# Nginx SSL Termination Load Balancer with Sticky Sessions for IIS

Source: https://github.com/dcrypt3d/nginx_lb (README.md; repository language: Shell; last push 2025-12-30).

This setup configures Nginx as a TLS-terminating reverse proxy with load balancing and sticky sessions in front of two IIS hosts.

## Architecture

- **Nginx**: Terminates TLS (SSL) connections and load balances traffic at Layer 7 (HTTP)
- **IIS Hosts**: Two backend servers receiving proxied HTTPS requests
- **SSL Termination**: TLS is terminated at Nginx, then re-encrypted and forwarded to IIS over HTTPS
- **Sticky Sessions**: Uses `ip_hash`, which keys on the first three octets of the client's IPv4 address (the whole address for IPv6), so every client in the same /24 is routed to the same backend server
- **Domain**: Configured for the `*.host.com` wildcard domain

## Installation Options

This project supports two installation methods:

1. **Docker** (Container-based) - See [Docker Installation](#docker-installation)
2. **Local CentOS/RHEL Install** - See [Local CentOS/RHEL Installation](#local-centosrhel-installation)

---

## Docker Installation

### Prerequisites

1. Docker and Docker Compose installed
2. TLS certificate and key (`cert.pem` and `key.pem`) placed in the `ssl/` directory
3. Network access to your IIS hosts

### Configuration

#### 1. Update IIS Host Addresses

Edit `nginx.conf` in the `upstream iis_backend` block and replace the placeholder hostnames/IPs:
- `iis-host1:443` - Replace with your first IIS server address (port 443 for HTTPS)
- `iis-host2:443` - Replace with your second IIS server address (port 443 for HTTPS)

If your IIS hosts are on different ports or use hostnames, update accordingly. Hostnames are resolved when Nginx starts, so they must resolve from inside the container.

**Note**: The backend servers are configured to use HTTPS (port 443). Ensure your IIS servers have TLS configured and are listening on port 443.

#### 2. SSL Certificates

Place your certificate and key in the `ssl/` directory:
- `ssl/cert.pem` - Your server certificate (with any intermediate certificates appended)
- `ssl/key.pem` - Your private key

For testing, you can generate a self-signed certificate non-interactively for the wildcard domain:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -subj '/CN=*.host.com' \
  -keyout ssl/key.pem -out ssl/cert.pem
```

**Important**: Nginx terminates TLS, so it needs a certificate that clients trust. Backend connections to IIS use HTTPS and are verified against a CA bundle (see [Notes](#notes)); a self-signed certificate on IIS will be rejected unless its issuer is in that bundle.

#### 3. Network Configuration

If your IIS hosts are on the same Docker network, ensure they're accessible by name. If they're external hosts, you may need to:
- Use actual IP addresses
- Configure Docker network settings (for example `extra_hosts` in `docker-compose.yml` so the upstream names resolve inside the container)

### Usage

#### Start the Nginx container:
```bash
docker-compose up -d
```

#### View logs:
```bash
docker-compose logs -f nginx
```

#### Stop the container:
```bash
docker-compose down
```

#### Reload configuration (without downtime):
```bash
docker-compose exec nginx nginx -t && docker-compose exec nginx nginx -s reload
```

---

## Local CentOS/RHEL Installation

### Prerequisites

1. CentOS Stream 9/10, RHEL 9/10, or a compatible Linux distribution
2. Root or sudo privileges
3. TLS certificate and key (`cert.pem` and `key.pem`)
4. Network access to your IIS hosts

### Quick Setup

1. **Install Nginx**:
   ```bash
   sudo dnf install epel-release -y
   sudo dnf install nginx -y
   ```

2. **Run Setup Script** (as root or sudo):
   ```bash
   sudo chmod +x setup-centos.sh
   sudo ./setup-centos.sh
   ```

3. **Manual Setup** (if preferred): See [INSTALL_CENTOS.md](INSTALL_CENTOS.md) for detailed instructions

### Configuration

#### 1. Update IIS Host Addresses

Edit `/etc/nginx/nginx.conf` in the `upstream iis_backend` block and replace the placeholder hostnames/IPs.

#### 2. SSL Certificates

Copy your certificate and key to `/etc/nginx/ssl/`:
- `cert.pem` - Your server certificate
- `key.pem` - Your private key

Set proper ownership and permissions (the Nginx master process reads the key as root, so the worker user needs no access to it):
```bash
sudo chown root:root /etc/nginx/ssl/cert.pem /etc/nginx/ssl/key.pem
sudo chmod 644 /etc/nginx/ssl/cert.pem
sudo chmod 600 /etc/nginx/ssl/key.pem
```

#### 3. Update Domain Name

Edit `/etc/nginx/conf.d/default.conf` and update `server_name *.host.com` to your actual domain.

#### 4. Configure Firewall

```bash
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
```

Only open `http` if the configuration serves or redirects plain HTTP on port 80; otherwise `https` alone is enough.

### Usage

#### Test configuration:
```bash
sudo nginx -t
```

#### Start and enable Nginx:
```bash
sudo systemctl start nginx
sudo systemctl enable nginx
```

#### Reload configuration (without downtime):
```bash
sudo nginx -t && sudo systemctl reload nginx
```

#### Check status:
```bash
sudo systemctl status nginx
```

#### View logs:
```bash
sudo tail -f /var/log/nginx/access.log
sudo tail -f /var/log/nginx/error.log
```

For detailed installation instructions, see [INSTALL_CENTOS.md](INSTALL_CENTOS.md).

---

## Load Balancing Methods

The current configuration uses `ip_hash` for sticky sessions. You can change this in `nginx.conf` in the `upstream iis_backend` block:

- **`ip_hash`** (current) - Routes based on the client IP address (sticky sessions)
  - The hash key is the first three octets of an IPv4 address (the whole IPv6 address), so all clients in one /24 go to the same backend server, not only clients with the identical IP
  - The address used is the TCP peer that connected to Nginx, not `X-Forwarded-For`; if another proxy or CDN sits in front of Nginx, all traffic hashes to one backend unless the `real_ip` module (`set_real_ip_from`, `real_ip_header`) is configured for that trusted proxy
  - Clients behind NAT or a corporate proxy share the same key and route to the same server, and adding or removing a backend reshuffles most clients
  
- `least_conn` - Routes to the server with the fewest active connections
- Round-robin - The default when no method directive is present; distributes requests evenly (no sticky sessions)

### Sticky Sessions

**Sticky sessions are enabled** using `ip_hash`:

- **Method**: IP-based routing provides session affinity
- **Benefit**: Clients from the same /24 always connect to the same backend server
- **Use Case**: Applications that keep session state in the memory of one IIS server
- **Consideration**: Multiple users behind the same NAT/proxy will route to the same backend server, and affinity is lost when that server is marked unavailable

**Note**: For cookie-based sticky sessions, which are more precise than IP affinity, you would need a custom Nginx build with a third-party sticky-cookie module such as `nginx-module-sticky`, a pre-built image that includes it, or the `sticky` directive of the commercial NGINX Plus.

## Health Checks

The configuration relies on the passive checks provided by the `server` directive:
- `max_fails=3` - Mark a server as unavailable after 3 failed attempts to communicate with it
- `fail_timeout=30s` - The window in which those 3 failures must occur, and the time the server is then considered unavailable before Nginx tries it again

These checks are passive: a backend is only marked down when real client requests to it fail. Active health checks (the `health_check` directive) are an NGINX Plus feature.

A health check endpoint is available at `/nginx-health`. Check in `conf.d/default.conf` whether that location is answered by Nginx itself or proxied before treating a 200 from it as a statement about the IIS hosts.

## Troubleshooting

### Docker Installation
1. **Check container logs**: `docker-compose logs nginx`
2. **Test configuration**: `docker-compose exec nginx nginx -t`
3. **Verify network connectivity**: Ensure IIS hosts are reachable on port 443 from inside the container, for example `docker-compose exec nginx curl -kv https://iis-host1/`
4. **Check SSL certificates**: Verify certificates are correctly mounted: `docker-compose exec nginx ls -l /etc/nginx/ssl/`

### Local CentOS/RHEL Installation
1. **Check logs**: `sudo tail -50 /var/log/nginx/error.log`
2. **Test configuration**: `sudo nginx -t`
3. **Verify network connectivity**: `curl -kv https://your-iis-server.com/` (ping only tests ICMP, not port 443)
4. **Check SSL certificates**: Verify certificates exist: `ls -l /etc/nginx/ssl/`
5. **Check ports**: Ensure ports are listening: `sudo ss -tlnp | grep -E ':80|:443'`
6. **Check SELinux**: `getenforce`; Nginx needs the `httpd_can_network_connect` boolean to open connections to the IIS hosts (`sudo setsebool -P httpd_can_network_connect 1`), and denials can be reviewed with `sudo ausearch -m avc -ts recent`
7. **Check firewall**: `sudo firewall-cmd --list-all`

## Notes

- **SSL Termination**: TLS is terminated at Nginx, then re-encrypted and forwarded to IIS over HTTPS
- **IIS HTTPS**: IIS receives HTTPS traffic (port 443) - ensure IIS has TLS configured
- **Layer 7 Proxying**: Uses HTTP-level load balancing (can inspect HTTP headers and cookies)
- **Sticky Sessions**: Enabled via `ip_hash` - clients in the same /24 route to the same backend
- **Domain Matching**: Configured for `*.host.com` - update the `server_name` in `conf.d/default.conf` if needed
- **SSL Certificates**: Nginx requires a certificate and key for termination
- **Backend SSL Verification**: `proxy_ssl_verify on` makes Nginx reject IIS certificates it cannot chain to the CA bundle given by `proxy_ssl_trusted_certificate`, and the certificate name must match the upstream host (or `proxy_ssl_name`). Self-signed certificates on IIS therefore fail unless their issuer is in that bundle; do not work around this by turning verification off
- **NIST Compliance**: Configuration aligns with NIST SP 800-52 Rev. 2, which mandates TLS 1.2 and recommends TLS 1.3 - see [NIST_COMPLIANCE.md](NIST_COMPLIANCE.md)
- Adjust timeouts and buffer sizes in the proxy settings based on your application needs

## Files

- `nginx.conf` - Main nginx configuration (Docker/Linux/CentOS paths)
- `conf.d/default.conf` - Server configuration (Docker/Linux/CentOS paths)
- `docker-compose.yml` - Docker Compose configuration
- `setup-centos.sh` - CentOS/RHEL setup script
- `INSTALL_CENTOS.md` - Detailed CentOS/RHEL installation guide
- `NIST_COMPLIANCE.md` - NIST compliance documentation
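The /24 granularity of `ip_hash` and what happens when the chosen server is marked unavailable, as an added example that is not part of this repository: a POSIX shell function modelled on the peer selection in nginx's `ngx_http_upstream_ip_hash_module` (seed 89, per-octet step `hash = (hash * 113 + octet) % 6271`, only the first three IPv4 octets folded in, peer index `hash % total_weight` with equal-weight servers in upstream order). The client addresses are constructed, and nginx's round-robin fallback after 20 rehashes is simplified here to "first server that is up".

```shell
#!/bin/sh
# Added example (not from dcrypt3d/nginx_lb): reproduce the backend choice
# nginx's ip_hash makes for an IPv4 client, so the real sticky-session
# granularity can be checked before relying on it.
# Model assumptions: seed 89; hash = (hash * 113 + octet) % 6271 for the
# first THREE octets only; peer = hash % peer_count (equal weights, upstream
# order); if that peer is down nginx folds the same octets in again, up to
# 20 times, then falls back to round-robin (simplified: first peer that is up).
# Input is a dotted quad without leading zeros (octets go through $(( ))).

# ip_hash_peer CLIENT_IP PEER_COUNT [DOWN_PEER] -> prints the 0-based peer index
ip_hash_peer() {
    ip=$1; peers=$2; down=${3:--1}
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 1; }
    hash=89
    tries=0
    while [ "$tries" -lt 20 ]; do
        for octet in "$1" "$2" "$3"; do       # the 4th octet is never used
            hash=$(( ($hash * 113 + $octet) % 6271 ))
        done
        peer=$(( $hash % $peers ))
        if [ "$peer" -ne "$down" ]; then
            echo "$peer"; return 0
        fi
        tries=$((tries + 1))
    done
    # round-robin fallback (simplified): first peer that is not down
    if [ "$down" -eq 0 ]; then echo 1; else echo 0; fi
}

# same_backend IP_A IP_B PEER_COUNT -> succeeds if both clients share a backend
same_backend() {
    [ "$(ip_hash_peer "$1" "$3")" = "$(ip_hash_peer "$2" "$3")" ]
}

# Constructed client addresses: two hosts in one /24 and one in the next /24.
for ip in 10.0.0.1 10.0.0.200 10.0.1.1; do
    printf '%-12s -> iis-host%s\n' "$ip" $(( $(ip_hash_peer "$ip" 2) + 1 ))
done
printf '%-12s -> iis-host%s (iis-host2 marked down)\n' 10.0.0.1 \
    $(( $(ip_hash_peer 10.0.0.1 2 1) + 1 ))
```

Two clients that differ only in the last octet always land on the same IIS host, while a neighbour in the next /24 can land on the other one, which is why "same client IP" understates how coarse this affinity is. When a backend is marked down by `max_fails`, its clients are rehashed onto the surviving server and lose any in-memory session state there.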
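A pre-deployment check for the backend verification, protocol and `ip_hash` points raised in the Load Balancing, Health Checks and Notes sections, as an added example that is not the project's `nginx.conf`, `conf.d/default.conf` or `setup-centos.sh`. It greps a rendered nginx configuration for the settings that decide whether "terminate, then re-encrypt to IIS" is actually verified and meets the TLS 1.2 floor of NIST SP 800-52 Rev. 2. The two embedded configurations are constructed for the demonstration; `/etc/nginx/ssl/iis-ca.pem` and `iis.host.com` are assumed names for the CA bundle that signed the IIS certificates and the name on those certificates.

```shell
#!/bin/sh
# Added example (not from dcrypt3d/nginx_lb): audit a rendered nginx config
# for the settings that make backend re-encryption verified and the client
# side TLS 1.2+. Feed it the output of `nginx -T`.

# has FILE REGEX -> true if a non-comment line of FILE matches REGEX
has() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# audit_nginx_conf FILE -> prints findings, returns the number of FAIL lines
audit_nginx_conf() {
    f=$1; n=0
    if has "$f" 'proxy_ssl_verify[[:space:]]+on'; then
        if ! has "$f" 'proxy_ssl_trusted_certificate'; then
            echo "FAIL: proxy_ssl_verify on without proxy_ssl_trusted_certificate: no trust anchor for the IIS certificates"
            n=$((n + 1))
        fi
        if ! has "$f" 'proxy_ssl_server_name[[:space:]]+on'; then
            echo "FAIL: no SNI sent to IIS (proxy_ssl_server_name defaults to off): SNI-bound IIS sites may present the wrong certificate"
            n=$((n + 1))
        fi
    else
        echo "FAIL: proxy_ssl_verify is off: Nginx accepts any certificate from the IIS hosts"
        n=$((n + 1))
    fi
    if ! has "$f" '(^|[[:space:]])ssl_protocols'; then
        echo "FAIL: ssl_protocols not set: the client-facing protocol list is whatever this build defaults to"
        n=$((n + 1))
    elif has "$f" 'ssl_protocols[^;]*(SSLv3|TLSv1[[:space:];]|TLSv1\.1)'; then
        echo "FAIL: SSLv3/TLS 1.0/TLS 1.1 enabled: NIST SP 800-52 Rev. 2 requires TLS 1.2 or later"
        n=$((n + 1))
    fi
    if has "$f" 'ip_hash' && ! has "$f" 'set_real_ip_from'; then
        echo "WARN: ip_hash keys on the TCP peer address; behind another proxy or CDN every client collapses onto one backend unless real_ip is configured"
    fi
    return $n
}

# count_fails FILE -> prints the number of FAIL findings (always exits 0)
count_fails() {
    audit_nginx_conf "$1" | grep -c '^FAIL' || true
}

# Constructed sample, not the project's file: looks right, verifies nothing,
# and still offers TLS 1.0/1.1 to clients.
write_weak_conf() {
    cat > "$1" <<'EOF'
upstream iis_backend {
    ip_hash;
    server iis-host1:443 max_fails=3 fail_timeout=30s;
    server iis-host2:443 max_fails=3 fail_timeout=30s;
}
server {
    listen 443 ssl;
    server_name *.host.com;
    ssl_certificate     /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass https://iis_backend;
        proxy_ssl_verify on;
    }
}
EOF
}

# Constructed hardened counterpart (iis-ca.pem and iis.host.com are assumed).
write_hardened_conf() {
    cat > "$1" <<'EOF'
upstream iis_backend {
    ip_hash;
    server iis-host1:443 max_fails=3 fail_timeout=30s;
    server iis-host2:443 max_fails=3 fail_timeout=30s;
}
server {
    listen 443 ssl;
    server_name *.host.com;
    ssl_certificate     /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location = /nginx-health { return 200 'ok'; }
    location / {
        proxy_pass https://iis_backend;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/iis-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name iis.host.com;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# Demo: audit both constructed files.
W=${TMPDIR:-/tmp}/nginx_lb_weak.$$; H=${TMPDIR:-/tmp}/nginx_lb_hard.$$
write_weak_conf "$W"; write_hardened_conf "$H"
echo "== weak ==";     audit_nginx_conf "$W"; echo "FAIL count: $?"
echo "== hardened =="; audit_nginx_conf "$H"; echo "FAIL count: $?"
rm -f "$W" "$H"
```

To run it against the live deployment, dump the full merged configuration first: `sudo nginx -T > /tmp/rendered.conf 2>/dev/null && audit_nginx_conf /tmp/rendered.conf` on the CentOS/RHEL host, or `docker-compose exec nginx nginx -T` for the container. The WARN about `ip_hash` is informational and does not count as a failure; it matters only when something else terminates client connections in front of Nginx.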