NAT and NGINX on the same server

networking amazon-ec2 nat amazon-vpc

6,223

Solution 1

You can easily do this without any problems, simply use an nginx conf file like the following for each server

server {
    listen 80;
    server_name subdomain.domiain.com;

    location / {
        proxy_pass      http://internal-server;
        }
}

Obviously you can get more complex, and do ssl, and other such things, but at it's core this will work, then you just open port 80, and go to the named host (or you can open multiple ports, and do this for each port instead of a URL)

Solution 2

I can't comment on if this is a good idea for your application architecture, however, it's technically possible to use your own NAT instance. It's quite simple.

In AWS:

1) disable source/destination checking 2) configure linux to enable the nat functionality in the kernel and iptables rules.

For point 2 you can just use the configure-pat.sh script from an existing amazon nat. I've pasted it here if this helps.

Hope this helps

Andrew

6,223

Morten

Updated on September 18, 2022

Comments

Morten over 1 year

I'm setting up a VPC cluster for my collaborative todo list application www.getdoneapp.com.

To have my servers on the private network I need a NAT server so my servers on the private network can connect to the internet to receive updates and what not.

The NAT server will consume an elastic IP address, so I'm wondering if I can just have that NAT server run nginx to direct traffic to my internal servers for HTTP.

So the question is, is it a bad idea to run NGINX and NAT on the same server, or should I go for consuming 2 elastic IP addresses?
Kevin over 11 years

That being said, an EIP is not prohibitively expensive, and may be desired if you want to seperate the roles of each server.
Morten over 11 years

But is there anything bad with going for a single point exposure to the internet. For example considering security: I can go both ways, one is that I have a single point of entry to secure, the other is that that point of entry has several roles.
Kevin over 11 years

There are many ways to secure this. Technically this server only has a single role, as being a proxy for servers behind your NAT. This actually limits the exposure to your internal servers (as they will have to secure access to this server, and then go deeper into the network to get at the actual sites). You can do IP restriction on say SSH access, and create complex nginx rules to filter out the admin portion of every application behind the proxy, and put those on a different IP restricted port. You have to use what will work best for you, either way it can be secured.