Question

Web server structure scheme

Posted November 28, 2020 572 views
Tags: Nginx, Initial Server Setup

Hello everyone!
I recently had a commission to set up a web server structure for a company. We have a main domain in CloudFlare for caching, SSL, rules, etc.
We have this pointing to the public IP address. We have several subdomains, web (machine with PLESK), storage (nextCloud), internal application, financial application …
In the router, we have the ports open to v-machine 01, which only has NGINX to launch requests to the different v-servers.

We have a single physical server with different virtual machines.
Virtual machine for NGINX (machine 01)
Virtual machine for web application
Virtual machine for the internal application
Virtual machine for financial application …

Is this approach correct? How should I protect both the NGINX machine and the servers behind it?
Should I configure ssl certificates on all machines or with what cloudflare offers (ssl on all connections) would that be enough?

Sorry to be such a newbie but I hope you give me a hand!

Before, I had all the applications on a single machine, without separating anything, but I had performance problems, and I cannot use port 80 for more than one subdomain … With NGINX I think this is solved, together with dividing the applications that I have to open into several virtual machines.

Thank you.

2 answers

Hi,
Going on your description, I can see your configuration like below. Please correct it if it is actually different.

                            user (somewhere in the internet)
                              |
                           SSL|
                              |   
                 -----------------------------
                              |  Cloudflare
                           SSL|
                              |  
                 -----------------------------
                           SSL|  Company's infrastructure
                              |
                     .-----------------.
                     | Firewall/router |
                     '-----------------'
                           SSL|
                              |   Bare metal server
.-----------------------------|----------------------------------.
|                          SSL|                                  | 
|                      .-------------.                           |
|                      |    VM-01    |                           |
|                      |    nginx    |                           |
|                      '-------------'                           |
|                             | Private network (LAN)            |
|         .------------------------------------------.           |
|         |                   |                      |           |
| .--------------.   .-----------------.   .-------------------. |
| |      VM      |   |       VM        |   |        VM         | |
| |    web app   |   |  internal app   |   |   financial app   | |
| '--------------'   '-----------------'   '-------------------' |
|                                                                |
'----------------------------------------------------------------'

Some quick thoughts on your configuration:

  • It seems to be the absolute minimum to have an SSL/TLS connection both between the user and Cloudflare and between Cloudflare and VM-01. Cloudflare calls it Full SSL. If a user addresses the app VMs through the subdomains, the SSL certificate needs to include them, or separate certificates need to be issued/installed for these subdomains.
  • I would put the financial app VM behind a VPN gateway (server) to secure access to it further. I am pretty sure that the data served by this VM is sensitive enough to warrant enhanced security. The same may apply to the internal and web app VMs, but again, it depends on how sensitive the data served by them is. You can assess the data sensitivity based on (1) the regulations in force in the countries where your company is present, (2) the regulations in force in the industries that your company is involved in (e.g. military), (3) internal regulations in your company, (4) common sense. A consultation with your company’s legal department may be needed on that subject.

Considering VPN, you could check Cloudflare’s service called Access. They announced it in March this year: https://blog.cloudflare.com/dogfooding-from-home/.

I hope it is a bit helpful.
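A reverse-proxy configuration for VM-01 along the lines of the answer above, as an added example that is not part of the original thread: TLS is terminated on VM-01 with a Cloudflare Origin CA certificate (so Cloudflare can run in Full (strict) mode), each subdomain has its own server block proxying to its own app VM, and the financial app is reachable only from VPN and LAN addresses. The domain example.com, the LAN range 10.0.0.0/24 with the VM addresses, the VPN client range 10.8.0.0/24 and the certificate paths are assumptions.

```nginx
# Added example (not from the thread). Drop into /etc/nginx/conf.d/ on VM-01.
# Assumed: domain example.com, LAN 10.0.0.0/24, VPN clients 10.8.0.0/24,
# Cloudflare Origin CA certificate at /etc/nginx/ssl/origin.{pem,key}.

# Port 80 only redirects; nothing is ever served in the clear.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# One certificate (SAN or wildcard) covering all subdomains, TLS 1.2+ only.
ssl_certificate     /etc/nginx/ssl/origin.pem;
ssl_certificate_key /etc/nginx/ssl/origin.key;
ssl_protocols       TLSv1.2 TLSv1.3;

# Headers every backend needs to see the real visitor and the scheme.
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;

# Public web app (Plesk VM).
server {
    listen 443 ssl http2;
    server_name web.example.com;
    location / { proxy_pass http://10.0.0.11; }
}

# Nextcloud storage VM; larger uploads than the nginx default of 1m.
server {
    listen 443 ssl http2;
    server_name storage.example.com;
    client_max_body_size 2G;
    location / { proxy_pass http://10.0.0.12; }
}

# Financial app: only VPN clients and the on-site LAN get past nginx.
# Do not proxy this name through Cloudflare; VPN clients resolve it to
# VM-01's LAN address, so $remote_addr is the real client here.
server {
    listen 443 ssl http2;
    server_name finance.example.com;
    allow 10.8.0.0/24;   # VPN clients
    allow 10.0.0.0/24;   # on-site LAN
    deny  all;           # everyone else: 403 before reaching the app VM
    location / { proxy_pass http://10.0.0.14; }
}

# Unknown Host header: close the connection instead of serving the first vhost.
server {
    listen 443 ssl http2 default_server;
    server_name _;
    return 444;
}
```

Check the result with `nginx -t` before reloading, and on the app VMs restrict inbound HTTP to VM-01's LAN address so nothing bypasses the proxy.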

Thanks for the reply! It is of great help to me.

The nginx VM will only act as a reverse proxy, so what resources should I allocate? Does the reverse proxy consume a lot just forwarding the requests to the internal servers and returning the responses? 4GB RAM? 100GB disk? We are talking about no more than 5k visits a day.

And another question of the scheme, my local private network really starts on the nginx server, right?

Thank you!

  • @smd07 wrote
    The nginx VM will only act as a reverse proxy, so what resources should I allocate? Does the reverse proxy consume a lot just forwarding the requests to the internal servers and returning the responses? 4GB RAM? 100GB disk? We are talking about no more than 5k visits a day.

    Hardware requirements depend on some factors like:

    • the content that is served from behind the reverse proxy,
    • the number of concurrent requests/connections from the internet at a given moment,
    • the kind of traffic (HTTP/HTTPS),
    • (paradoxically) the reverse proxy configuration itself (e.g. buffering, caching).

    So, it is difficult to explicitly specify the hardware requirements. From my experience: 1 CPU core / 1 GB RAM / 25 GB disk is enough for most reverse proxy implementations.

    @smd07 wrote
    And another question of the scheme, my local private network really starts on the nginx server, right?

    The connections on the diagram reflect how I can imagine your configuration going on your description. It is only the pictorial diagram. The true implementation may be completely different, and it will depend on the network configuration in your company. I will bring you some example tomorrow :)

    • @Yannek
      Thank you very much for your explanations, you do not know how much I appreciate that someone with experience helps the rest who are starting to take steps with this.

      I will start to assemble this structure.
      I have a DELL server with 16 cores and 32GB of RAM. Also 600MB of symmetric fiber.

      I will install HYPER-V and I will start to deploy the components through virtual machines, starting with Ubuntu 20.04 + NGINX and later the necessary VMs for my applications.
      https://www.digitalocean.com/community/tutorials/how-to-host-a-website-using-cloudflare-and-nginx-on-ubuntu-20-04-es

      Any recommendation you want to make will be very well received and eternally grateful.

      Kind regards,

      • @smd07
        No worries :) But what I could suggest is to get other opinions as well, especially on the forums where hardware configurations and the issues related to them are discussed more frequently than here. The people publishing there are usually in touch with hardware-related subjects on a daily basis. For comparison, I deployed my most recent server ‘on premises’ about 6-8 years ago, if I recall correctly ;)

        Returning to my previous diagram and the private network (LAN) on it. As I mentioned, it was just a picture built on your description, to illustrate a general concept of SSL connections. SSL is usually not needed in a private network, unless the private network is untrusted.
        In your implementation, for example, it may be necessary to connect all app VMs to the LAN to provide local access to the apps for people working on-site. Another example: it may be necessary to connect the internal app VM to the LAN but the financial app VM to a particular VLAN only, for security reasons, etc. You will tailor your configuration to the needs of your company.