How to proxy any REST and WebSocket with nginx

Jakub Jóźwicki
1 min readAug 2, 2023
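# Stage the TLS material that the nginx container will mount read-only.
mkdir -p /etc/nginx/conf.d

# Server certificate (public material; default file permissions are fine).
cat <<'EOF' > /etc/nginx/conf.d/nginx.pem
-----BEGIN CERTIFICATE-----
MIIG...
-----END CERTIFICATE-----
EOF

# Private key: create it under a restrictive umask so it is never
# world-readable, even briefly. The subshell keeps the umask change local.
# The chmod also tightens a file left over from an earlier run, since umask
# only affects newly created files.
# NOTE(review): assumes the nginx master process in the container runs as the
# UID that owns this file (root when the script and podman run as root).
(
  umask 077
  cat <<'EOF' > /etc/nginx/conf.d/nginx-key.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIF...
-----END ENCRYPTED PRIVATE KEY-----
EOF
  chmod 600 /etc/nginx/conf.d/nginx-key.pem
)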

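# Resolve the environment name and the key passphrase from SSM Parameter Store.
# `https_proxy=` clears the proxy variable for that single aws invocation.
#
# --query selects the value by name. The previous positional parsing
# (awk column 6 of the text output, grep/cut on the YAML output) depended on
# which fields the CLI returns and truncated the passphrase at a fixed column.
# stderr is no longer discarded, so a failed lookup is visible instead of
# silently producing an empty value.
CLOUDENV=$(https_proxy= aws ssm get-parameter \
  --name /app/environment \
  --query Parameter.Value --output text \
  --cli-read-timeout 30 --cli-connect-timeout 30) || CLOUDENV=
if [ -z "$CLOUDENV" ]; then
  echo "error: could not read /app/environment from SSM" >&2
  exit 1
fi

CERTPASS=$(https_proxy= aws ssm get-parameter \
  --name "/app/${CLOUDENV}/https_cert_pass" \
  --with-decryption \
  --query Parameter.Value --output text) || CERTPASS=
if [ -z "$CERTPASS" ]; then
  echo "error: could not read /app/${CLOUDENV}/https_cert_pass from SSM" >&2
  exit 1
fi

# nginx reads the passphrase from this file (ssl_password_file). Write it
# owner-only: it sits next to the encrypted key, so anyone who can read both
# files can recover the private key. Avoid `set -x` around these lines, since
# tracing would print the passphrase.
(
  umask 077
  printf '%s\n' "$CERTPASS" > /etc/nginx/conf.d/password
  chmod 600 /etc/nginx/conf.d/password
)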

# Backend address that replaces the literal token UPSTREAM in the template
# below (the substitution is done by sed when nginx.conf is rendered).
# NOTE(review): the template uses `set $upstream https://UPSTREAM;`, which holds
# a single address; supporting several IPs would presumably need an nginx
# `upstream { ... }` group rather than a longer value here. TODO confirm.
UPSTREAM="10.0.0.10" ## FIXME: add more IPs here

# Write the nginx config template. The heredoc delimiter is quoted ('EOF'), so
# the shell expands nothing: $host, $upstream, $remote_addr etc. reach nginx
# literally, and UPSTREAM stays a plain placeholder token.
#
# What the template configures:
#   - TLS listener on 443 using the cert, encrypted key and password file
#     staged under /etc/nginx/conf.d.
#   - `location /` proxies everything to the backend over HTTPS with HTTP/1.1
#     and the Upgrade/Connection headers WebSocket needs.
#   - A second location for css/webp/ttf/woff2 adds 1-day expiry and cache
#     headers, with the same proxy settings.
#
# Review notes for anyone reusing this config:
#   - No proxy_ssl_verify / proxy_ssl_trusted_certificate is set; nginx does
#     not verify the upstream certificate by default, so the HTTPS hop to the
#     backend is encrypted but not authenticated.
#   - `add_header Access-Control-Allow-Origin *;` lets any origin read
#     responses cross-site; restrict it to the known frontend origin(s) unless
#     the content is meant to be public.
#   - X-Forwarded-For is built with $proxy_add_x_forwarded_for, which appends
#     to whatever the client sent; the backend should trust only the entry
#     added by this proxy.
#   - `Connection "upgrade"` is sent on every request, not only WebSocket
#     handshakes. NOTE(review): a map on $http_upgrade is the usual way to
#     make this conditional. TODO confirm the backend tolerates it.
#   - `proxy_redirect http:/UPSTREAM/ ...` has a single slash after the scheme.
#     NOTE(review): looks like a typo for `http://`; as written it presumably
#     never matches a Location header. Verify the intended scheme, since the
#     upstream is addressed over https.
#   - Referrer-Policy is only added in `location /`, not in the static-asset
#     location.
cat <<'EOF' > /etc/nginx/nginx.conf.template
events {
worker_connections 1024;
}
error_log /dev/stdout info;
http {
include /etc/nginx/mime.types;
access_log /dev/stdout;
server {
listen 443 ssl;
server_name frontend.awscloud.dev.net;
ssl_certificate /etc/nginx/conf.d/nginx.pem;
ssl_certificate_key /etc/nginx/conf.d/nginx-key.pem;
ssl_password_file /etc/nginx/conf.d/password;

location / {
set $upstream https://UPSTREAM;
proxy_set_header Host "frontend.awscloud.dev.net";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
add_header Referrer-Policy "origin";
add_header Access-Control-Allow-Origin *;
proxy_pass $upstream;
proxy_redirect http:/UPSTREAM/ https://frontend.awscloud.dev.net/;
proxy_http_version 1.1;
}

location ~* \.(?:css|webp|ttf|woff2)$ {
expires 1d;
add_header Vary Accept-Encoding;
add_header Cache-Control private;
set $upstream https://UPSTREAM;
proxy_set_header Host "frontend.awscloud.dev.net";
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
add_header Access-Control-Allow-Origin *;
proxy_pass $upstream;
proxy_redirect http:/UPSTREAM/ https://frontend.awscloud.dev.net/;
proxy_http_version 1.1;
}
}
}
EOF

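# Render the final config by replacing the UPSTREAM placeholder (first
# occurrence on each line) with the backend address. The sed expression is
# quoted so that a value containing whitespace or glob characters is not
# word-split by the shell. The value must not contain '/', which is the sed
# delimiter.
sed -e "s/UPSTREAM/${UPSTREAM}/" /etc/nginx/nginx.conf.template > /etc/nginx/nginx.conf

# Start the gateway container. Both mounts are read-only (ro) and relabelled
# for SELinux with a private label (Z), so the container cannot modify the
# key, the password file or the config.
# NOTE(review): `docker.io/nginx:latest` is a mutable tag, so each pull may run
# a different image. Pin a specific version tag or an image digest
# (docker.io/nginx@sha256:<digest-placeholder>) for reproducible deployments.
podman --runtime crun run -d --name gw -p 443:443 \
  -v /etc/nginx/conf.d:/etc/nginx/conf.d:Z,ro \
  -v /etc/nginx/nginx.conf:/etc/nginx/nginx.conf:Z,ro \
  docker.io/nginx:latest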
