Proxy_pass nginx


#1

I have a nginx server used as a proxy server to multiple sites. I have one configuration file using proxy_pass to redirect traffic to a local ip of 192.168.1.166:
server {
    listen 80;
    listen [::]:80;

    root /var/www/blownup.space/html;

    index index.html index.htm index.nginx-debian.html;

    server_name blownup.space www.blownup.space;

    location / {
            proxy_pass http://192.168.1.166;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
    }
}


I installed Let's Encrypt using the command sudo certbot --nginx on 192.168.1.166 and have a configuration file:


server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/blownup.space/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/blownup.space/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    root /var/www/blownup.space;

    index index.html index.htm index.nginx-debian.html;

    server_name www.blownup.space blownup.space;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            # proxy_pass http://127.0.0.1:8080;
    }
}



server {
    listen 80 default_server;
    listen [::]:80 default_server;

    if ($host = www.blownup.space) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = blownup.space) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    root /var/www/blownup.space;

    index index.html index.htm index.nginx-debian.html;

    server_name www.blownup.space blownup.space;

    location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
            # proxy_pass http://127.0.0.1:8080;
    }
}

Do I need to run the command on the first machine also or only? And how do I run the command for a specific configuration file, not the default?


#2

I can’t get my head around your network setup.

Generally if you are running a proxy server for an internal network, you’ll only want to setup SSL/Certbot on the proxy server, not on the internal servers.


So in your instance I don’t think you actually want to be running Certbot on 192.168.1.166 - just listen on port 80 there.

And on your proxy server, issue SSL certificates for each of your proxied virtual hosts with e.g.:

certbot --nginx -d blownup.space -d www.blownup.space

#3

The first machine is passing all port 80 traffic to the second one.
So the second one can authenticate for itself.

Commands are specific to FQDNs.
Which should match up to individual vhost configs.

Based on this:

It seems you have already obtained certs on that second system.
You can review certs issued, the FQDNs covered, and their expiration dates easily with:
certbot certificates

So…
What problem remains?
Is the nginx also going to proxy port 443 traffic?
[that would require the nginx to terminate the SSL and thus also need matching certs]


#4

Basically I get a ‘page not found’ when going to https://blownup.space. I’ll try again this afternoon.


#5

I’m unable to connect to that IP via https.
[http works just fine]

Firewall?


#6

Yes, what I need to know is how to proxy port 443 traffic with Let's Encrypt. Can I just copy and paste the certificates to the proxy server and set the configuration the same? Or do I run Certbot on the proxy server? I do have port 443 open and directed to the proxy server from my router.


#7

Yes, but that would require manual intervention (or scripting the copy) every time it renews (between 60 to 90 days).

If the proxy server can run certbot, that could simplify things (a lot).

Unless more than one system needs a cert for the exact same name, then one will have to get it and then “share it” to the other.


#8

If you decide to run certbot on the proxy, you may have to do one of:

  • also route port 80 to the proxy [then proxy web requests to the web server]
  • accept port 80 requests and then redirect the challenge requests to port 443 (HTTP to HTTPS redirection)

Either way, LE would connect to the proxy when trying to validate certs.


#9

thanks, I’ll try it and get back to you


#10

It seems like I can have certbot certifications on the proxy server and redirect anything coming through the 443 port to the local server. However, is there a flag I can use with installing certbot for a specific configuration file? In this case /etc/nginx/sites-available/blownup.space


#11

Yes.

You can use the --nginx plugin which should try to parse the nginx config and update it accordingly to use https on the given config (covering the given domain/FQDN).
You can also specify which domain/FQDNs you want it to specifically address with
-d blownup.space -d www.blownup.space
[if the www also exists]

So a good place to start is:
certbot --nginx -d blownup.space
or
certbot --nginx -d blownup.space -d www.blownup.space
[whichever matches the server_name {list of name(s)} in the vhost config covering that name]

If that fails, reply with the exact command ran and the error message returned.
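Putting the advice in #2, #8 and #11 together, this is what the proxy's vhost looks like once TLS terminates on the proxy instead of on 192.168.1.166. It is an added example, not a config posted in the thread; it assumes the backend now serves plain HTTP on port 80 only, and that the certificate paths are the ones certbot --nginx writes for blownup.space (the same paths shown in #1).

```nginx
# Port 80: only needed for the ACME http-01 validation and for redirecting
# browsers to HTTPS. The redirect sits inside "location /" rather than at
# server level so that the temporary /.well-known/acme-challenge/ location
# certbot --nginx inserts during validation/renewal wins over it.
server {
    listen 80;
    listen [::]:80;
    server_name blownup.space www.blownup.space;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the proxy holds the certificate and private key; the backend
# never needs them, so nothing has to be copied at every renewal (#7).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name blownup.space www.blownup.space;

    ssl_certificate     /etc/letsencrypt/live/blownup.space/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blownup.space/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        # Backend is reachable only on the LAN, plain HTTP (assumed, per #2).
        proxy_pass http://192.168.1.166;
        proxy_http_version 1.1;
        proxy_set_header Host $host;

        # Without these the backend sees every request as plain HTTP coming
        # from the proxy's own address, which breaks logging, rate limiting
        # and any "is this connection secure?" checks in the application.
        proxy_set_header X-Real-IP        $remote_addr;
        proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade passthrough, carried over from the vhost in #1.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_cache_bypass $http_upgrade;
    }
}
```

After `certbot --nginx -d blownup.space -d www.blownup.space` has run on the proxy, `nginx -t` confirms the syntax and `certbot certificates` (from #3) shows which names the issued certificate covers and when it expires.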


#12

Thanks rg305, you definitely clarified things for me. Thanks for taking the time. I'll get back to you about this.


#13

You are awesome, that was it. I didn’t have to actually make any changes on the server with the files, only on the proxy server.
I ran the command you suggested on the server using proxy_pass:

certbot --nginx -d blownup.space

This was all I had to do, no further configuration. Thank you for helping me clean things up.


#14

:slight_smile: