I have an internal LAMP (Ubuntu 18.04) server that I use for various personal projects. It has always been exposed directly on ports 80 and 443. It hosts 4 sites (Apache virtual hosts) and I use CloudFlare full SSL for the domains. I issued the Let's Encrypt certs using certbot. This was all done following tutorials online as I've never been a sysadmin.

Last night a friend put an NGINX server up and all traffic on ports 80 and 443 now goes to it instead. We're working on some projects together and now have several servers in my network, hence the nginx reverse proxy. I have been asked to simply use SSL passthrough to re-enable access to my sites.

I know where the config files are located and I know how to restart the nginx service, but that's about it. I have never worked with NGINX and I have no idea what configuration to use or how to proceed.

1 Answer

The answer you are looking for is here:
https://reinout.vanrees.org/weblog/2017/05/02/https-behind-proxy.html

In summary here are the config options you need.

server {
  # TLS is terminated here; "listen ... ssl" replaces the deprecated "ssl on;"
  listen 443 ssl;
  server_name sitename.example.org;
  location / {
    # forward the real client address and original scheme to the backend
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;
    # re-encrypt towards the internal server (it needs its own certificate)
    proxy_pass https://internal-server-name;
    proxy_http_version 1.1;
  }
  ....
  # the certificate presented to clients lives on the proxy in this setup
  ssl_certificate /etc/ssl/certs/wildcard.example.org.pem;
  ssl_certificate_key /etc/ssl/private/wildcard.example.org.key;
}

Of course, you'll need to set up SSL on your proxied-to server, but this is the basic idea.

Noteworthy is the fact that nginx by default will proxy using HTTP/1.0. That's why you need the proxy_http_version directive.

Suggest you read the full blog post for more background.

  • If this is SSL pass-through, why are the cert locations on the nginx server? Do I need to re-issue them? Or copy them from the destination server? This is where I start getting confused. – S16 Jan 08 '20 at 19:45
  • Yeah, this doesn't help me. It's not what I want to do. I _do not_ want to host an SSL certificate on the nginx server. I simply want that traffic to pass through to the destination server. Is this not possible? – S16 Jan 08 '20 at 20:46
  • @S16 try this instead https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru – gahooa Jan 09 '20 at 02:17
  • 1
    I don't want to terminate the certificate at NGINx, I wanted true passthrough. The solution ended up being using a stream for true passthrough and is nowhere near either of these solutions. – S16 Jan 10 '20 at 00:03
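The "stream" passthrough the asker settled on, written out as an added example (not the answer's or the asker's own config): nginx reads only the SNI name from the TLS ClientHello and forwards the still-encrypted connection, so the Let's Encrypt certificates stay on the Apache box. The hostnames, the 10.0.0.x backend addresses and the vhost-to-server mapping are assumed placeholders.

```nginx
# /etc/nginx/nginx.conf, top level: a stream {} block must NOT sit inside http {}.
# Requires a build with the stream and ssl_preread modules
# (check: nginx -V 2>&1 | grep -o 'with-stream[a-z_]*').
# Any http { server { listen 443 ...; } } on this host must be removed first,
# otherwise the two blocks fight over the port.
stream {
    # Route on the SNI name; the TLS session is never decrypted here, so no
    # certificate needs to be copied to or re-issued on the proxy.
    # Addresses below are hypothetical.
    map $ssl_preread_server_name $backend {
        site1.example.org    10.0.0.10:443;   # LAMP box, Apache vhost 1
        site2.example.org    10.0.0.10:443;   # LAMP box, Apache vhost 2
        project.example.org  10.0.0.20:443;   # another internal server
        default              10.0.0.10:443;   # no or unknown SNI: still reach LAMP
    }

    server {
        listen 443;
        ssl_preread on;            # parse ClientHello only, do not terminate TLS
        proxy_pass $backend;
        proxy_connect_timeout 5s;
    }

    # Plain HTTP carries no SNI, so port 80 can only go to one host. Keeping it
    # on the LAMP box lets certbot's HTTP-01 renewals and the 80->443 redirects
    # keep working unchanged.
    server {
        listen 80;
        proxy_pass 10.0.0.10:80;
    }
}
```

Because nothing is decrypted, no X-Forwarded-For header can be injected: Apache's access logs will show the proxy's address as the client unless PROXY protocol is enabled on both ends.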