Hey guys.
I am very new to nginx and Let's Encrypt. I would like to run several web servers (i.e. ownCloud, Nextcloud, trial Horizon View), but of course there is the port issue. So I set up a reverse proxy to solve this problem.
My current setup is as follows:
P.Q.100.50 = Proxy
P.Q.50.101 = web01
P.Q.50.102 = web02
The setup works with self-signed certificates, but now I'd like to use Let's Encrypt without manually updating several locations.
This is the server block to proxy traffic to web01:
server {
    listen 443 ssl;
    server_name web01.pete.no;

    # Self-signed cert currently presented to clients by the proxy
    ssl_certificate /etc/nginx/ssl/web01.pete.local.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/web01.pete.local.key;
    # TLSv1 and TLSv1.1 are deprecated; kept here as posted
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        # Backend is TLS with its own self-signed cert; nginx does not
        # verify the upstream certificate unless proxy_ssl_verify is on
        proxy_pass https://P.Q.50.101;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
The same config, with a different IP, server name and certificate, has been applied for web02.
Config of the web01 server:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /var/www/html;

    # SSL config (self-signed cert, same files as on the proxy)
    ssl_certificate /etc/nginx/ssl/web01.pete.local.trusted.crt;
    ssl_certificate_key /etc/nginx/ssl/web01.pete.local.key;
    # TLSv1 and TLSv1.1 are deprecated; kept here as posted
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name web01.pete.no;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
How could I configure this now so that the ACME challenge succeeds and both certificate locations are updated?
My issue is that, as far as I understand, Let's Encrypt needs a directory that it can write to. If I add the well-known location block on my web01 server, would that be enough? How would I update the cert of the proxy, or do I not need a cert on there at all?
I realize this is a noobish question and in part concerns nginx rather than Let's Encrypt, but I was hoping for an all-in-one answer maybe?
Thanks in advance!
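An added example, not part of the original post or of any reply to it: the HTTP-01 challenge is fetched by the CA over plain HTTP on port 80 from whatever host web01.pete.no resolves to, which in the setup above is the proxy, so that is where the ACME webroot and the certbot client belong, not web01. The script below renders the two proxy server blocks for one hostname (port 80 answering /.well-known/acme-challenge/ from a local webroot and redirecting the rest, port 443 terminating TLS with the Let's Encrypt files and proxying to the backend), issues the certificate with certbot in webroot mode, and acts as certbot's deploy hook, which copies the renewed cert to each backend over ssh and reloads nginx on both ends. The webroot /var/www/acme, the install path /usr/local/sbin/push-cert.sh, the backend cert directory /etc/nginx/ssl, root ssh access to the backends and the Debian CA bundle path are assumptions for illustration; the certbot flags and the RENEWED_LINEAGE variable are real.

```shell
#!/bin/sh
# push-cert.sh: added example for terminating TLS on the proxy, answering
# HTTP-01 there, and pushing renewed certs to the backends from a certbot
# deploy hook. Paths and hosts below are assumptions, not the poster's setup.

# Directory on the proxy that `certbot --webroot` writes challenge tokens into.
ACME_WEBROOT="${ACME_WEBROOT:-/var/www/acme}"
# Backends from the post; use user@host if you do not ssh in as root.
BACKENDS="${BACKENDS:-P.Q.50.101 P.Q.50.102}"

# Print the proxy's two server blocks for domain $1 proxying to backend IP $2.
render_proxy_blocks() {
  domain="$1"; backend_ip="$2"
  cat <<EOF
# --- ${domain}: HTTP, answers HTTP-01 and redirects everything else ---
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};

    # The CA requests http://${domain}/.well-known/acme-challenge/<token>.
    # ^~ makes this prefix win over regex locations; with root, the file is
    # read from ${ACME_WEBROOT}/.well-known/acme-challenge/<token>, which is
    # exactly where certbot --webroot puts it.
    location ^~ /.well-known/acme-challenge/ {
        root ${ACME_WEBROOT};
        default_type text/plain;
    }

    location / {
        return 301 https://\$host\$request_uri;
    }
}

# --- ${domain}: TLS terminated on the proxy with the Let's Encrypt cert ---
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};

    # certbot keeps the current files under /etc/letsencrypt/live/<name>/
    ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # drop TLSv1.3 on nginx older than 1.13
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass https://${backend_ip};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # nginx does not verify the upstream cert by default. Once the deploy
        # hook has pushed the Let's Encrypt cert to the backend, this makes
        # the proxy -> backend hop verified too (assumed Debian CA bundle path).
        proxy_ssl_server_name on;
        proxy_ssl_name ${domain};
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
EOF
}

# Issue the certificate from the proxy. certbot writes the token under
# $ACME_WEBROOT, the CA fetches it on port 80, and --deploy-hook runs this
# script again after every successful issuance or renewal.
issue_cert() {
  certbot certonly --webroot -w "$ACME_WEBROOT" -d "$1" \
    --deploy-hook "/usr/local/sbin/push-cert.sh deploy"
}

# Deploy hook: certbot sets RENEWED_LINEAGE to /etc/letsencrypt/live/<name>.
# Copy cert and key to each backend, fix key permissions, reload nginx there,
# then reload the proxy. COPY_CMD/SSH_CMD/LOCAL_RELOAD are overridable so the
# hook can be exercised without network access.
deploy_hook() {
  lineage="${RENEWED_LINEAGE:?set by certbot}"
  dest="${BACKEND_CERT_DIR:-/etc/nginx/ssl}"
  for host in $BACKENDS; do
    ${COPY_CMD:-scp} "$lineage/fullchain.pem" "$host:$dest/fullchain.pem"
    ${COPY_CMD:-scp} "$lineage/privkey.pem" "$host:$dest/privkey.pem"
    ${SSH_CMD:-ssh} "$host" "chmod 600 $dest/privkey.pem && nginx -s reload"
  done
  ${LOCAL_RELOAD:-nginx -s reload}
}

# Stand-alone use:
#   push-cert.sh render web01.pete.no P.Q.50.101 > /etc/nginx/conf.d/web01.conf
#   push-cert.sh issue web01.pete.no
# certbot itself runs `push-cert.sh deploy` on renewal.
case "${1:-}" in
  render) render_proxy_blocks "$2" "$3" ;;
  issue)  issue_cert "$2" ;;
  deploy) deploy_hook ;;
esac
```

Once the hook has pushed the files, point the backend's ssl_certificate and ssl_certificate_key at $dest/fullchain.pem and $dest/privkey.pem so web01 and web02 serve the same Let's Encrypt cert the proxy does; until then the backends can keep their self-signed certs, but leave proxy_ssl_verify off in that case. Repeat the render step for web02.pete.no with P.Q.50.102, and issue one certificate per hostname (or one with several -d flags).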