20-1+b2
    You should explicitly select one to install.

    E: Package ‘php-pdo’ has no installation candidate
    pi@rpi4buster:~ $ sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
    cp: cannot stat ‘/etc/nginx/sites-available/default’: No such file or directory
    pi@rpi4buster:~ $ sudo sed -i -e 's/index index.html/index index.php index.html/g' /etc/nginx/sites-enabled/default

    regards Brian

    1. pete had same problems last weekend, don’t know what happened from when i published script, as i had good working reports about it, too, in comments above, and i personally tested various time on buster (in a vm, though, not on any rpi)…
      anyway, i’m updating script, try this new version (same url as before)

      https://gist.github.com/fragolinux/7229c1785652e4598d0bb61e50aa9093

      i removed php-pdo and fully remove all apache and php stuff… php stuff is reinstalled soon after, in a clean state

        1. no, i just added what we did last weekend to solve your problems, hope not forgetting anything we did on skype…

          for Brian Gentles: if this is not enough, remove or move elsewhere every apache/php/nginx folder you have in /etc then relaunch that script to have them clean as just installed… Pete had some remainings of php 7.0, for example, as he upgraded from stretch to buster…

      1. It could be worth a look but to be honest it barely scratches the surface of what can be done with nginx. From reverse proxying to content caching to load balancing, nginx is truly fabulous.

  18. Works a treat, thank you for sharing! I was using this to access nodered from outside through SSL but couldn’t get the proxy config nailed down correctly for the nodered admin and Grafana… Perfect now!

  19. thanks for the blog entry, Pete 🙂
    to be clearer: with nodered on port 81 in last sentences, i mean, a reverse proxy “masks” the ports of underlying “proxied” services and exposes only its own, default 80… so every local service proxied is served as it was a sub-url of the default site…

    if you move default webserver port from 80, you have to add that to the url, then, so, if you move to port 81, if nodered “proxied” was before at http://ip/nodered now it’s on http://ip:81/nodered but nothing else needs to be changed in both nginx and nodered configs, just default port of nginx… this to help you and whomever uses Alexa which insists in using port 80 for its own “female” businesses 😀

    but i plan to reverse proxy even alexa, so you’ll have all on port 80, ALL, but need to test to see if it’s possible, i think yes

    1. And, of course, you can now (always assuming that you have control over your own firewall) use the magic of NAT, port-forwarding, the reverse proxy and letsencrypt to put your ESP8266 on the internet with a genuine, browser-recognized certificate.

      That means not only being able to have an SSL/TLS encrypted web site (although I’ve never really seen the point of that on an ESP, other than novelty value), but also to enable encrypted communication with your internal ESPs from the internet. With a reverse proxy like nginx (or Pound), you can do pattern matching on the incoming request and then forward it to whichever of your internal machines should handle it. So a request coming in on port 443 to switch on the porch lights is decrypted by nginx and sent to the ESP8266 which handles that triac/relay in plain text.

      Great stuff!

      1. exactly, all of that, too 🙂
        a reverse proxy is like NAT for webservices, so you can expose other local lan http servers using the same proxy 🙂

        i didn’t add the ssl part as i think that coming in in vpn is more secure than exposing the web server, and all the underlying services thanks to reversing them…

        but who wants can easily add letsencrypt, which has an automatic setup/install/renewal script for both apache and nginx

        or you can easily install docker and this proxy manager which is excellent… no need to use docker for anything else if you’re scared, but it’s a little step 😉
        https://nginxproxymanager.jc21.com/
