Nginx reverse proxy ssl config

harry1 · October 3, 2020, 2:00am

Hi this is a more generic question on setting up letsencrypt with nginx in a reverse proxy configuration.

Ive a setup as follows:

we have a single dedicated IP and use DNS through a provider
internet -> router -> LAN ( server 1 + server 2)
the router handles port forwarding
we use nginx for web serving and proxying

server 1 is working properly with letsencrypt for virtual web servers on this machine

server 1 is also acting as a reverse proxy for virtual web servers on server 2

server 2 is working properly for virtual web servers without ssl

but having a problem implementing ssl for virtual web servers server 2

was able to get letsecnrypt to generate certificates using the DNS challenge for the virtual web server on server 2 but cannot find a configuration to work

from my limited understanding i think it relates to ssl termination at server 1 instead of server 2

may I have some guidance for the nginx configuration on server 1 and server 2 where server 1 is acting as a reverse proxy for server 2

_az · October 3, 2020, 2:10am

This is the key.

Server 1 can't proxy SSL connections to Server 2 (without some tricky SNI prereading hacks). Instead, Server 1 must terminate the SSL connection by itself.

If you wish to further encrypt the connection between Server 1 and Server 2, you can choose to do that, but that's a separate connection that the visitor does not see.

harry1 · October 3, 2020, 2:22am

thanks. so to be clear, without the SNI hacks it's not possible for nginx to proxy ssl connections.

could you suggest a methodology by which server 1 can still work as a reverse proxy to server 2 and server 2 can still run https?

_az · October 3, 2020, 2:31am

I guess I don't understand your objective here.

Let's say that you have these domains:

app1.server1.com
app2.server1.com
app1.server2.com
app2.server2.com

They all point to your home IP address, where ports 80 and 443 are port forwarded to Server 1.

On Server 1, you set up nginx so that it serves server1.com domains locally, and for server2.com domains, it proxies them via proxy_pass.

At this point, everything works without HTTPS.

Next up, on Server 1, you secure all of your domains (including those of Server 2) by running:

certbot --nginx -d app1.server1.com
certbot --nginx -d app1.server2.com
certbot --nginx -d app2.server1.com
certbot --nginx -d app2.server2.com

At this point, you can access all of your domains via HTTPS, and it will just work.

Now, I gather that you also want to issue certificates on Server 2. My question is: why? You can do it, but they will effectively go unused.

harry1 · October 3, 2020, 2:51am

I obtain certs for app1.server2.com (hosted on server 2) on server 1. check.
also it's unnecessary to obtain certs for server 2. check.

this is what I was using (which didn't work) for nginx app.1server2.conf on server 2:

ssl_certificate /etc/letsencrypt/live/app1.server2.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/app1.server2.com/privkey.pem;

server {
listen 80;

server_name app1.server2.com;
root /var/www/app1.server2.com;
index index.php index.html index.htm;

listen 443 ssl;

include /etc/letsencrypt/options-ssl-nginx.conf;

location / {
try_files $uri $uri/ /index.php?$args;
 }
}

as the certs are not needed on server 2 how would you suggest the .conf to work with ssl?

_az · October 3, 2020, 2:55am

On Server 2, all you need to do is listen on port 80. Anything related to SSL is unnecessary. So you can remove anything related to SSL.

Did you also configure Server 1's nginx to use the certificate you obtained (if it wasn't done automatically)?

So if you had:

server {
    listen 80;
    server_name app1.server2.com;
    location / {
        proxy_pass http://192.168.123.123;
    }
}

you would perhaps update it to:

server {
    listen 80;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/app1.server2.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app1.server2.com/privkey.pem;   
    include /etc/letsencrypt/options-ssl-nginx.conf; 
    server_name app1.server2.com;
    location / {
        proxy_pass http://192.168.123.123;
    }
}

OK, but didn't work in what way?

Share any error messages and screenshots.

harry1 · October 3, 2020, 3:05am

perfect, it now works. thank you very much for your help.

system · November 2, 2020, 3:05am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.