Beginners Guide to nginx reverse proxy + several different webservers all secured


#1

Hey guys.

I am very new to nginx and let’s encrypt. I would like to run several webservers (ie owncloud, nextcloud, trial horizon view) but of course there is the port issue. So I set up a reverse proxy to solve this problem.

My current setup is as follows:

P.Q.100.50 = Proxy
P.Q.50.101 = web01
P.Q.50.102 = web02

The setup works with self signed certificates, but now I’d like to use let’s encrypt without manually updating several locations.

This is the server block to proxy traffic to web01:


server {
        listen 443 ssl;

        server_name web01.pete.no;

        ssl_certificate /etc/nginx/ssl/web01.pete.local.trusted.crt;
        ssl_certificate_key /etc/nginx/ssl/web01.pete.local.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        location / {
                proxy_pass https://P.Q.50.101;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    
}

The same config with different IP and Server name as well as the different cert has been applied for web02.

Config of the web01 server

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        root /var/www/html;

        #SSL Config
        ssl_certificate /etc/nginx/ssl/web01.pete.local.trusted.crt;
        ssl_certificate_key /etc/nginx/ssl/web01.pete.local.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name web01.pete.no;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}

How could I configure this now, so that the acme challenge succeeds and that both certificate locations are updated?
My issue is that as far as I understand, let’s encrypt needs a directory that it can write to. If I add the well known location block on my web01 server, would that be enough? how would I update the cert of the proxy, or do i not need a cert on there at all?

I realize this is a noobish question and in part concerns nginx rather than let’s encrypt, but I was hoping for all-in-one answer maybe?

Thanks in advance!


#2

if your proxy has SSL configured you shouldn’t need to have SSL configured on your backed servers

you can use BASH scripts to copy the files over using the HOOKS syntax :smiley:


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.