Security through separation
We can achieve a measure of security by separating out the point to which clients connect to an application. This is one of the main reasons for using reverse proxy architecture. The client directly connects only to the machine running the reverse proxy. This machine should, therefore, be secured well enough that an attacker cannot find a point of entry.
Security is such a large topic that we will touch only briefly on the main points to observe:
Set up a firewall in front of the reverse proxy that only allows public access to port 80 (and 443, if HTTPS connections should also be made)
Ensure that NGINX is running as an unprivileged user (typically
www
,webservd
, orwww-data
, depending on the operating system)Encrypt traffic where you can to prevent eavesdropping
We will spend some time on this last point in the next section.
Encrypting traffic with SSL
NGINX is often used to terminate SSL connections, either because the upstream server is not capable of using SSL or...