Nginx reverse proxy to hide my real servers


I have 2 servers, both using nginx.

Server 1: 192.168.xxx.xxx (This is the main server with the mydomain.com domain with LEMP)

Server 2: 128.111.xxx.xxx (which will come)

On the first server I used Cloudflare to hide the server IP. But that apparently didn't really hide it.

So I got advice in the form of something like this.

Another way, you can buy another server and use it as a reverse proxy to your main server.

So my question is, how to make this happen?

I want all traffic to go through server 2 first, which I plan to use as a reverse proxy before forwarding it to server 1. That way the IP on the main server will not be visible even in certain ways.

I only understand a little about Nginx, and I've read several articles and similar cases but I still don't understand how to make it happen.


Updates:

I have managed to proxy_pass server2 to server1, but server1 is used for multiple domains. I put the several configs in server1's /etc/nginx/sites-available, and the proxy_pass on server2 points to server1's /etc/nginx/sites-available/default.

Where "default" is the default config which, if the IP is accessed, will lead to the default Welcome to Nginx page! And also some configs domain1, domain2, domain3 and so on. What I want to do is proxy_pass server2 to server1 so that it points to the domain1 config in /etc/nginx/sites-available/domain1.

But with my server2 config, server2 does proxy_pass to /etc/nginx/sites-available/default, not to domain1.

Here is the config that I have, where is it wrong?

Server2 config:

upstream backend {
    server server1_IP;
}

server {
    listen 80;
    server_name domain1.com www.domain1.com;

    location / {
        proxy_pass http://backend;
        # Pass the visitor's Host header through; otherwise server1 receives
        # "Host: backend" and serves its default_server instead of domain1.
        proxy_set_header Host $host;
    }
}

server1 config default:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/master/master.crt;
    ssl_certificate_key /etc/ssl/master/master.key;
    root /var/www/html;
    index index.nginx-debian.html index.html index.htm index.php;
    server_name _;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Server1 domain1.com

server {
    listen 80;
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/domain1.com/domain1.com.crt;
    ssl_certificate_key /etc/ssl/domain1.com/domain1.com.key;
    root /var/www/html/domain1.com;
    index index.php index.html index.htm;
    error_log /var/log/nginx/domain1.com.error.log;
    server_name domain1.com www.domain1.com;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    if ($http_user_agent ~* (BLEXBot|GrapeshotCrawler|MJ12bot|SemrushBot|AhrefsBot|DotBot) ) { return 301 http://127.0.0.1/; }
    location ~* /(?:uploads|files)/.*\.(asp|bat|cgi|htm|html|ico|js|jsp|md|php|pl|py|sh|shtml|swf|twig|txt|yaml|yml|zip|gz|tar|bzip2|7z)$ { deny all; }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param PHP_VALUE open_basedir="/tmp/:/usr/share/php/:/dev/urandom:/dev/shm:/var/lib/php/sessions/:$document_root";
        fastcgi_pass unix:/run/php/php7.4-domain1.com-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location = /wp-login.php {
        # "limit" must be declared with limit_req_zone in the http context.
        # Behind server2, a zone keyed on $binary_remote_addr sees every
        # visitor as server2 unless the real client IP is restored on server1.
        limit_req zone=limit burst=1 nodelay;
        limit_req_status 429;
        fastcgi_pass unix:/run/php/php7.4-domain1.com-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        try_files $uri $uri/ /index.php?$args;
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~* \.(js|jpg|jpeg|gif|png|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|woff|woff2|svg)$ {
        expires 365d;
    }
    location ~ /\.ht {
        deny all;
    }
    location ~ /\.us {
        deny all;
    }
    location ~* "(base64_encode)(.*)(\()" {
        deny all;
    }
    location ~* "(eval\()" {
        deny all;
    }
    location = /xmlrpc.php {
        return 403;
    }
    rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
}

For domain2, domain3 and so on, the same as domain1.

So basically I want server2 to proxy_pass to domain1, not to the default. Later I will enter server2's IP into Cloudflare's A record.

So even if someone can find my server IP address, even through Cloudflare, they will only read the IP of server2, not server1.


Answer by LF-DevJourney:

If you want to forward server2's traffic to server1, configure server2's nginx like below.

http {
    upstream backend {
        server backend1.example.com;
        #server backend2.example.com;
        #server backend3.example.com;
    }

    server {
        listen 80;
        server_name example.com;

        # keep the original Host header so the backend's name-based virtual
        # host, not its default server, handles the request (inherited by the
        # locations below unless they set proxy_set_header themselves)
        proxy_set_header Host $host;

        location / {
            proxy_pass http://backend;
        }

        # if you want to config different backend
        location /a/ {
            proxy_pass http://adifferentbackend;
        }
    }

    # if you have other server
    server {
        listen 80;
        server_name domain1;

        proxy_set_header Host $host;

        location / {
            proxy_pass http://subdomainserver;
        }
    }
}
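A worked version of the setup the question and the answer describe, added here as an example and not code from either post: server2 forwards with the original Host header so server1's name-based vhost matches instead of the default server, and server1 restores the visitor's address while refusing connections that do not come from server2. SERVER1_IP and SERVER2_IP are placeholders, and the upstream name server1_domain1 is my own.

```nginx
# server2 (public reverse proxy): /etc/nginx/sites-available/domain1
upstream server1_domain1 {
    server SERVER1_IP:80;              # placeholder for server1's address
}

server {
    listen 80;
    server_name domain1.com www.domain1.com;
    location / {
        proxy_pass http://server1_domain1;
        # Without this nginx sends "Host: server1_domain1" and server1 answers
        # with its default_server (the "Welcome to nginx" page), not domain1.
        proxy_set_header Host $host;
        # Carry the visitor's address; otherwise server1's logs and limit_req
        # see every request as coming from server2.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# server1 (origin): /etc/nginx/sites-available/domain1, server-level additions
server {
    listen 80;
    server_name domain1.com www.domain1.com;
    root /var/www/html/domain1.com;
    # Restore the visitor's address from X-Real-IP, but trust that header
    # only on connections that really come from server2.
    set_real_ip_from SERVER2_IP;       # placeholder for server2's address
    real_ip_header X-Real-IP;
    # Hiding server1 only works if it refuses everyone but server2. allow/deny
    # cannot be used here: realip has already replaced $remote_addr with the
    # visitor's address, so compare the TCP peer ($realip_remote_addr,
    # nginx 1.9.7+). A host firewall rule is the stronger control.
    if ($realip_remote_addr != SERVER2_IP) {
        return 444;
    }
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

# server1: requests to the bare IP get the connection closed (444) instead of
# the welcome page, so a scanner that reaches it learns nothing about domain1.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

Run `nginx -t` on both hosts after editing, then confirm from server1's access log that $remote_addr shows the visitor rather than SERVER2_IP.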