reverse proxy with nginx ssl passthrough

Question

I have several ISS Webservers hosting multiple web applications on each IIS server. The do have a public certificate on each system. Every IIS has an unique IP. All IIS Server are placed in the same DMZ

I have setup an nginx System in another DMZ. My goal is, to have nginx handle all the requests to the IIS from the Internet and JUST passthrough all the SSL and certificates checking to the IIS. So as it was before nginx. I don't want to have nginx break up the certificates, or offloads them etc.

Before I try to rumble with nginx reverse proxy to get it done (since I'm not very familiar with nginx), my question would be, if this is possible?

Believe me I've googled times and times and could not find something which answers my question(s) Or maybe I'm too dumb google correctly. I've searched even for passthrough, or reverse proxy, offloading.

So far I've gathered, nginx needs probably some extra mods. Since I have a "apt-get" Installation, I don't even know how to add them.

Answer 1

nevermind I found the solution:

Issue:

1. Several Webservers with various applications on each are running behind a FW and responding only on Port 443
2. The Webservers have a wildcard Certificate, they are IIS Webservers(whoooho very brave), have public IP addresses on each
3. It is requested, that all webserver should not be exposed to the Internet and moved to a DMZ
4. Since IP4 addresses are short these days, it is not possible get more IPs addresses
5. Nginx should only passthrough the requests. No Certificate break, decrypt, re-encrypt between webserver and reverse proxy or whatsoever.

Solution:

1. All websservers should be moved to a internal DMZ
2. A single nginx reverse proxy should handle all requests based on the webservers DNS entries and map them. This will make the public IP4 address needs obsolete
3. All webservers would get a private IP
4. A wild certificate would be just fine to handle all aliases for DNS forwarding.

Steps to be done:

1. A single nginx RP should be placed on the external-DMZ.

2. Configure nginx: - Install nginx on a fully patched debian with apt-get install nginx. At this Point you'll get Version 1.14 for nginx. Of course you may compile it too

3. If you have installed nginx by the apt-get way, it will be configured with the following modules, which you will need later: ngx_stream_ssl_preread, ngx_stream_map, and stream. Don't worry, they are already in the package. You may check with nginx -V

4. external DNS Configuration: - all DNS request from the Internet should point the nginx.

E.g   webserver1.domain.com --> nginx
      webserver2.domain.com --> nginx
      webserver3.domain.com --> nginx

5. Configuration nginx reverse-proxy

• CD to /etc/nginx/modules-enabled
• vi a filename of your choice (e.g. passtru) Content of this file:

enter code here

stream {

  map $ssl_preread_server_name $name {
      webserver01.domain.com webserver01_backend;
      webserver02.domain.com webserver02_backend;
}

upstream support_backend {
    server 192.168.0.1:443; # or DNS Name
}

upstream intranet_backend {
    server 192.168.0.2:443;  # or DNS Name
}

log_format basic '$remote_addr [$time_local] '
             '$protocol $status $bytes_sent $bytes_received '
             '$session_time "$upstream_addr" '
             '"$upstream_bytes_sent" "$upstream_bytes_received" 
              "$upstream_connect_time"';

access_log /var/log/nginx/access.log basic;
error_log  /var/log/nginx/error.log;

server {
    listen 443;
    proxy_pass $name;   # Pass allrequests to the above defined variable container $name
    ssl_preread on;

 }
}

6. Unlink the default virtual webserver rm /etc/nginx/sites-enabled/default

7. Redirect all http traffic to https:

• create a file vi /etc/nginx/conf.d/redirect.conf add following code

enter code here

server {

listen 80;

return 301 https://$host$request_uri;

}

8. test nginx -t
9. reload systemctl reload nginx

10. Open up a browser and check the /var/log/nginx/access.log while calling the webservers

11. Finish