Reverse Proxy VM (NGINX)

This virtual machine is the gateway of the Trash Panda ecosystem. It manages external access to internal services, handles SSL termination, and enforces secure routing policies. While it is internet-facing, its sole function is to run a reverse proxy and manage certificates. Proper VM design ensures reliable access and minimal exposure risk.

This page covers only the VM setup and deployment. NGINX configuration, CERTBOT setup, and site routing are covered in their own guide.

The Reverse Proxy VM:

• Routes inbound traffic to internal services
• Terminates SSL/TLS via CERTBOT
• Acts as the single point of entry for web-facing services
• Lives in the DMZ to isolate external access

By isolating this service into a dedicated VM, we:

• Reduce attack surface for exposed services
• Simplify troubleshooting and maintenance
• Ensure predictable performance for all proxy and certificate operations

This VM should operate quietly and securely mediate traffic between the internet and internal services.

• Ubuntu Server 24.04 LTS
• Minimal installation (no desktop environment)
• Automatic security updates enabled

Ubuntu LTS provides:

• Long-term security support
• Strong community documentation
• Stability for long-running, internet-facing services

This VM should run headless and be administered via SSH.

• 2 GB RAM (fixed allocation)

Why 2 GB?

• NGINX and CERTBOT are lightweight applications
• Memory headroom ensures stable operation under traffic bursts

Avoid memory overcommit to maintain responsiveness for web requests.

• 2 vCPUs

Traffic handling is:

• Burst-oriented rather than sustained
• Light on raw compute
• Sensitive to latency

Two vCPUs provide sufficient parallelism for proxy and certificate tasks.

• 30 GB virtual disk
• Thin provisioned (recommended)

This storage is used for:

• OS and system packages
• NGINX installation and configuration
• SSL certificates, logs, and temporary files

No media or user data is stored here. This VM’s sole purpose is proxying and certificate management.

This VM requires one network interface, optimized for controlled exposure.

Purpose:

• Serve as the entry point for inbound web traffic
• Outbound access for CERTBOT and updates
• Communicate with internal services behind the proxy

Characteristics:

• Standard MTU (1500)
• Routed through firewall
• Static IP recommended

Placing the VM in the DMZ ensures:

• Isolation from internal LAN services
• Minimal attack surface
• Controlled, secure access to exposed services

Assuming VMware Workstation Pro 17:

• Attach a single virtual network adapter
• Bind to the physical NIC connected to the DMZ VLAN
• Disable unnecessary virtual hardware (sound, USB, etc.)
• Use VMXNET3 adapters for best performance

Do not connect this VM to the Primary LAN VLAN.

This VM is designed to be:

• Quiet
• Predictable
• Disposable if needed
• Easy to rebuild

If it ever fails, you should be able to:
1. Recreate the VM
2. Restore NGINX configuration and SSL certificates
3. Resume secure proxy operations

No irreplaceable data should live on the VM itself.

Once the VM is deployed and reachable:

• Install and configure NGINX (native to OS)
• Configure CERTBOT and SSL certificate automation
• Integrate with internal services and firewall rules
• Configure backups and monitoring

Each of these topics is covered in their respective guides.

A well-configured Reverse Proxy VM keeps services accessible and secure without fuss.