
I am migrating a machine that holds several (Apache) websites to a new machine where I want one frontend (I have chosen nginx) acting as a reverse proxy and many small lxc virtual machines, each dedicated to a specific website.

This is working perfectly in http, but I now have a problem with certificate renewal: I use certbot/letsencrypt for most of the sites with autorenewal, but the reverse proxy does not know about the certificates.

Here are the solutions I see:

  • cron a copy of the certificates (I don't like the idea because I find it fragile — permissions, renewal failure, etc.)
  • install the certificates on the reverse proxy (only) and make plain http connections to the various websites. This solution has many advantages: all certificates are in the same place, deployment of new services is simple, etc.

Is this a good solution? Will it work with Wordpress (Wordpress is a real pita regarding URLs)?

JC Boggio
  • Your second solution seems fine. If you want to use HTTPS to the individual virtual machine web hosts, you can do that with internal certs / internal CA, but 100% that's significant additional complexity that you don't really need. – Slartibartfast Jun 17 '22 at 12:30
  • Thanks. It sort-of works, but wp-admin insists (i.e. redirects/302) on having an https protocol. – JC Boggio Jun 17 '22 at 14:32
  • Adding `define('FORCE_SSL_ADMIN', false);` to `wp-config.php` helps a little (the page is accessible), but I get many warnings that the connection is insecure and still no CSS. – JC Boggio Jun 17 '22 at 14:40
  • To solve everything: on the reverse proxy, add these 2 lines: `proxy_set_header X-Forwarded-Proto "https";` and `proxy_set_header X-Forwarded-Port "443";`; in the `wp-config.php` of the WordPress site, add this: `if (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { $_SERVER['HTTPS'] = 'on'; }`. [Find the details here](https://wordpress.org/support/topic/wp-behind-reverse-proxy-all-content-insecure/) – JC Boggio Jun 17 '22 at 15:05
  • You can also use https on the reverse proxy; nginx doesn't check for validation or a valid certificate by default. So the certbot has to be on nginx, as I use it, and the backend behind nginx does not care about the certificate anymore; I use a simple self-signed one on the backends. – djdomi Jun 17 '22 at 17:11
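An nginx server block for the second approach (certificates only on the reverse proxy, plain http to the container), as an added example that is not part of the question or the comments; the domain example.com, the backend address 10.0.3.10, the ACME webroot /var/www/letsencrypt and the certbot certificate paths are assumptions.

```nginx
# Added example, not the poster's configuration. Assumed: example.com,
# WordPress container at 10.0.3.10, certbot run with --webroot pointing at
# /var/www/letsencrypt, certificates in certbot's default live/ layout.

server {
    listen 80;
    server_name example.com www.example.com;

    # Keep plain http reachable for the http-01 renewal challenge only;
    # everything else is redirected to https.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://10.0.3.10:80;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # proxy_set_header replaces any value the client sent, so WordPress
        # only ever sees the scheme and port the proxy itself terminated on.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port  443;
    }
}
```

The `wp-config.php` snippet from the comment above still has to be in place on the container for WordPress to build https URLs. Because that snippet trusts `X-Forwarded-Proto`, the container's port 80 should be reachable only from the proxy (for example by firewalling it to 10.0.3.0/24 or binding it to the lxc bridge), otherwise a client that reaches the backend directly can set the header itself.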
