Certificate error with two servers at the same IP

Right, so it doesn't look like that bookstack VM is running HTTPS.

What happens if you just proxy_pass that VM using http://, instead of https://?

results in....

> curl: (7) Failed to connect to bookstack.s7.org port 443: Connection refused

Do you really need HTTPS within your local network?

Can you just HTTPS to the proxy then it uses HTTP to the VM?

I admire the effort going into this but personally I'd use DNS validation instead of http validation, that way you can issue certs for any fully qualified hostname (any of your home servers etc) regardless of whether it's a working web server or not.


[takes the easy way out - LOL]


I need HTTPS when outside home (I'm traveling half the month).

Regarding #1, I'm going to try to set up a simple index.php and see if I can get it working with the simplest of setups...

I read something vague about it but found no procedure for it. Am I to understand that I would place a string into a TEXT type DNS record for that domain? I can certainly do that since I own the domain.

But, I would still need rg305's reverse proxy in any case, right? I'm doing this from home so it's a number of LAMP virtual machines with their own internal IPs behind a residential cable modem/router.

Ok so here's where I am....

  • 192.168.1.224 is now set up with only Apache.
  • I can access 192.168.1.224 internally via HTTP and via 127.0.0.1 also via HTTP.
  • When I try to access via domain/proxy at http://bookstack.s7.org, I get:
    "502 Bad Gateway
    nginx/1.18.0 (Ubuntu)"

It must be something wrong with the proxy at this point?

You would need to "override" the external DNS resolution for bookstack.s7.org with your internal IP address (192.168.1.224?).
That can be done in various ways:

  1. modify the hosts file in each local system that needs to access that system
    in Windows that's %windir%\system32\drivers\etc\hosts
    in Linux that's /etc/hosts
  2. use "split-DNS"
    have all the internal systems use an internal DNS server which resolves the hostname locally
  3. use a router that allows internal systems to be reached via their external IPs
    ["NAT Hairpinning" (that's what it is called)]

_AZ, I have a reference Ubuntu + Apache set up now. I can access it internally but I get

502 Bad Gateway

nginx/1.18.0 (Ubuntu)

from bookstack.s7.org. If two domains work behind the proxy, why would it be throwing this 502 error for a 3rd domain? The other domains are s7.org and mno.org (real domain names protected) and they properly work with HTTPS. In the case of bookstack.s7.org, I want to get it going through the proxy via HTTP first, then I'll add Let's Encrypt afterwards.

Additionally:
Global DNS can't resolve "bookstack.s7.org"

s7 is not the real domain. I was trying to prevent creating a security vulnerability by giving it attention on forums. The real domain does resolve properly and the main domain s7.org, has an active LAMP server with HTTPS hosted from my house, from behind AZ's proxy set up, and it works perfectly.

OOOH!!!!
[that explains it]

Ok... made some major progress on that 502 Bad Gateway error. The DNS entry had a CNAME for the primary domain s7.org but not for bookstack.s7.org. So I added a CNAME DNS record bookstack --> CNAME --> s7.org and NOW it comes up as HTTP. I verified it from various browsers on different networks. So the reverse proxy is working fine.

EDIT: to be clear... the DNS entry had an A NAME record pointing to the s7.org and bookstack.s7.org domain but evidently you also need a CNAME.

Next step is seeing if I can make it HTTPS.

Further good news...
I ran certbot on the NGINX proxy server per the instructions at the top of this thread... works perfectly. I didn't do any HTTPS activity to the actual bookstack server.

So, if you want to run multiple servers with different addresses (e.g. https://server1.mydomain.com, https://server2.mydomain.com, https://server3.mydomain.com, ...), then each serverXYZ.mydomain.com needs to have its own CNAME DNS entry.

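As an added illustration of the setup the thread converges on (TLS terminated at the nginx proxy, plain HTTP onward to the VM), here is an nginx server block written for this thread, not taken from any post in it. It assumes certbot's nginx plugin was run on the proxy host so the certificate lives under the standard /etc/letsencrypt/live/ path, and that 192.168.1.224 is the VM's internal address as stated above.

```nginx
# Added example, not from the thread. Assumptions: certbot --nginx already
# issued the certificate on the proxy host; the backend VM serves plain HTTP.

# Port 80: certbot's nginx plugin temporarily inserts the HTTP-01 challenge
# location here during renewal, so the blanket redirect is safe.
server {
    listen 80;
    server_name bookstack.s7.org;
    return 301 https://$host$request_uri;
}

# Port 443: browsers see a valid Let's Encrypt certificate here. Only the
# proxy holds the private key; the VM never needs one.
server {
    listen 443 ssl;
    server_name bookstack.s7.org;

    ssl_certificate     /etc/letsencrypt/live/bookstack.s7.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bookstack.s7.org/privkey.pem;

    location / {
        # http://, not https://: the VM listens on port 80 only, and a
        # proxy_pass to https://192.168.1.224 would fail on port 443
        # exactly like the "Connection refused" curl output above.
        proxy_pass http://192.168.1.224;

        # Pass the original hostname and the fact that the client used TLS,
        # so the application builds https:// links instead of http:// ones.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

If the proxy cannot reach 192.168.1.224 on port 80 at all, nginx answers the client with the same 502 Bad Gateway seen earlier in the thread, so checking `curl -I http://192.168.1.224` from the proxy host is the first thing to verify after adding this block.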

This statement needs more words or better ones:

"A NAME" records point to IPs not other names...