How to get certs for a NGINX reversed proxy

Hello, I found many pages describing how to use Certbot for an NGINX webserver. But I can not find anything about how to install an SSL certificate on a Reversed Proxy server (running NGINX). The NGINX Proxy runs on Debian 10 (on a Raspberry 4). Behind the proxy are several Wordpress servers (also on NGINX) running smoothly behind the proxy (without SSL).

The proxy itself should have a domain name to get a certificate. On the other hand it’s a proxy (not running a webserver). So should I choose a domain of one of the Wordpress servers behind the proxy? Or should I give the proxy a ‘dummy’ domain name, pointing only to the IP address

Please help. I don’t understand how I can set up secure Wordpress servers behind my proxy. I understand that if the client-proxy connection is secure all servers behind the proxy also show up as an SSL connection. I hope that’s true, but I still remain with the question how to install this configuration…?

Thank you for your help.

Arjan555

That’s not true.
If you secure the proxy, you are only securing the connection between clients and the proxy server. Connections between proxy and the backend remain unencrypted.

Did you configure virtual hosts on that reverse proxy for each domain name? If so, you can obtain a certificate on your proxy by catching the .well-known folder for your server.

   location /.well-known {
        alias /var/www/validation/;
   }

This is what I used to catch Let’s Encrypt validations from the proxy server.
If you use this, all requests for $your_domain/.well-known/ made to your proxy server will ends up looking for files under /var/www/validation/. For example, example.com/.well-known/acme-challenge/xxx234 will go to /var/www/validation/acme-challenge/xxx234 instead of your backend servers.

Please also keep in mind that this will prevent your backend server from receiving any Let’s Encrypt validation requests, so if you also want to obtain a certificate for your backend servers, you’ll need to use either DNS-01 validation or also place the files to your proxy server.

P.S. If those servers are in an internal network, you can try to secure connections between backend and proxy by making your own CA and certificates.

Thank you

Thank you Stevenzhu,

I know that if I secure the proxy the connection to the backend remains insecure.
However, with a secured proxy the connection to a backend webserver looks secure from a client perspective.
Right?

Each domain name has a virtual host indeed.
The proxy uses the C-name of a domain to redirect to the right host.

The part I don’t understand is how I obtain a certificate for my proxy? What command should I use?
Should I still have a domain name dor the proxy or is an IP dress sufficient?
I read about the .well-known folder but I did not understand its relation with Let’s Encrypt validations
I’ll google and see if I can find some best install practises or guides. Recommendations to read that will help me are welcomed.

Thank you once again!

You have 2 choices:

1- Terminate SSL on the NGINX Reverse Proxy. The proxy server will obtain the certs and can speak http or https to the backend servers. To do that, run certbot on the reverse proxy server for each domain.

2- Pass-through SSL on the NGINX Reverse Proxy. To do that, run certbot on the servers behind the proxy. Each server will need a certificate for every domain it serves. The servers can share the same certificates - via networked filestore or something similar, but each will need to configure the cert.

1 Like

It’s just like how you would obtain a certificate on your web server. Use certbot or whichever client, just doing that on your proxy server instead of web server.

You can learn more about the well-known folder and http validation here: https://letsencrypt.org/docs/challenge-types/

But my proxy server does not have a domain name… thanks

Ok… If you don’t have a domain name, how does these websites being proxied?

You are not getting a certificate for your proxy server, you are getting a certificate for the domains(websites) that passthrough your proxy server. (Given that these domains are under your control or you have permission from owner to do so)

If you also don’t have a domain name for these websites, then you need to get one since Let’s Encrypt can’t issue certificates to IP addresses (for now, might change in the future)

Im still a bit mystified. The answers above do not seem very consistent to me.
Maybe I should ask my questions better:

  • I have several domain names registered, they all point with their A records to the same public-IP number
  • An NGINX proxy is configured, so all requests to the public IP-number are redirected to the appropriate webserver (using the CNAME).

Now I want to secure the client-proxy connection. Questions I have:
a) should I install a certificate on the proxy or on each of the webservers behind the proxy?
b) if I try to install a certificate on the proxy, Certbot asks me for which domain names I should activate HTTPS for. I select all. But in runs in an error with an invalid response during the ACME challenge for two of the 4 names. Does that make sense? There is no /var/www/validation folder created.

If I try to install a certificate on the webserver it runs in an error with an invalid response during the ACME challenge.

I read the documentation. But sadly I did not help me so far.

Yes. Any traffic between the webservers and the proxy would be unencrypted. If you want that to be encrypted as well, you could do that using a self-signed certificate on the webservers. As long as your reverse proxy trusts that cert, it will be fine–the clients will never see the self-signed cert.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.