I am very new to using reverse proxies. Therefore I need some background knowledge.
I have 2 servers running behind my router. Both use different ports, and for cert renewal I change the ports to 80 and/or 443 depending on requirements.
Now I want to add a reverse proxy. So can I keep the cert renewal process and SSL config on each server and just add the reverse proxy, or MUST the reverse proxy take care of the cert handling?
It depends on which ports will be handled by the reverse proxy.
If only port 80, then that can be proxied quite easily.
If port 443 will be proxied, then the proxy may have to terminate the TLS connections before it can proxy them correctly to their respective servers. As such, the proxy would need to have a valid cert for those names.
That said, those certs could be shared with the downstream servers and they too can use them.
I need to proxy 443 and want to redirect requests on port 80 to https. Does that mean it is better or easier to let the proxy handle the issuing of certs and remove the SSL config from the configuration of the servers behind the proxy?
Yes, if your reverse proxy is answering https requests for your services, it will normally handle the ssl stuff (terminate ssl): see TLS termination proxy - Wikipedia
Your back-end services can optionally also use TLS (ssl), but the client browser is directly interacting with the proxy only. [This is also a particularly useful setup if your backend services are running in docker on a variety of ports]
One question is left, and I know it might not be an LE issue. I have installed a proxy for test purposes. I ran Certbot and it managed my nginx configuration as expected. Here it is:
server {
    server_name nc.pc-fee.com;

    location / {
        proxy_pass http://10.0.0.3;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    client_max_body_size 0;

    # SSL config managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/nc.pc-fee.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/nc.pc-fee.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Nextcloud service redirect as described in here:
    # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
    location /.well-known/carddav {
        return 301 $scheme://$host/remote.php/dav;
    }
    location /.well-known/caldav {
        return 301 $scheme://$host/remote.php/dav;
    }
}

server {
    if ($host = nc.pc-fee.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name nc.pc-fee.com;
    listen 80;
    return 404; # managed by Certbot
}
Now I thought all http calls would be redirected to https, but it is still possible to call the page via http and it is delivered via http. Any idea what is causing this?
It looks to me like it's redirecting properly—do you maybe have a browser with a cached connection with no redirect? Maybe you would see something different after restarting the browser?
Well, I tried with Edge and Chrome, and both of them had been cleaned beforehand and restarted afterwards. You can try it yourself: http://nc.pc-fee.com
Any idea why the redirect is not working? I am working from Egypt this week. Might this be a reason? Some testers in Germany confirmed that the redirect is working properly at their end.
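As an added example (not part of the thread and not Certbot's or nginx's own tooling), here is a small Python probe that asks the front end on port 80 for the page without following redirects and classifies what comes back, so the check can be repeated from different networks. It assumes the host name from the posted config, nc.pc-fee.com, and the behaviour that config produces: a 301 to https when the Host header matches, a 404 otherwise.

```python
"""Probe an HTTP front end and report whether plain-HTTP requests are
redirected to HTTPS.  Added example; the host name is the one from the
posted nginx config and is only an assumption about the reader's setup."""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


def classify_redirect(status, headers, expected_host):
    """Classify one response as:
    'redirect-to-https'  -> what the posted config is meant to do
    'redirect-elsewhere' -> a redirect, but not to https on the same host
    'served-over-http'   -> the page was delivered over plain HTTP
    'not-found'          -> nginx hit the 'return 404' default (Host mismatch)
    """
    if status in REDIRECT_CODES:
        parts = urlsplit(headers.get("Location", ""))
        if parts.scheme == "https" and parts.hostname == expected_host:
            return "redirect-to-https"
        return "redirect-elsewhere"
    if status == 404:
        return "not-found"
    if 200 <= status < 300:
        return "served-over-http"
    return "other"


def probe(host, path="/", connect_to=None, timeout=10):
    """Send a single GET over port 80 and return (status, headers).
    connect_to lets you open the TCP connection to an IP address while
    still sending the real Host header, which separates DNS or intermediary
    effects from the nginx configuration itself."""
    conn = http.client.HTTPConnection(connect_to or host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        resp.read()  # drain the body; only status and headers matter here
        return resp.status, {k.title(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


if __name__ == "__main__":
    host = "nc.pc-fee.com"  # assumed from the posted config
    status, headers = probe(host)
    print(status, classify_redirect(status, headers, host))
    # A Via header means something between you and nginx handled the request.
    if "Via" in headers:
        print("passed through an intermediary:", headers["Via"])
```

Run it from the network where the redirect seems to fail and from one where it works; differing results for the same Host header, or a Via header on one side only, point at the path between client and proxy rather than at the nginx config.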