Score:0

Nginx reverse proxy SSL using different domain on each side

cz flag

I need a little tip on how to solve a setup I came across where a client wants to access an HTTPS API hosted on api.foo.com (our domain, with a *.foo.com certificate) using api.bar.com (the client's domain name).

The request is routed through a point to point VPN from their infrastructure to ours using internal static IP addressing.

So the client makes a request on their side to https://api.bar.com and reaches a static IP on our side of the tunnel, where we have put a reverse proxy using nginx that forwards that request to https://api.foo.com.

In this scenario, proxy responses have CN=*.foo.com, and since the client expects *.bar.com, the TLS handshake fails on verifying ownership.

The only solutions I've thought of are to:

  1. Not use HTTPS between the client and the proxy, relying on the VPN itself for security
  2. Use a client certificate on our side's proxy, but that would require requesting their private key to make that setup, which seems wrong for obvious reasons.

Any help that can shed some light is welcome,

thank you!
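The handshake failure described in the question is the client's hostname check, not a trust-chain problem: the server's certificate chains to a trusted CA, but none of its Subject Alternative Names cover the name the client typed. The following is an added example (not code from this thread) that models that check in plain Python following RFC 6125 rules. The certificate dictionary is constructed to mirror the shape `ssl.getpeercert()` returns and uses the thread's hostnames as assumed values; it is not a real certificate.

```python
"""Model of the RFC 6125 hostname check a TLS client performs on the server's
certificate. PROXY_CERT below is constructed to mirror the dict shape that
ssl.getpeercert() returns; it is not a real certificate from api.foo.com."""


def _dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (case-insensitive).

    A wildcard is only honoured when it is the entire leftmost label and it
    matches exactly one label, so '*.foo.com' covers 'api.foo.com' but
    neither 'foo.com' nor 'a.b.foo.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only '*' as the whole first label is allowed; reject 'a*.foo.com',
    # a bare '*', and wildcards over a registrable domain such as '*.com'.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate's SAN dNSName
    entries. The Subject CN is deliberately ignored: modern TLS clients
    require a SAN, so a name that lives only in the CN does not help.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    return any(_dnsname_matches(p, hostname) for p in dns_names)


# Constructed stand-in for what the client sees from the proxy: a wildcard
# certificate for the API owner's domain (hostnames assumed from the thread).
PROXY_CERT = {
    "subject": ((("commonName", "*.foo.com"),),),
    "subjectAltName": (("DNS", "*.foo.com"), ("DNS", "foo.com")),
}


def verify_scenario() -> dict:
    """Evaluate the names from the thread against the proxy's certificate."""
    return {
        name: match_hostname(PROXY_CERT, name)
        for name in ("api.foo.com", "api.bar.com", "foo.com", "a.b.foo.com")
    }


if __name__ == "__main__":
    for name, ok in verify_scenario().items():
        print(f"{name:14} -> {'OK' if ok else 'hostname mismatch'}")
```

Running it shows `api.foo.com` and `foo.com` pass while `api.bar.com` (and the two-label `a.b.foo.com`) fail, which is exactly the mismatch the client reports. Whatever nginx does in between, a certificate naming only `*.foo.com` can never satisfy a client that asked for `api.bar.com`; the name the client connects to and the name in the served certificate have to agree.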

br flag
How many devices/users at the client site are accessing your API? Is the current certificate from a commercial CA or from a corporate/internal CA?
vic vic (cz flag)
On the client side we don't know; probably they will access our API from one single point. The current certificate is issued by Amazon (our infrastructure is on AWS).
us flag
Can you explain more details of the "reverse proxy" you have set up?
vic vic (cz flag)
It's just a simple stream with proxy_pass listening on port 443; it has nothing fancy.
br flag
The problem here is that your CA has certified you as __foo.com__ only, but your client is accessing you with the incorrect name (__bar.com__). Why can't the client access you by your correct name in the 1st place?
vic vic (cz flag)
Exactly! And the API we are providing is already publicly accessible! They requested, as mandatory, access through a private VPN and through a domain of their own; that's why I'm lost. I guess it has something to do with their security compliance, but it's something I've never seen. I don't think that I can deploy a service on our side answering HTTPS requests for a domain we don't own without being insecure by nature... that's why I'm asking if someone has faced a similar situation.