Reverse Proxy for Nginx with Kemp VLM

Tutorial on how to configure Reverse Proxy for Nginx with Kemp VLM

Components used in this lab

  1. 1 x Ubuntu 20.04 with Nginx 1.17 installed (192.168.1.234/24)
  2. 1 x Kemp VLM Free Edition (192.168.1.222/24)

Steps to Configure Reverse Proxy for Nginx with Kemp VLM in Same Segment

Download and Import Nginx Template

  1. Download the Nginx Template File from the Kemp Documentation Page

  2. Go to Virtual Services – Management Templates and click Choose File to upload the downloaded Nginx Template File. Click Add New Template to continue

  3. The Nginx Template Files are added successfully

Enable Subnet Originating Requests (SOR) – Optional

It is best practice to enable the Subnet Originating Requests option globally.

In a one-armed setup (where the Virtual Service and Real Servers are on the same network/subnet) Subnet Originating Requests is usually not needed. However, enabling Subnet Originating Requests should not affect the routing in a one-armed setup.

Refer to my post How to Two-Arm Deployment with Kemp VLM with SOR Enabled

Public SSL Certificate

Import the Let’s Encrypt wildcard SSL certificate by following Initial Configuration of KEMP LoadMaster VM

Go to Certificate & Security – Remote Access and change the Web Administrative Access Port from the default 443 to 4430, because the Interface IP Address (192.168.1.222) of the Kemp VLM will be used to publish the Nginx server on port 443

Virtual Services (VS) and Real Server

  1. Go to Virtual Services – Add New and create a VS using the IP Address of the Kemp DMZ Interface (192.168.1.222) with the Nginx HTTPS Template

  2. Click Modify to add the SSL Certificate and Real Server

  3. Expand SSL Properties and set:
    • SSL Acceleration = Enabled
    • Uncheck TLS1.1
    • Select the uploaded SSL Certificate and click Set Certificate to apply the change
    • Cipher Set = Best Practices
    • Strict Transport Security Header = Add the Strict Transport Security Header – No Subdomains

  4. Expand Real Servers and click Add New

  5. Expand Advanced Properties and configure Add HTTP Header = X-Forwarded-For (No Via)

The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through a load balancer

  6. Enter the Virtual Address and select the Nginx HTTPS template. Click Add this Virtual Service to save the changes

  7. Users will see the output below when they access https://uat.aventislab.com

Access Log in Nginx

Verify that --with-http_realip_module is enabled in Nginx

kwyong@ubuntu:~$ sudo nginx -V
[sudo] password for kwyong:
nginx version: nginx/1.17.10 (Ubuntu)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: 
--with-http_realip_module 

Add the following to the http block of /etc/nginx/nginx.conf

Replace the IP Address in set_real_ip_from with the Load Balancer IP

# Directives for setting real_ip/XFF IP address in log files
set_real_ip_from    192.168.1.222;
real_ip_header      X-Forwarded-For;

Restart Nginx Service

kwyong@ubuntu:~$ sudo systemctl restart nginx

Verify that the source client IP address is shown in the Nginx access log

kwyong@ubuntu:~$ sudo tail -n 10 -f /var/log/nginx/access.log

219.92.18.37 - - [25/Apr/2020:17:37:49 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.92 Safari/537.36 Edg/81.0.416.53"

202.171.36.2 - - [25/Apr/2020:17:39:13 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64"

Refer to NGINX and X-Forwarded-For Header (XFF) for more detailed information
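The two directives above only take effect for connections that arrive from the address in set_real_ip_from, and the access log is the quickest place to see whether that is happening. The following is an added example (not code from the original post or from Kemp/Nginx) that mirrors the realip module's decision in resolve_client_ip() and scans combined-format access log lines for entries whose logged client is still the load balancer, which means the real_ip directives are not in effect. The load balancer address 192.168.1.222 is the one used in this lab; the log lines embedded below are constructed samples.

```python
"""Added example: check that the XFF/real_ip setup is actually in effect."""
import ipaddress
import re

LOAD_BALANCER_IP = "192.168.1.222"  # Kemp VLM address from this lab

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the middle line shows the load balancer itself as the
# client, which is what the log looks like when real_ip is NOT applied.
SAMPLE_LOG = """\
219.92.18.37 - - [25/Apr/2020:17:37:49 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.168.1.222 - - [25/Apr/2020:17:38:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.68.0"
202.171.36.2 - - [25/Apr/2020:17:39:13 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""


def resolve_client_ip(remote_addr, xff_header, trusted_cidrs):
    """Return the client IP the realip module would use (non-recursive mode).

    The X-Forwarded-For value is only honoured when the TCP peer is inside one
    of the set_real_ip_from networks; then the last address in the header (the
    one appended by the trusted proxy) is used. For an untrusted peer the
    header is ignored, so a direct client cannot choose its own logged address.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = any(peer in ipaddress.ip_network(c, strict=False) for c in trusted_cidrs)
    if not trusted or not xff_header:
        return remote_addr
    candidates = [p.strip() for p in xff_header.split(",") if p.strip()]
    try:
        ipaddress.ip_address(candidates[-1])
    except (ValueError, IndexError):
        return remote_addr  # malformed header value: keep the peer address
    return candidates[-1]


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = int(entry["bytes"])
    return entry


def find_proxy_ip_entries(log_text, proxy_ip=LOAD_BALANCER_IP):
    """Return parsed entries whose logged client is the proxy itself."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_access_line(line)
        if entry and entry["client"] == proxy_ip:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in find_proxy_ip_entries(SAMPLE_LOG):
        print("real_ip not applied:", e["time"], e["request"])
```

To run it against the real log, replace SAMPLE_LOG with the contents of /var/log/nginx/access.log; any hit means a request was logged with the load balancer's address rather than the client's. The trusted-peer check in resolve_client_ip() is the reason set_real_ip_from must list only the load balancer: widening it to a whole subnet lets every host on that subnet write an arbitrary client address into the log.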

Enable HTTP/2 Support

Understand more about HTTP/2 by going through What is HTTP/2 – The Ultimate Guide

Expand Advanced Properties and Enable HTTP/2 Stack

Verify HTTP/2 is enabled via https://http2.pro/

A+ Result in Qualys SSL Labs

Refer to the checklist below to obtain an A+ result in Qualys SSL Labs

  • The publicly signed SSL Certificate and Intermediate Certificate are imported to Kemp
  • TLS 1.1 is disabled
  • Cipher Set = Best Practices
  • Strict Transport Security Header = Add the Strict Transport Security Header – No Subdomains
  • HTTP Strict Transport Security (HSTS) – Refer to this link to understand more

If you had enabled HSTS on your site, however, and this user had visited your site before, the browser would remember that it should go back to HTTPS. As the fake site does not have an SSL certificate, the user can’t visit it and will be safe.

Enable HSTS in Kemp VLM

Go to Rules & Checking – Content Rules to create a new Rule

  • Rule Name = HSTS
  • Rule Type = Add Header
  • Header Field to be Added = Strict-Transport-Security
  • Value of Header Field to be Added = max-age=31536000 (1 year)

Expand the Advanced Properties of VS, and click on Show Header Rules

Go to Response Rules and add the newly created HSTS Rule

Perform an SSL test via https://www.ssllabs.com/ssltest/ and it should now show an A+ result as below
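The response rule above sends Strict-Transport-Security: max-age=31536000 on every HTTPS response, and the browser behaviour described earlier (remembering to go back to HTTPS) is what that header buys. The following is an added example, not code from the original post or from Kemp, that validates a header value against the settings used here (a one-year max-age, No Subdomains) and models a browser's HSTS store so the expiry and subdomain rules can be checked offline. The host name uat.aventislab.com is the one published in this tutorial; the header values and timestamps are constructed samples.

```python
"""Added example: validate an HSTS header value and model the browser-side policy."""

ONE_YEAR = 31536000  # max-age value used in the Kemp content rule above


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into its directives.

    Returns {'max_age': int|None, 'include_subdomains': bool, 'preload': bool,
    'errors': [...]}. Unknown directives are ignored, as RFC 6797 requires.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False, "errors": []}
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        if name in seen:
            result["errors"].append(f"duplicate directive {name}")
            continue
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                result["errors"].append("max-age is not a non-negative integer")
            else:
                result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None and not any("max-age" in e for e in result["errors"]):
        result["errors"].append("max-age directive missing")
    return result


def check_hsts(header_value, min_age=ONE_YEAR):
    """Return (ok, findings) for a header value against the one-year baseline."""
    parsed = parse_hsts(header_value)
    findings = list(parsed["errors"])
    if parsed["max_age"] is not None and parsed["max_age"] < min_age:
        findings.append(f"max-age {parsed['max_age']} is below {min_age}")
    return (not findings, findings)


class HstsCache:
    """Simplified browser 'known HSTS hosts' store (no preload list)."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def observe(self, host, header_value, over_tls, now):
        """Record a policy; headers seen over plain HTTP are ignored (RFC 6797 s8.1)."""
        if not over_tls:
            return
        parsed = parse_hsts(header_value)
        if parsed["max_age"] is None:
            return
        if parsed["max_age"] == 0:
            self._hosts.pop(host.lower(), None)  # max-age=0 withdraws the policy
            return
        self._hosts[host.lower()] = (now + parsed["max_age"], parsed["include_subdomains"])

    def must_use_https(self, host, now):
        """True if an http:// navigation to host would be upgraded to https://."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if not entry:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue  # policy expired: fall through to parent domains
            if i == 0 or include_sub:
                return True
        return False


if __name__ == "__main__":
    print(check_hsts("max-age=31536000"))
    cache = HstsCache()
    cache.observe("uat.aventislab.com", "max-age=31536000", over_tls=True, now=0)
    print(cache.must_use_https("uat.aventislab.com", now=10))
```

With the No Subdomains choice made earlier, the policy applies to uat.aventislab.com only; must_use_https() returns False for hosts beneath it, which is the expected result for that setting. The check_hsts() findings list is a convenient thing to assert on in a post-deployment test, since a typo in the Kemp rule value (for example a max-age below one year) silently costs the A+ grade.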
