Hello everyone! I recently had a commission to set up a web server structure for a company. We have a main domain that we have in CloudFlare for cache, ssl, rules, etc. We have this pointing to the public IP address. We have several subdomains, web (machine with PLESK), storage (nextCloud), internal application, financial application … In the router, we have the ports open to v-machine 01, which only has NGINX to launch requests to the different v-servers.
We have a single physical server with different virtual machines. Virtual machine for NGINX (machine 01) Virtual machine for web application Virtual machine for the internal application Virtual machine for financial application …
Is this approach correct? How should I protect both the NGINX machine and the servers behind it? Should I configure ssl certificates on all machines or with what cloudflare offers (ssl on all connections) would that be enough?
Sorry to be such a newbie but I hope you give me a hand!
Before I had all the applications on a single machine, without differentiating anything, but I had performance problems and that I cannot put port 80 for more than one subdomain … With NGINX I think that this is solved together with dividing the virtual machines into several virtual machines applications that I have to open.
Thank you.
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Thanks for the reply! It is of great help to me.
The nginx VM will only act as a reverse proxy, what resources should I allocate? Does the reverse proxy consume a lot and of launching the requests towards internal servers and returning them? 4GB RAM? 100GB disk? We are talking about no more than 5k visits a day.
And another question of the scheme, my local private network really starts on the nginx server, right?
Thank you!
Hi, Going on your description, I can see your configuration like below. Correct it if it is actually different, pls.
user (somewhere in the internet)
|
SSL|
|
-----------------------------
| Cloudflare
SSL|
|
-----------------------------
SSL| Company's infrastructure
|
.-----------------.
| Firewall/router |
'-----------------'
SSL|
| Bare metal server
.-----------------------------|----------------------------------.
| SSL| |
| .-------------. |
| | VM-01 | |
| | nginx | |
| '-------------' |
| | Private network (LAN) |
| .------------------------------------------. |
| | | | |
| .--------------. .-----------------. .-------------------. |
| | VM | | VM | | VM | |
| | web app | | internal app | | financial app | |
| '--------------' '-----------------' '-------------------' |
| |
'----------------------------------------------------------------'
Some quick thoughts on your configuration:
- It seems to be absolute minimum to have SSL/TSL connection both between user and Cloudflare and between Cloudflare and VM-01. Cloudflare calls it Full SSL. If a user addresses app VMs through the subdomains, SSL certificate needs to include them or separate certificates need to be issued/installed for these subdomains.
- I would put the financial app VM behind VPN gateway (server) to secure an access to it more. I am pretty sure that the data served by this VM is sensitive enough to enhance security. The same may be related to the internal and web app VMs but again, it depends on how sensitive data is served by them. You can assess the data sensitivity going on (1) the regulations are in force in the countries where your company is present, (2) the regulations that are in force in the industries that your company is involved in (e.g. military), (3) internal regulations in your company, (4) a common sense. A consultation with your company’s law department may be needed on that subject.
Considering VPN, you could check Cloudflare’s service called Access. They announced it in March this year: https://blog.cloudflare.com/dogfooding-from-home/.
I hope it is helpful a bit.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.