Hello need some help with setting up a nginx reverse proxy server on my server for experience

timnboys Member
edited December 2015 in Help

What I basically need to do is have an nginx or apache reverse proxy that is listening on the outer or outside ports of 80 and 443 to return back the website content on internal servers that host multiple websites on both http and https or ssl ports, and the reverse proxy uses the appropriate ssl cert for each website to ensure there are no ssl errors. And the nginx or apache reverse proxy should be able to distinguish between the normal http and https traffic and also sstp vpn or ssl vpn traffic and forward to the appropriate server internally; nat will be used. So each type of traffic must be forwarded like vpn traffic like normal and http and https traffic like normal also, since using nat it will be using the address scheme of the usual 192.168.1.x internally and have one static public ipv4 address.

Comments

  • That's complicated for me. Try serverpilot.io and digitalocean and see what the config files are in etc nginx-sp and etc apache sp.

    Serverpilot provides an installer apache-nginx with nginx as proxy and apache listening on localhost:81.

    So I'd look at their config files for a start for ideas.

  • This is actually easy to do, it's just the way you've explained it, and the grammar, that makes this almost unreadable.

  • https is impossible until you have the certificate key and the certificate.

    from what I assume you want to do like this :

    your backend : 1.1.1.1:xxxx
    and you want to configure the nginx proxy to be able to listen to the xxxx port and deliver requests on its 80/443 ?

  • @RockBeltHOST said:
    https is impossible until you have the certificate key and the certificate.

    from what I assume you want to do like this :

    your backend : 1.1.1.1:xxxx
    and you want to configure the nginx proxy to be able to listen to the xxxx port and deliver requests on its 80/443 ?

    I have found out you can set it to sslproxy on nginx to allow it to just return the certificate on the server it is pulling the website's pages from.
    My backend is in the ip range scheme of 192.168.1.x (just not 1.1.1.1). Yes, I want the nginx proxy to listen to requests on the edge of the nat on ports 80/443 and then the edge nginx goes inside the nat and pulls the website's files and returns it back to the web browser requesting it, so it would be an nginx reverse proxy, not just an nginx proxy.

    I am testing the setup here: http://www.cmdln.org/2009/07/12/transparent_dynamic-reverse-proxy-with-nginx/ that someone wrote a tutorial on how to configure nginx to work like I want it, but just wondering if it should work the way I want it, as I would like to forward email through nginx as well to an internal zimbra email server.

  • @timnboys said:
    I am testing the setup here: http://www.cmdln.org/2009/07/12/transparent_dynamic-reverse-proxy-with-nginx/ that someone wrote a tutorial on how to configure nginx to work like I want it, but just wondering if it should work the way I want it, as I would like to forward email through nginx as well to an internal zimbra email server.

    it will not forward email emq or whatever its file format was...
    you need GRE tunnel for that I think

  • It's hard to understand what you're saying, so just reverse proxy?

  • timnboys Member
    edited December 2015

    @rokok said:
    It's hard to understand what you're saying, so just reverse proxy?

    reverse proxy for multiple websites with ssl

  • PieHasBeenEaten Member, Host Rep
    edited December 2015
  • timnboys Member
    edited December 2015

    Okay, so how does that use the ssl certificate on the "upstream" or "backend" servers? As I understand nginx's syntax, I did find an article to use something like ssl_proxy_engine on or something that did just that, but cannot find it in google so fast like last time.
    I looked at that but couldn't figure out how to implement that.
    Well, that explains it: it was in apache I found that, not nginx.
    http://serverfault.com/questions/84821/apache-proxypass-with-ssl

  • If just reverse proxy it's pretty easy

    https://lowendtalk.me/

    I try proxying LET non-ssl site to ssl

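  • PieHasBeenEaten Member, Host Rep
                server {
                    # listen, server_name and ssl_certificate lines were not included in the post
                    location / {
                        proxy_set_header Host $http_host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-Proto https;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        # rewrite http:// redirects from the backend to https://
                        proxy_redirect http:// https://;

                        # app_server is an upstream defined elsewhere in the config
                        proxy_pass https://app_server;
                    }
                }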
    

    Here is what my reverse proxy looks like when passing ssl

  • rincewind Member
    edited December 2015

    If you just want to reverse proxy HTTP/HTTPS, just add multiple server blocks in your NGINX config file. Depending on your Linux distribution, all the server blocks go into one nginx.conf file, or split into multiple files under /etc/nginx/sites-enabled. Examples: Merged NGINX config or Split NGINX config. You can also use location to split your proxies, e.g. send www.domain.com/prefix1 and www.domain.com/prefix2 to different internal servers.

    Handling both HTTP(s) and VPN(s) on ports 80/443 requires some deep-packet inspection. You first need to figure out which protocol it is. If HTTP(s) then forward to Apache/NGINX which will in turn send it to your internal server. If it's VPN traffic then forward to VPN server. Take a look at this discussion. If both VPN and HTTP are encrypted I am not sure if this is even possible, or if your VPN traffic is obfuscated.

    Thanked by 1timnboys
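
The multiple-server-block layout described in the post above, as an added example that is not from the thread or any poster's configuration: nginx picks the certificate by the requested hostname (SNI) and proxies each site to its own internal server. The hostnames, certificate paths and 192.168.1.x addresses are placeholders.

```nginx
# Added example. Goes in the http {} context, e.g. a file under
# /etc/nginx/sites-enabled. All names, paths and addresses are placeholders.

# Unknown or missing hostname: refuse the handshake rather than serve
# another site's certificate (ssl_reject_handshake needs nginx 1.19.4+).
server {
    listen 443 ssl default_server;
    ssl_reject_handshake on;
}

# Site A: TLS ends at the proxy, plain HTTP to the internal server.
server {
    listen 443 ssl;
    server_name site-a.example;
    ssl_certificate     /etc/nginx/ssl/site-a.example.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/site-a.example.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://192.168.1.10:80;
    }
}

# Site B: re-encrypt to an HTTPS backend and verify its certificate.
server {
    listen 443 ssl;
    server_name site-b.example;
    ssl_certificate     /etc/nginx/ssl/site-b.example.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/site-b.example.key;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_ssl_server_name on;
        proxy_ssl_name site-b.example;   # name to check, since proxy_pass uses an IP
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/internal-ca.pem;
        proxy_pass https://192.168.1.11:443;
    }
}

# Plain HTTP for both sites is redirected to HTTPS.
server {
    listen 80;
    server_name site-a.example site-b.example;
    return 301 https://$host$request_uri;
}
```
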
  • vestacp with apache as webserver and nginx as reverse proxy?

  • PieHasBeenEaten Member, Host Rep

    The more I read the OP's post the more confused I get. WTF! Good time for a beer! Who wants one?

  • @timnboys - I would suggest not using nginx to forward smtp mail ports in the situation you describe. Just use iptables on the node (edge server) to forward port 25 and 465 to the internal ip of the mail server. You'll need to have a dns ptr record for the edge IP that matches the mail server hostname anyway.

  • Use nginx to catch all http and https requests then forward them to apache where you set ssl for any of your domains

  • @rincewind said:
    If you just want to reverse proxy HTTP/HTTPS, just add multiple server blocks in your NGINX config file. Depending on your Linux distribution, all the server blocks go into one nginx.conf file, or split into multiple files under /etc/nginx/sites-enabled. Examples: Merged NGINX config or Split NGINX config. You can also use location to split your proxies, e.g. send www.domain.com/prefix1 and www.domain.com/prefix2 to different internal servers.

    Handling both HTTP(s) and VPN(s) on ports 80/443 requires some deep-packet inspection. You first need to figure out which protocol it is. If HTTP(s) then forward to Apache/NGINX which will in turn send it to your internal server. If it's VPN traffic then forward to VPN server. Take a look at this discussion. If both VPN and HTTP are encrypted I am not sure if this is even possible, or if your VPN traffic is obfuscated.

    I have looked at the documentation you provided and I am not using OpenVPN; I am using mainly Microsoft's ssl vpn implementation through RRAS (Routing and Remote Access Service),
    but your documentation seems most likely to get what I want working (close at least).
    Please see if you find more information on that, as you're on the right track of trying to help me get what I need/want,
    as I use Microsoft's ssl vpn implementation with a valid CA-signed ssl cert from Namecheap to encrypt the ssl vpn tunnel.

  • @timnboys :

    So you want to handle both encrypted HTTP and VPN on port 443?

    It is unlikely that the SYN packet will have enough info to differentiate the type of traffic. So IPTable rules are probably out of the question.

    On the other hand, your OP suggests that each internal website has its own certificate. Maybe you can use HAProxy for SSL termination and the matching certificate for incoming traffic will tell you what service was requested. Talk to someone who has experience with HAProxy, maybe the LES folks?

    If HAProxy does not allow brute-force searches among your private keys, then another way would be to write some sort of buffering application that captures enough data, searches among your private keys and then forwards it to the right internal server. Messy!
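
An added example, not from the thread: the hostname in a TLS ClientHello (SNI) is sent unencrypted, so nginx's stream module can route port 443 by name without holding or searching any private keys. It assumes nginx is built with the stream and ssl_preread modules and that the VPN client sends its server name in SNI; `vpn.example` and the addresses are placeholders.

```nginx
# Added example. Top-level context in nginx.conf, beside http {}, not inside it.
# Hostnames and addresses are placeholders.
stream {
    # Choose a backend from the server name in the ClientHello.
    # Nothing is decrypted here; the TLS session passes through untouched.
    map $ssl_preread_server_name $tls_backend {
        vpn.example  192.168.1.20:443;   # VPN server, terminates its own TLS
        default      127.0.0.1:8443;     # local http {} servers holding the site certificates
    }

    server {
        listen 443;
        ssl_preread on;                  # read the ClientHello without terminating TLS
        proxy_connect_timeout 5s;
        proxy_pass $tls_backend;
    }
}
```

With this in place the http {} site servers listen on 127.0.0.1:8443 instead of 443, and they see 127.0.0.1 as the client address.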
