Category Archives: Howto Tutorials (EN)

Knowledge Network for Tutorials, Howto’s, Workaround, DevOps Code for Professionals.

NGINX Reverse Proxy on Debian

NGINX used as a reverse proxy on Debian Linux

The NGINX web server software is developed in C by Igor Sysoev and is released under the BSD license. NGINX is used as a web server, reverse proxy, load balancer and HTTP cache.

Due to its small size and reverse proxy functionality, NGINX is also popular for obscuring the true address of botnet commnd and control servers.

Which in turn can also be used in companies and organizations to primarily disguise unsafe Microsoft Windows servers in order to protect against possible weak points.

Install Nginx on Debian Linux

$ apt install nginx certbot python3-certbot-nginx -y

First, we can disable the default virtual host that is pre-configured when Nginx is installed.

$ unlink /etc/nginx/sites-enabled/default

We can edit nginx.conf file in order to configure the NGINX server to act as a reverse proxy here on Debian 12 (bookworm).

we can set worker_processes count based on the number of cores allocating for worker processers. Also, set worker_connections as the number of connections concurrently handled by one processor.

Create the Nginx Reverse Proxy

After disabling the virtual host, we need to create a file called example.domain.com within the /etc/nginx/sites-available directory to keep reverse proxy information.

This is done as follows by creating a file using the vi editor:

$ vi /etc/nginx/sites-available/example.domain.com

Let’s say example.domain.com is a service behind the NGINX proxy with endpoint port 80.

In the file, we need to paste in these content:

server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.domain.com;
    server_tokens off;
    access_log /var/log/nginx/reverse_access.log;
    error_log /var/log/nginx/reverse_error.log;

    location / {
        proxy_pass http://203.0.113.10:80/;
        include proxy_params;
        try_files $uri $uri/ =404;
        proxy_redirect off;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca.crt;
    }
}

Once completed, simply save the file and exit the vi editor by hit :wq

In the above command, the considerable point is the proxy_pass is allowing the requests coming through the Nginx reverse proxy to pass along to 203.0.113.10:80, which is the remote server where to pass.

Now, activate the directives by linking to /sites-enabled/ using the following command:

$ ln -s /etc/nginx/sites-available/example.domain.com /etc/nginx/sites-enabled/

Test Nginx Reverse Proxy configuration

Lastly, we need to run an Nginx configuration test and restart Nginx to check its performance. Type the below command to verify the Nginx functioning on the Linux terminal:

$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If the above result is displayed, we can now restart Nginx:

$ systemctl restart nginx

To check whether the Nginx service is listening on port 80, the following command can be executed:

$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address     State     PID/Program name
tcp      0    0 0.0.0.0:80          0.0.0.0:*           LISTEN    3706/nginx: master
tcp      0    0 0.0.0.0:22          0.0.0.0:*           LISTEN    681/sshd: /usr/sbin
tcp6     0    0 :::22               :::*                LISTEN    681/sshd: /usr/sbin
tcp6     0    0 :::80               :::*                LISTEN    3706/nginx: master

Content Security Policy (CSP) comes with a whole range of parameters that can be used to fine-tune browser behavior, find here.

Conclusion

NGINX is a powerful web server software used by several hosting companies mainly as reverse proxy or cache and load balancer. It was designed to handle a high volume of requests simultaneously. Therefore, it offers faster loading times and better performance than most other web servers.

Additionally, NGINX uses fewer system resources than other web server software. This feature makes it a cost-effective solution. It is also compatible with a wide range of web applications.

NGINX Reverse Proxy on Debian

NGINX server provides security to backend servers that exist in the private network by hiding their identity. The backend servers are unknown to the client that are making requests. it also provides a single point of access to multiple backend servers regardless of the backend network topology.

OpenVPN Connection fails on iOS and Android

Here my experience using OpenVPN connection on iOS and Android mobile device. When you try to start a connection with the OpenVPN Connect App.

When you try to start a connection with OpenVPN Connect on your iOS or Android device, the VPN connection is established but no network resources can be reached, also you may find the error message in the OpenVPN server log;

Bad compression stub (swap) decompression header

Error openvpn_server1 user1/10.11.0.2:38767 Bad compression stub (swap) decompression header byte: 250

How to solve this issue, it comes to works perfectly with add options in the OpenVPN server configuration. I use here a Synology NAS and an OPNsense as a VPN server in this experience report.

allow-compression no
push "compress migrate"

This completely deactivates full and asymmetric compression, which is useful for functionality and secure communication with OpenVPN mobile clients. These finding can give valuable hints to make your users happy.

Note. The options are used to provision the OpenVPN clients, existing clients can continue to make VPN connections, the settings do not have to be changed manually.

How do I know that no compression is in use?

You will find the statistics of the OpenVPN connection in the log file. This way you can also see the state of the compression, like in the screenshots below.

OpenVPN Connection to Synology NAS

I have an OpenVPN server package installed on my Synology NAS, and the OpenVPN client on my iPhone 15 (iOS 17.3.1) is able to connect to it over a cellular connection. FileBrowserGO is then able to connect to the Synology using the OpenVPN Server’s LAN IP address.

We have tried this with both a UDP and TCP based OpenVPN connection (forwarding port 1194) to the Synology NAS. I would recommend trying an IP Address in FileBrowserGO’s “Name or URL” field, to avoid the DNS lookup stage of the connection.

To prevent compression on the OpenVPN server on a Synology NAS, you can open the VPN server in DSM under OpenVPN and disable the option Use compression on the VPN connection. If you enable ssh then you can log in with an ssh terminal to open the configuration file.

$ sudo vi /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf

OpenVPN Connect from iOS, Android to OPNsense

I went through it with another environment with deploy a virtual OPNsense using the OpenVPN Server. To do this, go to VPN -> OpenVPN -> open the corresponding server, here under Compression select “No Preference”, next add the two lines in the box under Advanced configuration, then save changes.

OpenVPN Connection fails on iOS and Android
OPNsense GUI: VPN – OpenVPN – Servers

Restart the OpenVPN server again and launch a VPN connection with your iOS or Android mobile device.