Question

Web server structure scheme

Hello everyone! I recently had a commission to set up a web server structure for a company. We have a main domain that we have in Cloudflare for cache, SSL, rules, etc. We have this pointing to the public IP address. We have several subdomains: web (machine with Plesk), storage (Nextcloud), internal application, financial application … In the router, we have the ports open to v-machine 01, which only has NGINX to forward requests to the different v-servers.

We have a single physical server with different virtual machines:
  • Virtual machine for NGINX (machine 01)
  • Virtual machine for the web application
  • Virtual machine for the internal application
  • Virtual machine for the financial application
  • …

Is this approach correct? How should I protect both the NGINX machine and the servers behind it? Should I configure SSL certificates on all machines, or would what Cloudflare offers (SSL on all connections) be enough?

Sorry to be such a newbie but I hope you give me a hand!

Before, I had all the applications on a single machine, without separating anything, but I had performance problems and I could not use port 80 for more than one subdomain … With NGINX I think this is solved, together with splitting the applications that I have to expose into several virtual machines.

Thank you.


Hi, going by your description, I see your configuration as below. Correct it if it is actually different, please.

                            user (somewhere in the internet)
                              |
                           SSL|
                              |   
                 -----------------------------
                              |  Cloudflare
                           SSL|
                              |  
                 -----------------------------
                           SSL|  Company's infrastructure
                              |
                     .-----------------.
                     | Firewall/router |
                     '-----------------'
                           SSL|
                              |   Bare metal server
.-----------------------------|----------------------------------.
|                          SSL|                                  | 
|                      .-------------.                           |
|                      |    VM-01    |                           |
|                      |    nginx    |                           |
|                      '-------------'                           |
|                             | Private network (LAN)            |
|         .------------------------------------------.           |
|         |                   |                      |           |
| .--------------.   .-----------------.   .-------------------. |
| |      VM      |   |       VM        |   |        VM         | |
| |    web app   |   |  internal app   |   |   financial app   | |
| '--------------'   '-----------------'   '-------------------' |
|                                                                |
'----------------------------------------------------------------'

Some quick thoughts on your configuration:

  • It seems to be the absolute minimum to have an SSL/TLS connection both between the user and Cloudflare and between Cloudflare and VM-01. Cloudflare calls it Full SSL. If a user reaches the app VMs through the subdomains, the SSL certificate needs to include them, or separate certificates need to be issued/installed for these subdomains.
  • I would put the financial app VM behind a VPN gateway (server) to secure access to it further. I am pretty sure that the data served by this VM is sensitive enough to warrant enhanced security. The same may apply to the internal and web app VMs but again, it depends on how sensitive the data served by them is. You can assess the data sensitivity based on (1) the regulations in force in the countries where your company is present, (2) the regulations in force in the industries that your company is involved in (e.g. military), (3) internal regulations in your company, (4) common sense. A consultation with your company’s legal department may be needed on that subject.

Considering VPN, you could check Cloudflare’s service called Access. They announced it in March this year: https://blog.cloudflare.com/dogfooding-from-home/.

I hope it is a bit helpful.
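One way to realise the layout from the answer above on VM-01 (Full SSL between Cloudflare and nginx, per-subdomain server blocks, the financial app reachable only from the VPN), as an added example rather than the poster's or answerer's configuration; the domain, backend VM addresses, VPN range and certificate paths are constructed placeholders.

```nginx
# Added example (not from the thread): nginx.conf fragment for the VM-01 reverse proxy.
# Constructed values: example.com, backend VMs 10.0.0.11 and 10.0.0.13,
# VPN subnet 10.8.0.0/24, certificate paths under /etc/nginx/ssl/.

# Plain HTTP only redirects, so every hop (browser -> Cloudflare -> VM-01) is encrypted.
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}

# Catch-all for unknown Host headers or direct-IP hits: close the connection (444).
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/ssl/origin.pem;   # placeholder: cert covering the subdomains
    ssl_certificate_key /etc/nginx/ssl/origin.key;   # placeholder
    return 444;
}

# Public web app VM. The certificate must cover web.example.com (wildcard or SAN entry).
server {
    listen 443 ssl;
    server_name web.example.com;
    ssl_certificate     /etc/nginx/ssl/origin.pem;
    ssl_certificate_key /etc/nginx/ssl/origin.key;
    # Only accept connections presenting Cloudflare's Authenticated Origin Pulls client
    # certificate, so traffic that bypasses Cloudflare and hits the public IP is refused.
    ssl_client_certificate /etc/nginx/ssl/cloudflare-origin-pull-ca.pem;  # placeholder path
    ssl_verify_client on;
    location / {
        proxy_pass http://10.0.0.11:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Financial app VM: additionally limited to source addresses in the VPN subnet. This assumes
# VPN clients resolve finance.example.com to VM-01 directly (internal DNS), not via Cloudflare.
server {
    listen 443 ssl;
    server_name finance.example.com;
    ssl_certificate     /etc/nginx/ssl/origin.pem;
    ssl_certificate_key /etc/nginx/ssl/origin.key;
    allow 10.8.0.0/24;   # constructed VPN address range
    deny  all;           # everyone else receives 403
    location / {
        proxy_pass http://10.0.0.13:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The backend VMs should additionally firewall their application ports so that only VM-01's LAN address can reach them; otherwise the proxy's access rules can be sidestepped from inside the LAN.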

Thanks for the reply! It is of great help to me.

The nginx VM will only act as a reverse proxy; what resources should I allocate? Does the reverse proxy consume a lot when forwarding requests to the internal servers and returning the responses? 4GB RAM? 100GB disk? We are talking about no more than 5k visits a day.

And another question of the scheme, my local private network really starts on the nginx server, right?

Thank you!