We have a raspberry where nginx is installed in docker and used as a reverse proxy. The second host has a service for which you need to get an ssl certificate. How to do this correctly? I will add everything you need. I just don't know what to post.
@Lyuasasel, welcome to the community!
I beleive that the backend server behind reverse proxy running nginx on the raspberry PI is on the same network. If this is the case, HTTP may be even enough, you do not need HTTPS for the backend connection.
1 Like
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Also please see:
That said, Docker could complicate things. I personally don't have much experience with it.
2 Likes
The service located on the second host requires an ssl certificate. The reverse proxy settings contain the following lines:
listen 443 ssl;
listen [::]:443 ssl;
You're going to have a DNS issue:
- the Internet is routed to the proxy
- the internal network(s) needs to see the server via the name on the cert
So, you will need to override the DNS [for the internal network(s)].
And you will need to do one of:
-
proxy the HTTP challenge to the server [so it can get its' own cert]
[this won't allow the proxy to establish secure connections from the Internet for that name] -
obtain the cert at the proxy and use it there [for inbound connections from the Internet]
and also copy it to the server [for secure local connections]
The second option would be recommended [if you plan on having secure connections to that name from the Internet].
2 Likes
configuration file nginx
Summary
server {
listen 80;
listen [::]:80;
server_name xxx.exemple.com;
}
location / {
proxy_pass http://192.168.1.19:3333/;
}
}
when accessed from the Internet at xxx.example.com, the service page opens. But for its full functioning, you need to obtain a certificate. I don't know how to do it correctly through a reverse proxy.
Get it on the reverse proxy
Ok, get a cert there.
Then only proxy the secure connections.
1 Like
What is the correct way?
I'm running docker nginx, with the configuration shown above
"correct" is subjective.
There are many ways to achieve a desirable outcome.
[i.e. There is no wrong way - so long as it solves the problem]
3 Likes