1

I am trying to setup a environment where I have two VM's.

Scenaio would be like

VM1 and VM2 are there and VM one trying to reach internet (all outboud), it should forward the all traffic to VM1 (which has nginx running as forward proxy)

I created IP table rule in source VM (VM2) as below

iptables -t nat -A OUTPUT -p tcp -o eth1 --dport 80 -j DNAT --to proxyserverip:8888
iptables -t nat -A OUTPUT -p tcp -o eth1 --dport 443 -j DNAT --to proxyserver:8888

and in VM1(proxy VM running nginx) have below config. how ever this is not working as expected.

server {
    listen       8888;

    location / {
        resolver 8.8.8.8;
        proxy_pass http://$http_host$uri$is_args$args;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

I am trying this in aws ec2 using nat and internet gateways as below.

enter image description here

But unable to establish connection.

DevOpsGeek
  • 302
  • 1
  • 4
  • 15
  • this might help: https://stackoverflow.com/questions/10727443/how-to-use-iptables-in-linux-to-forward-http-and-https-traffic-to-a-transparent – ofirule Apr 01 '23 at 07:29

2 Answers2

1

Assuming that your NAT gateway and VM1 are in the same subnet, these two will not talk to each other. VM1 should be in a private subnet, i.e. the one not containing an Internet gateway; the NAT gateway, positioned in the public subnet, will then route VM1's requests to the Internet gateway.

If VM1 has to be positioned in a public subnet in your topology and you have no interest in obfuscating its IP, VM1 can simply be exposed to the internet (via Igw obviously).

I am not sure what role does VPC peering play in your diagram, why do you need to place VM1 and VM2 in different VPCs?

Generally speaking, the most efficient way of restricting the flow to VM2 would be to put VM1 and VM2 in two separate security groups and then allow traffic into VM2's security group only from VM1's security group.

Alex Chadyuk
  • 1,421
  • 2
  • 10
0

It looks like you're almost there based on your code... Locate the default Nginx configuration file and comment out the server part in order to save it as an archived copy. Usually, we can find it in /etc/nginx/sites-enabled/default:

# Default server configuration
#server {
    #listen 80 default_server;
    #listen [::]:80 default_server;

    #root /var/www/html;

    # Add index.php to the list if you are using PHP
    #index index.html index.htm index.nginx-debian.html;

    #server_name _;

    #location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
    #}
#}

Next, create a new file called forward and add all the needed configurations to turn Nginx into a working forward proxy:

server {

    listen 8888;

    location / {

        resolver 8.8.8.8;

        proxy_pass http://$http_host$uri$is_args$args;

    }

}

The ‘resolver 8.8.8.8' directive specifies which nameservers should be used to resolve the names of upstream servers into addresses, in this case 8.8.8.8 corresponds to Google's nameservers.

The variable $http_host contains the host in the original request, whereas $uri contains the path after the domain or IP. The last two variables $is_args and $args check for any additional arguments in the initial request, and they add them automatically to the proxied request.

After we update all the necessary configurations, we need to restart the nginx.service for them to take effect:

sudo systemctl restart nginx.service
joe hoeller
  • 1,248
  • 12
  • 22