
Nginx Different Certificate Based on Client IP or Existence of X-Forwarded-For Header?


So I have Nginx Proxy Manager set up to proxy a bunch of servers. It has two certificates on it. One is the Cloudflare Origin and the other is a Let's Encrypt one. Nearly all of my sites are internal only, so using the Let's Encrypt one is fine. But for 2 of them I use the Cloudflare proxy and thus need to use the origin certificate.

I'm trying to also allow direct access if I'm local, but currently the proxy is giving me back the origin certificate. Is it possible to assign SSL settings in nginx based on the source IP or the existence of the header?

Something like this:

if (header exists or source IP != 10.0.0.0/24) { SSL Certa } else { SSL Certb }

dave_thompson_085
It certainly can't look at a header, because headers are sent only after the SSL/TLS handshake is completed. I don't know if it can look at the client IP. But private addresses are very cheap -- why don't you assign a different address to be used for local access (possibly setting internal DNS and/or hosts files to map to it automatically), and use the desired cert on that listen?
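As an added example (not from the question or the answer), two nginx configurations for this situation: the answer's separate-listen approach, and, for nginx 1.15.9 or later, selection of the certificate by client address using the geo module and a variable in ssl_certificate. Certificate paths, server names, the backend address and the listen addresses are assumed placeholders; 10.0.0.0/24 is the LAN range from the question, and the two approaches are alternatives, not meant to be combined in one config.

```nginx
# Approach A (what the answer suggests): a second private address for
# local access, one server block per listen address, each with its own cert.
# An internal DNS or hosts entry points the LAN name at 10.0.0.20.
server {
    listen 10.0.0.10:443 ssl;            # address the Internet port-forward lands on (placeholder)
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/cloudflare-origin.pem;
    ssl_certificate_key /etc/nginx/certs/cloudflare-origin.key;
    location / { proxy_pass http://10.0.0.50:8080; }   # backend (placeholder)
}
server {
    listen 10.0.0.20:443 ssl;            # address used only from the LAN (placeholder)
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/letsencrypt.pem;
    ssl_certificate_key /etc/nginx/certs/letsencrypt.key;
    location / { proxy_pass http://10.0.0.50:8080; }
}

# Approach B: one listen, certificate chosen by source IP of the TCP
# connection. Requires nginx 1.15.9+ (variables allowed in ssl_certificate
# and ssl_certificate_key); the geo block lives in the http context.
# Only $remote_addr is usable here: no HTTP header (X-Forwarded-For included)
# exists yet when the certificate is chosen during the TLS handshake.
# Note that with a variable in the path nginx reloads the cert files on
# every handshake, which costs some performance.
geo $cert_name {
    default      cloudflare-origin;     # any non-local source, Cloudflare's proxies included
    10.0.0.0/24  letsencrypt;           # the LAN from the question
}
server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/nginx/certs/$cert_name.pem;
    ssl_certificate_key /etc/nginx/certs/$cert_name.key;
    location / { proxy_pass http://10.0.0.50:8080; }
}
```

Check the result with `nginx -t` and then, from a LAN host and from outside, `openssl s_client -connect app.example.com:443 -servername app.example.com` to see which certificate is served.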

