
This question has probably been asked several times, but with all the results I can find and my little knowledge, I'm kind of lost. I'm using Fedora 29.

What I try to do with nginx:

  • Use one Let's Encrypt SSL certificate with several domain names
  • Map each domain to a particular internal host (DNS or IP in the config file, I don't mind, whatever will work)
  • All hosts use SSL internally already (no HTTP available, several listening ports)
  • If you use HTTP from the outside, I would like to have a redirection to HTTPS

Sample:

How would I be able to do that? Let's Encrypt configured nginx for me automatically, but it seems a bit too much.


Many thanks for the answer, I feel I'm making some progress, even if it is not working for the moment. I'm posting my full config file here because I now have a "502 Bad Gateway" error. The IP is not in the same subnet as the reverse proxy, but it is fully accessible, with no firewall or routing issue.

Any idea where I can look to move forward? In the original config there is also a certbot conf file that includes ciphers and protocols. Maybe I need to re-include it?

Also: the internal servers I'm trying to access have certificates signed with my own AD CS, but no root certificate has been installed on the reverse proxy. Maybe I should?

```nginx
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        server_name  _;
        return 301 https://$host$request_uri;
    }

    server {
        listen  443 ssl;
        server_name scans.domain.com;
        ssl  on;
        ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # managed by Certbot

        location  / {
                proxy_pass  https://192.168.XX.YY/;
        }
    }
}
```
EHRETic

  • What is the problem you are having? – Michael Hampton Nov 02 '18 at 19:07
  • Nginx is very flexible, and you can do many things. I see no problems with what you're trying to do. Suggest you need to read some tutorials and experiment. It's not that difficult; I spent a few months learning Linux, building all my software from source, learning Nginx configuration, that kind of thing. – Tim Nov 03 '18 at 03:59

2 Answers

In order to have NGINX resolve multiple domain names to independent proxies, you will need to set up a server block for each domain that you are using (and yes, you need that include provided by LE):

```nginx
server {
    listen 443 ssl;
    server_name application.domain.com;
    ssl on;   # redundant with "listen 443 ssl"; the ssl directive is deprecated since nginx 1.15.0
    ssl_certificate     /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / {
        proxy_pass https://hostname1.domain.local:80/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 443 ssl;
    server_name test.domain.com;
    ssl on;
    ssl_certificate     /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / {
        proxy_pass https://hostname3.domain.local:80/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

server {
    listen 443 ssl;
    server_name www.domain.com;
    ssl on;
    ssl_certificate     /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    location / {
        proxy_pass https://hostname2.domain.local:1234/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

Hob

  • @All, thank you so much for helping me through this. I ended up with a 502 error, which I could fix with the following command, but I couldn't get there before your help. The command on Fedora that "unlocked" it: setsebool -P httpd_can_network_connect 1 – EHRETic Nov 05 '18 at 11:02


In your http.conf config you can specify a rule to redirect all traffic that comes in on port 80 to be forwarded (domain agnostic):

```nginx
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}
```

In case you are trying to forward https > http you will also need a reverse proxy configuration; something like this would work:

```nginx
server {
    listen 443 ssl;
    server_name application.domain.com;
    ssl on;
    ssl_certificate     /etc/ssl/public/application.domain.com.combined;
    ssl_certificate_key /etc/ssl/private/application.domain.com.key;
    location / {
        proxy_pass http://hostname1.domain.local:80/;
    }
}
```

Please note that you don't necessarily need to place each of the websites on a different port; nginx knows what content to provide to your client based on the domain name.

Regards,

Dmitriy Kupch

  • Hi Dmitriy, many thanks, I made some progress here, but now I'm getting a 502 Bad Gateway error. I posted the full config above (you'll find it in the first post; an admin moved it there, I think I'll have to read the rules... ;-) ). If you can have a quick look: I feel I need to add my root CA, I guess, but please confirm! ;-) Thx! – EHRETic Nov 04 '18 at 08:54
  • Your location section is off for me. – Dmitriy Kupch Nov 05 '18 at 14:28
  • Your location section looks a bit off for me. You can't specify `https://192.168.XX.YY`, as https relies on SSL, which relies on the domain name. It actually needs to check that the domain is bound to the corresponding IP address. The whole point of SSL is to validate the provider of the content. Using http://192.168.XX.YY instead might fix the issue, depending on the configuration of your '192.168.XX.YY' webserver. It's still better to replace that line with the actual domain name that is resolvable by the nginx server. – Dmitriy Kupch Nov 05 '18 at 14:35
  • This is the change I would propose:
    ```
    location / { proxy_pass http://192.168.XX.YY/; }
    ```
    OR
    ```
    location / { proxy_pass http://domainname.localnet/; }
    ```
    where the domainname.localnet name resolves to your actual http webserver (192.168.XX.YY) – Dmitriy Kupch Nov 05 '18 at 14:37
  • @All, thank you so much for helping me through this. I ended up with a 502 error, which I could fix with the following command, but I couldn't get there before your help. The command on Fedora that "unlocked" it: setsebool -P httpd_can_network_connect 1 – EHRETic Nov 08 '18 at 20:55
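As an added example, not code from the question or from either answer, here is the per-name server block of the first answer combined with the redirect of the second, with one thing both answers leave out: nginx does not verify the upstream's TLS certificate unless `proxy_ssl_verify` is set, which is exactly where the question's internal AD CS root comes in. The CA bundle path `/etc/pki/tls/certs/internal-root-ca.pem` and the upstream name and port `scans.domain.local:8443` are assumptions.

```nginx
# Added example; assumes the AD CS root certificate was exported in PEM form
# to /etc/pki/tls/certs/internal-root-ca.pem and that scans.domain.local:8443
# is the internal HTTPS service (both placeholders, not from the thread).

# Plain HTTP, any name: send the client to HTTPS on the same name.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# One block per public name; the single Let's Encrypt certificate must list
# every such name as a SAN (certbot -d www.domain.com -d scans.domain.com ...).
server {
    listen 443 ssl;                     # "ssl on;" is not needed with this
    server_name scans.domain.com;

    ssl_certificate     /etc/letsencrypt/live/www.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;   # certbot's protocols and ciphers

    location / {
        # Upstream by DNS name, not IP: the name is what the internal
        # certificate was issued for and what nginx checks it against
        # (proxy_ssl_name defaults to the host part of proxy_pass).
        proxy_pass https://scans.domain.local:8443/;

        # Without these, nginx accepts any certificate from the upstream,
        # so anything that can answer on that address can impersonate it.
        # Trust only the internal CA, not the system bundle.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/internal-root-ca.pem;
        proxy_ssl_server_name         on;          # send SNI to the backend
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Preserve the original request context for the backend's logs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Repeat the second block for each name in the certificate's SAN list. On Fedora with SELinux enforcing, nginx's outbound connections stay blocked until `setsebool -P httpd_can_network_connect 1` (the fix found in the comments above); until then error.log reports the upstream connect() failing with `(13: Permission denied)`, which is the signature to look for before suspecting the certificate.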