How to set up secure remote access to a monitoring server using an NginX Reverse Proxy with an SSL certificate

A reverse proxy protects applications against cybercriminals and malicious software. It also allows limiting access to applications based on username, IP, domain, or geographical location.

A reverse proxy is a network intermediary located between the application user and the infrastructure that hosts the protected applications. This allows you to eliminate many problems, such as the impact of DoS/DDoS attacks or application attacks. Another advantage of this type of solution is that the application behind the reverse proxy does not require any major configuration changes.

Additionally, with the Reverse Proxy on NginX you can block bots (both malicious and those from search engines), and restrict access to applications based on username, IP, domain, or geographical location. So, for example, you can limit access only for admins who log in from the office and home IP, and for admins from an office located in a specific country.

Configuration of NginX and SSL

Preconditions

Before configuring NginX Reverse Proxy, you should do the following:

  1. Create a DNS A (host) record that maps the name to the server's IP address, for example: netcrunch.your_domain_name.com
  2. Install and configure OS (preferably Linux)
  3. Create a CSR (certificate signing request)
  4. Using the CSR, get an SSL certificate, at least a wildcard (*) certificate
  5. Install NginX

Configuration of NginX Reverse Proxy

To configure NginX Reverse Proxy, use the following commands:

  • make a copy of the original nginx.conf file
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bac
  • open nginx.conf file in an editor
vi /etc/nginx/nginx.conf

Example configuration from nginx.conf file:

    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log /var/log/nginx/access.log main;
        sendfile on;
        keepalive_timeout 65;
        # load the virtual host files created later in this guide
        include /etc/nginx/conf.d/*.conf;
        index index.html index.htm;
    }

Configuration of SSL Wildcard certificate:

  1. Copy all the files in the package from the certificate Provider to your server along with the Private Key to the appropriate directories. Best practice recommends placing the certificate files in the directory /etc/ssl on your server.
  2. Add the SSL configuration to the nginx.conf file (inside the http block), for example:

    server {
        # TLS is enabled on the listen directive; this replaces the deprecated "ssl on;"
        listen 443 ssl;
        ssl_certificate /etc/ssl/your_domain_name.pem;   # or bundle.crt
        ssl_certificate_key /etc/ssl/your_domain_name.key;
        server_name your.domain.com;
        access_log /var/log/nginx/nginx.vhost.access.log;
        error_log /var/log/nginx/nginx.vhost.error.log;
        location / {
            root /home/www/public_html/your_domain_name.com/public/;
            index index.html;
        }
    }

Creating virtual host(s) configuration

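Create a virtual host file in the /etc/nginx/conf.d directory. The file name below is only an example; it must end in .conf to match the include line in nginx.conf:

vi /etc/nginx/conf.d/netcrunch.conf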

Example configuration:

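    server {
        listen 80;
        # server_name entries are separated by spaces, not commas
        server_name netcrunch.your_domain_name.com 10.0.2.10;
        location / {
            # forward all requests to the backend application
            proxy_pass http://10.0.11.12:8080;
        }
    }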
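
As an added example (not part of the original article), the virtual host above can be served over HTTPS with the certificate from the previous section and limited to known admin addresses, as the introduction describes. The host name, certificate paths and backend address are the ones used on this page; the allow-listed addresses (documentation ranges), the TLS protocol list and the forwarded headers are assumptions.

```nginx
# Added example, not the article's own configuration.
# Save as a .conf file in /etc/nginx/conf.d/ in place of the port-80 proxy above.

# Plain HTTP only redirects, so logins never cross the network unencrypted.
server {
    listen 80;
    server_name netcrunch.your_domain_name.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name netcrunch.your_domain_name.com;

    # Wildcard certificate and private key copied to /etc/ssl earlier
    ssl_certificate     /etc/ssl/your_domain_name.pem;
    ssl_certificate_key /etc/ssl/your_domain_name.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # assumed policy: no legacy protocols

    # Assumed addresses (documentation ranges): replace with the office and
    # home IPs of the admins. Every other client receives 403.
    allow 203.0.113.10;
    allow 198.51.100.0/24;
    deny  all;

    location / {
        proxy_pass http://10.0.11.12:8080;
        # Pass the original host, client address and scheme to the backend
        # (assumption: useful for the backend's own logs and redirects)
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t before reloading; a request from an address outside the allow list should then be answered with 403.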

Important notes

To complete the setup, remember to make sure that you

  • set firewall rules:
sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
  • enable NginX service:
sudo systemctl enable nginx
  • check NginX configuration:
nginx -t

Configuration of NetCrunch to enable secure remote access to NetCrunch Server

As we mentioned at the beginning of the article, the configuration of the application itself does not require any major changes. All you have to do is to add a user in NetCrunch. To do it:

  1. Open Top Menu Tools User & Access Profiles...
  2. From the left pane select NetCrunch Users tab
  3. Click on the Add button on the bottom
  4. Provide Username, Access Profile, and Password
  5. Click OK button

From now on, you will be able to open the Web Console of your NetCrunch from anywhere in the world in a secure way.

Once you have created the appropriate user, open your web browser, enter the appropriate address, and log in using the previously created username and password.
