Score:0

Nginx reverse proxy: no certificate on proxy, use the backend one


I have a small machine that serves as an entry point to my network, let's call it A. I also have two servers on my private network which are not accessible from outside, let's call them B1 and B2.

We will assume that B1 has the private address 1.1.1.1 and B2 the private address 2.2.2.2.

I would like for A to have a basic nginx configuration that proxies any request to b1.com and *.b1.com to B1, and requests to b2.com and *.b2.com to B2. B1 and B2 are responsible for handling the required certificates and the endpoints they wish to expose. A would have no ssl certificates stored, and would pass B1 or B2's certificate when they are queried.

Is there a way to achieve this with nginx?

Current config

I used the following configurations in A, where A has certificates for all necessary domain names. Those are included in the http block.

  • B1.conf
    server {
      server_name b1.com;
      server_name *.b1.com;
    
      listen 80;
      listen [::]:80;
    
      location / {
        return 301 https://$host$request_uri;
      }
    }
    
    server {
      server_name b1.com;
      server_name *.b1.com;
    
      listen 443 ssl;
      listen [::]:443 ssl;
    
      ssl_certificate /etc/letsencrypt/live/b1/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/b1/privkey.pem;
      include /etc/letsencrypt/options-ssl-nginx.conf;
      ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    
      location / {
        proxy_pass https://1.1.1.1;
    
        proxy_pass_request_headers on;
        proxy_pass_header Content-Type;
    
        proxy_set_header Host $host;
    
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
      }
    }
    
  • B2.conf: identical to above, with b1 replaced with b2, and 1.1.1.1 replaced with 2.2.2.2.

Desired behaviour

I would like to be able to remove the ssl section of the configuration, so that when I connect to b1.com, A returns the ssl certificate served by B1 directly. In a sense, I'd like A to be completely transparent, as it would only pass the requests and replies around.

This way, I can have A configured once and for all, and any change I wish to make would only have to be made on B1 or B2. For example, if I want a new domain name new.b1.com, I would only need to update the certificate on B1, whereas now I also need to update the certificate on A.

Possible solution

I know that one solution would be to make the proxy connections to B1 and B2 through HTTP, but I would like to know if it is possible to do something else for the following reasons:

  • B1 and B2 are owned by different people, who are OK with sharing, but would like to keep their configuration as close to home as possible, i.e. avoid making changes on A if possible,
  • having HTTPS connections between A and B1/B2 would allow the traffic in the private network to stay encrypted.

I was also wondering if streams could do something like this?
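Yes, this is what the `stream` module with `ssl_preread` is for. The following is an added example, not configuration from the original post: A listens on 443 as a raw TCP proxy, reads the SNI name from the client's ClientHello without decrypting anything, and forwards the still-encrypted connection to B1 or B2, so the certificate the client sees is the backend's own. It assumes nginx on A was built with `--with-stream_ssl_preread_module`, that the two `listen 443 ssl` server blocks from the question are removed from the http block (the port has to be free for the stream listener), and that `127.0.0.1:1` is an unused local port to sink connections with an unknown or missing SNI (that sink address is an assumption, not from the post). The backend addresses are the ones given in the question.

```nginx
# Added example (not the original poster's config): SNI passthrough on A.
# Assumes: nginx built with --with-stream_ssl_preread_module; the http-block
# "listen 443 ssl" servers from the question are removed; 127.0.0.1:1 is an
# unused local port (assumed) so unknown SNI names get a refused connection.
# The stream block must sit at the top level of nginx.conf, beside http, not
# inside it.

stream {
    # Pick the backend from the SNI name in the ClientHello. ssl_preread only
    # parses the unencrypted handshake header, so A needs no certificate or key.
    map $ssl_preread_server_name $backend {
        hostnames;                 # ".b1.com" then matches b1.com and *.b1.com
        .b1.com  1.1.1.1:443;      # B1, private address from the question
        .b2.com  2.2.2.2:443;      # B2, private address from the question
        default  127.0.0.1:1;      # no/unknown SNI: assumed closed port, connection refused
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $backend;
        # A cannot add X-Forwarded-* headers here (it never sees HTTP), so the
        # backends log A's address as the client. To hand them the real client
        # IP, enable PROXY protocol on both sides: uncomment the line below and
        # use "listen 443 ssl proxy_protocol;" plus set_real_ip_from/real_ip_header
        # on B1 and B2. Left off so the example works with unchanged backends.
        # proxy_protocol on;
    }
}

http {
    # The plain-HTTP redirect needs no certificate, so it can stay on A.
    server {
        listen 80;
        listen [::]:80;
        server_name b1.com *.b1.com b2.com *.b2.com;
        return 301 https://$host$request_uri;
    }
}
```

With this in place, adding new.b1.com only means reissuing B1's certificate; A just forwards whatever `*.b1.com` name the client asks for. Two things to keep in mind: the traffic between A and the backends stays end-to-end TLS exactly as the client negotiated it (A cannot inspect or rewrite it), and a client that sends no SNI lands on the `default` entry, so that entry should never point at a real service you did not intend to expose. You can check the result from outside with `openssl s_client -connect <A>:443 -servername b1.com`; the certificate printed should be the one installed on B1.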
