2 server, 2 certbots, same IP, nginx, proxy redirect

Setup:

Two server in a home network
Same public IP adress
Server 1 with nginx, Server 2 with apache

Aim:

Both server create ssl certificates, server 1 for domain 1, server 2 for domain 2
Router redirects all traffic to Server 1
Server 1 redirects all traffic for domain 2 to server 2

What I tried:

entries in nginx.conf adapted

Problem: When trying to connect to domain 2, error message “SSL_ERROR_BAD_CERT_DOMAIN”

content of nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        server {
                listen 80;
                server_name huntworker.ddns.net;
                return 301 https://$host$request_uri;
        }

        server {
                listen 80;
                listen 443;
                server_name bardhome.de;

                location / {
                        proxy_pass 192.168.101;
                        proxy_buffering off;
                        proxy_set_header X-Real-IP $remote_addr;
                }
        }

        server {
               listen 80 default_server;
                listen 443 ssl;
                listen [::]:80 default_server;


                ssl_certificate         /etc/letsencrypt/live/huntworker.ddns.net/fullchain.pem;
                ssl_certificate_key     /etc/letsencrypt/live/huntworker.ddns.net/privkey.pem;

                server_name _;

                location / {
                        proxy_pass http://192.168.178.2:81/;
                        proxy_buffering off;
                        proxy_set_header X-Real-IP $remote_addr;
                }

       }

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bardhome.de, huntworker.ddns.net

I ran this command:

It produced this output:

My web server is (include version): nxing (server 1), apache (server 2)

The operating system my web server runs on is (include version): Debian Buster

My hosting provider, if applicable, is: none, self-hostet

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

1 Like

Hi @Simon2020

your config is buggy.

Don’t mix port 80 and 443 in one vHost. Create 4 different vHosts.

There is only one certificate defined, so that certificate is always used -> that’s your error.

There

D:\temp>download http://huntworker.ddns.net/ -h
SystemDefault
Connection: keep-alive
Content-Length: 194
Content-Type: text/html
Date: Tue, 30 Jun 2020 11:02:24 GMT
Location: https://huntworker.ddns.net/
Server: nginx/1.14.0 (Ubuntu)

Status: 301 MovedPermanently

21,23 seconds

you see a hidden bug: http + huntworker.ddns.net has a timeout (20 seconds), then the default server answers -->> defining default servers --> debugging is harder.

2 Likes

@JuergenAuer

Thank you very much for the hints.

On server2 (192.168.178.8) there is also a certbot running to provide the certificate for bardhome.de.

I modified it that way, but when accessing huntworker.ddns.net I get a PR_END_OF_FILE_ERROR, bardhome.de ist not reachable at all. Have you any hints what I could do?

root@reverseProxy:~# nano /etc/nginx/nginx.conf
  GNU nano 2.9.3                                    /etc/nginx/nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

#stream {
#       server {
#               listen 443;
#               proxy_ssl on;
#               server_name .bardhome.de;
#               location / {
#                       proxy_pass https://192.168.178.101;
#               }
#       }
#
#}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
   ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javas$

    ##
    # Virtual Host Configs
    ##

    server {
            listen 80;
            server_name huntworker.ddns.net;
            return 301 https://$host$request_uri;
    }

    server {
            listen 80;
            server_name .bardhome.de bardhome.spdns.de;

            return 301 192.168.178.8;
    }

    server {
            listen 443;
            server_name .bardhome.de bardhome.spnds.de;
            return 301 192.168.178.8:443;

#                location / {
#                      proxy_pass https://192.168.101/;
#                       proxy_buffering off;
#                       proxy_ssl_server_name on;
#                       proxy_set_header X-Real-IP $remote_addr;
#                }
#
#       }

        server {
                listen 80 default_server;
                listen 443 ssl;
                listen [::]:80 default_server;


                ssl_certificate         /etc/letsencrypt/live/huntworker.ddns.net/fullchain.pem;
                ssl_certificate_key     /etc/letsencrypt/live/huntworker.ddns.net/privkey.pem;

                server_name _;

                location / {
                        proxy_pass http://192.168.178.2:81/;
                        proxy_buffering off;
                        proxy_set_header X-Real-IP $remote_addr;
                }

                location /pv {
                        proxy_pass http://192.168.178.7/;
                        proxy_buffering off;
                        proxy_set_header X-Real-IP $remote_addr;
                }
        }

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
1 Like

I tried to make it clearer with the picture:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.