
Nginx Reverse Proxy

Running CloakProbe behind Nginx provides TLS termination, load balancing, and an additional layer between the internet and the application.

Internet → Cloudflare → Nginx (443) → CloakProbe (127.0.0.1:8080)

CloakProbe binds to localhost only; Nginx is the only process that accepts external connections, and it forwards requests to CloakProbe over the loopback interface.

  1. Install Nginx

    sudo apt update
    sudo apt install nginx
  2. Create site configuration

    sudo nano /etc/nginx/conf.d/cloakprobe.conf
  3. Add configuration

    upstream cloakprobe {
        server 127.0.0.1:8080;
        keepalive 32;
    }

    server {
        listen 80;
        server_name ip.example.com;
        # Redirect HTTP to HTTPS
        return 301 https://$host$request_uri;
    }

    server {
        # nginx 1.25.1+ deprecates the http2 listen parameter in favour of
        # "listen 443 ssl;" plus a separate "http2 on;"; the form below still works
        listen 443 ssl http2;
        server_name ip.example.com;
        # SSL certificates
        ssl_certificate /etc/letsencrypt/live/ip.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ip.example.com/privkey.pem;
        # SSL settings (ssl_ciphers applies to TLS 1.2; TLS 1.3 suites are fixed by OpenSSL)
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1d;
        # Disable logging for privacy
        access_log off;
        error_log /dev/null crit;
        location / {
            proxy_pass http://cloakprobe;
            # Proxy headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Pass through Cloudflare headers (an empty value drops the header).
            # These are only trustworthy if this port is reachable solely via Cloudflare.
            proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
            proxy_set_header CF-Ray $http_cf_ray;
            proxy_set_header CF-IPCountry $http_cf_ipcountry;
            proxy_set_header CF-Visitor $http_cf_visitor;
            # Timeouts
            proxy_connect_timeout 5s;
            proxy_send_timeout 10s;
            proxy_read_timeout 10s;
            # HTTP/1.1 for keepalive
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
  4. Test and reload

    sudo nginx -t
    sudo systemctl reload nginx
Upstream block

upstream cloakprobe {
    server 127.0.0.1:8080;
    keepalive 32;
}
  • Defines the backend server
  • keepalive 32 keeps up to 32 idle connections to the backend open per worker, avoiding a new TCP handshake per request
Client IP headers

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
  • X-Real-IP: the address of the TCP peer Nginx accepted the connection from (a Cloudflare edge address when the request is proxied)
  • X-Forwarded-For: the chain of addresses through the proxies, with the peer address appended by Nginx
  • CF-Connecting-IP: the real client address, as reported by Cloudflare

CloakProbe prioritizes CF-Connecting-IP when available. Nginx forwards a client's request headers by default, so these lines mainly make the pass-through explicit (and drop the header when the variable is empty); they do not validate it. That matters: the value is trusted exactly as received, so anyone who can reach port 443 directly instead of through Cloudflare can send their own CF-Connecting-IP and choose the address CloakProbe reports. Restrict 443 at the firewall to Cloudflare's published ranges, or have Nginx blank the header for any peer outside those ranges.
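The trust rule described above only holds when the TCP peer really is Cloudflare. The following added example, which is not part of CloakProbe or its documentation, mirrors that decision in shell and generates an Nginx geo/map pair that blanks CF-Connecting-IP for any peer outside the Cloudflare ranges; pair its output with proxy_set_header CF-Connecting-IP $cf_connecting_ip; in the location block, since Nginx does not forward a header whose value is empty. The ranges in CF_RANGES are a constructed sample, and the function names and the $cf_peer / $cf_connecting_ip variables are this example's own choices.

```shell
#!/bin/sh
# Added example (not CloakProbe's own tooling): decide which client IP to
# trust, and emit an Nginx snippet that enforces the same rule.
set -eu

# Constructed sample of Cloudflare egress ranges. On a real host, replace with
# the current published list (https://www.cloudflare.com/ips-v4) and also
# handle the IPv6 list, which this IPv4-only helper does not cover.
CF_RANGES="173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
141.101.64.0/18"

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> status 0 if ADDR lies inside NET/BITS
in_cidr() {
  addr=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# is_cloudflare ADDR -> status 0 if ADDR is in any Cloudflare range
is_cloudflare() {
  for r in $CF_RANGES; do
    in_cidr "$1" "$r" && return 0
  done
  return 1
}

# client_ip REMOTE_ADDR CF_CONNECTING_IP
# Prints the address the application should report: the header value only
# when the connection came from Cloudflare, otherwise the TCP peer itself.
client_ip() {
  if [ -n "$2" ] && is_cloudflare "$1"; then
    printf '%s\n' "$2"
  else
    printf '%s\n' "$1"
  fi
}

# cf_guard_conf -> Nginx http-context snippet implementing the same rule.
# $cf_peer is 1 for Cloudflare peers; $cf_connecting_ip carries the header
# value for them and is empty (so the header is not forwarded) for everyone else.
cf_guard_conf() {
  printf 'geo $cf_peer {\n    default 0;\n'
  for r in $CF_RANGES; do
    printf '    %s 1;\n' "$r"
  done
  printf '}\nmap $cf_peer $cf_connecting_ip {\n'
  printf '    1 $http_cf_connecting_ip;\n    default "";\n}\n'
}

cf_guard_conf
client_ip 173.245.48.10 198.51.100.7   # via Cloudflare: prints 198.51.100.7
client_ip 203.0.113.5 198.51.100.7     # direct peer: prints 203.0.113.5
```

The geo and map blocks belong in the http context (for example a file under /etc/nginx/conf.d/ loaded before cloakprobe.conf), and the list must be refreshed whenever Cloudflare changes its ranges; a firewall rule allowing 443 only from those ranges is the stronger control, because it also stops requests that spoof nothing but still bypass Cloudflare's filtering.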

Logging

access_log off;
error_log /dev/null crit;

For privacy, logging is disabled for this server block (the http-level defaults in nginx.conf still apply to any other server). Note that error_log /dev/null crit; also hides the upstream and TLS errors that would explain a 502 or a handshake failure; when debugging, point it at a file at the warn level, and remove access_log off; if you need request logs.

TLS certificates with Let's Encrypt

# Install certbot
sudo apt install certbot python3-certbot-nginx
# Get certificate
sudo certbot --nginx -d ip.example.com
# Auto-renewal is configured automatically (certbot's systemd timer)

Obtain the certificate before adding the 443 server block, otherwise nginx -t fails on the missing files under /etc/letsencrypt/live/ip.example.com. The --nginx plugin also edits the server block it finds, so review cloakprobe.conf afterwards, and confirm renewal is scheduled with systemctl list-timers 'certbot*'.

Cloudflare origin certificates

If using Cloudflare Full (strict) mode, a Cloudflare Origin CA certificate can be used instead of the Let's Encrypt one:

  1. In Cloudflare dashboard, go to SSL/TLS → Origin Server
  2. Click Create Certificate
  3. Generate a certificate for your domain
  4. Save the certificate and key to your server
  5. Update Nginx config to use these files

Origin CA certificates are trusted only by Cloudflare's edge, not by browsers, so the origin must never be reached directly; a publicly trusted certificate such as the Let's Encrypt one above also satisfies Full (strict).

Performance tuning

In /etc/nginx/nginx.conf, the events block controls connection handling (use epoll is selected automatically on Linux, so the line is explicit rather than necessary):

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
}

In the location block of cloakprobe.conf, response buffering lets Nginx release the upstream connection as soon as CloakProbe has answered. The first buffer must hold the complete response headers, so keep proxy_buffer_size above the largest header set CloakProbe returns (4k is ample for its short responses):

location / {
    # ... other settings ...
    proxy_buffering on;
    proxy_buffer_size 4k;
    proxy_buffers 8 4k;
}

Health check

Add a health check location for monitoring. It only reports that Nginx itself is up; probe CloakProbe's own /healthz through the proxy to check the backend. Set the type with default_type rather than add_header, which would append a second Content-Type header next to the default one:

location /nginx-health {
    access_log off;
    default_type text/plain;
    return 200 "healthy\n";
}

Load balancing

For load balancing multiple CloakProbe instances:

upstream cloakprobe {
    least_conn;
    server 127.0.0.1:8080 weight=5;
    server 127.0.0.1:8081 weight=5;
    server 192.168.1.10:8080 backup;
    keepalive 64;
}

The balancing method must precede keepalive, as here. A backup on another host (192.168.1.10) means that instance has to listen on its LAN address rather than 127.0.0.1, and the hop to it is plain HTTP carrying the forwarded client addresses, so restrict its port to the Nginx host at the firewall or keep it on a private network.

Troubleshooting

502 Bad Gateway: Nginx could not reach the upstream, usually because CloakProbe isn't running or isn't listening on 127.0.0.1:8080:

# Check if CloakProbe is running
sudo systemctl status cloakprobe
# Check if port is listening (the local address should be 127.0.0.1, not 0.0.0.0 or [::])
ss -tlnp | grep 8080
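To check the binding without eyeballing the ss output, here is an added helper that is not part of CloakProbe: it classifies how a port is bound from ss -tlnp lines, distinguishing a loopback-only socket from one that exposes CloakProbe (and its trust in CF-Connecting-IP) to anyone who can reach the host directly. The ss output below is a constructed sample, and the function name is this example's own.

```shell
#!/bin/sh
# Added example (not CloakProbe's own tooling): check that a port is bound
# to loopback only, from `ss -tlnp` output.
set -eu

# Constructed sample of `ss -tlnp` output: CloakProbe on loopback, Nginx public
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080     0.0.0.0:*         users:(("cloakprobe",pid=1234,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=900,fd=6))
LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=900,fd=8))'

# Constructed sample of a misconfigured host: CloakProbe reachable from anywhere
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("cloakprobe",pid=1234,fd=3))'

# listener_scope PORT  (reads `ss -tlnp` output on stdin)
# Prints "none" (nothing listens on PORT), "loopback" (127.0.0.1 / [::1] only)
# or "all" (at least one socket on a non-loopback or wildcard address).
listener_scope() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4
      p = $4; sub(/^.*:/, "", p)          # text after the last colon = port
      sub(/:[0-9]+$/, "", addr)           # drop ":PORT", keep the address
      if (p != port) next
      if (addr == "127.0.0.1" || addr == "[::1]") loop++
      else wide++
    }
    END {
      if (wide) print "all"
      else if (loop) print "loopback"
      else print "none"
    }'
}

# Live usage: ss -tlnp | listener_scope 8080
printf '%s\n' "$SAMPLE_OK" | listener_scope 8080        # loopback
printf '%s\n' "$SAMPLE_EXPOSED" | listener_scope 8080   # all
```

Anything other than "loopback" for 8080 means the reverse proxy can be bypassed and CloakProbe's bind address needs fixing before the Nginx side is worth tuning.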

504 Gateway Timeout: CloakProbe accepted the connection but did not answer within proxy_read_timeout. Increase the timeout values in the location block:

proxy_connect_timeout 30s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;

Connection errors: check that the backend answers from the Nginx host as the Nginx user, not only as root:

# Test connection as nginx user
sudo -u www-data curl http://127.0.0.1:8080/healthz

If this succeeds but Nginx still reports upstream errors, re-enable error_log for the server block and check any SELinux or AppArmor policy on the host, since the confinement applied to the nginx process is not reproduced by running curl as www-data.