Intro
This is a follow-up post to NGINX Reverse Proxy LetsEncrypt Auto-Renew, where I showed you how to configure NGINX as a reverse proxy. This post details the specific configuration needed to access eve-ng over the internet using a reverse proxy. I assume you have deployed the eve-ng appliance on ESXi or another hypervisor; however, it will probably work with bare metal installs.
Configure NGINX
Firstly on the reverse proxy server install nodejs and npm (only a few dependencies). I am using CentOS 7 for the reverse proxy. Please note you might not have to install this but I used it to test the websocket connection.
    yum install nodejs npm
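Then install the wscat program (the command-line WebSocket client; it is published as its own npm package and is not provided by the ws library).

    npm install -g wscat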
You can test a websocket connection with: (It will fail until you configure tomcat further down the page)
    wscat --connect ws://labs.example.com/html5
Next create a new server configuration (I assume you have a NGINX configuration as described here).
    nano -c /etc/nginx/conf.d/reverseproxyLABS.conf
Now add the following, adjusting the IP address and server name to match your environment. Please note: The .well-known location is for LetsEncrypt to verify the subdomain.
    # Guacamole (Tomcat) on the EVE-NG appliance
    upstream websocket {
        server 192.168.20.20:8080;
    }

    server {
        listen 443 ssl;
        # Example config for EVE-NG, browsable at https://labs.example.com
        server_name labs.example.com;
        client_max_body_size 0;
        add_header Strict-Transport-Security "max-age=31536000" always;
        # Redundant with "listen 443 ssl"; deprecated since nginx 1.15.0 and
        # removed in 1.25.1, so drop this line on newer releases.
        ssl on;

        # LetsEncrypt HTTP validation for this subdomain
        location /.well-known {
            root /usr/share/nginx/html/;
        }

        # HTML5 console (Guacamole); HTTP/1.1 plus the Upgrade and Connection
        # headers are required for the WebSocket handshake to pass through
        location /html5/ {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://websocket/guacamole/;
        }

        location /html5/websocket-tunnel {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Host $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://websocket/guacamole/websocket-tunnel;
        }

        # Everything else goes to the EVE-NG web UI
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_pass http://192.168.20.20/;
        }
    }
Now save this file and restart NGINX.
Eve-ng Appliance Configuration
SSH into your EVE appliance (I have deployed the EVE-NG Ubuntu VM on ESXi).
Edit the tomcat server.xml file to allow connections to port 8080 from another host.
    nano /var/lib/tomcat8/conf/server.xml
Find the connector section and change address="127.0.0.1" to address="0.0.0.0"; tomcat will now listen on any address.

    <Connector port="8080" protocol="HTTP/1.1"
               address="0.0.0.0"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               redirectPort="8443" />
Save the file and exit.
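With address="0.0.0.0" the Guacamole connector on port 8080 is reachable in plain HTTP from every host that can route to the appliance, not only from the reverse proxy. The following is an added example, not part of the original post: it audits the connectors in a server.xml and emits iptables rules that admit only the proxy. The proxy address 192.0.2.10 and the sample XML are constructed placeholders, and IPv4 is assumed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the connector as edited in the step above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="0.0.0.0"
               connectionTimeout="20000" URIEncoding="UTF-8" redirectPort="8443" />
  </Service>
</Server>"""

PROXY_IP = "192.0.2.10"  # placeholder (documentation range), not from the post


def audit_connectors(xml_text):
    """Return port, bind address and exposure for every <Connector>."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        # Tomcat binds to all local addresses when 'address' is omitted.
        addr = conn.get("address", "0.0.0.0")
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            exposure = "hostname"  # not an IP literal, needs manual review
        else:
            if ip.is_loopback:
                exposure = "local-only"
            elif ip.is_unspecified:
                exposure = "all-interfaces"
            else:
                exposure = "single-interface"
        findings.append({"port": int(conn.get("port")), "address": addr,
                         "exposure": exposure})
    return findings


def allowlist_rules(findings, proxy_ip):
    """iptables rules that admit only the reverse proxy to exposed connectors."""
    ipaddress.IPv4Address(proxy_ip)  # raise on malformed input
    rules = []
    for f in findings:
        if f["exposure"] != "local-only":
            rules.append(f"iptables -A INPUT -p tcp --dport {f['port']} -s {proxy_ip} -j ACCEPT")
            rules.append(f"iptables -A INPUT -p tcp --dport {f['port']} -j DROP")
    return rules


if __name__ == "__main__":
    for line in allowlist_rules(audit_connectors(SAMPLE_SERVER_XML), PROXY_IP):
        print(line)
```

The rules use -A, which appends to the chain, so check them against any existing INPUT rules on the appliance before applying them.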
I made a mistake: you don’t need to edit the apache config file. If you do, then you can’t log in to the web client when “html5” is selected. The original step is kept below, struck out; skip it.

[Struck out] Now open the apache2 vhost config file and comment out the reverse proxy section.

    nano /etc/apache2/sites-enabled/unetlab.conf

    # <Location /html5/>
    #     Order allow,deny
    #     Allow from all
    #     ProxyPass http://127.0.0.1:8080/guacamole/ flushpackets=on
    #     ProxyPassReverse http://127.0.0.1:8080/guacamole/
    # </Location>
    #
    # <Location /html5/websocket-tunnel>
    #     Order allow,deny
    #     Allow from all
    #     ProxyPass ws://127.0.0.1:8080/guacamole/websocket-tunnel
    #     ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    # </Location>
Restart both apache2 and tomcat8.
    systemctl restart tomcat8
    systemctl restart apache2
You should be able to access eve-ng at https://labs.example.com. Don’t forget to update the DNS server to point at the reverse proxy!