LILiK
/
openwrt-packages
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
23 Commits
1 Branch
42 KiB
Tree: fa46c46b21
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fa46c46b21'
${ noResults }
openwrt-packages/bundle/reverse-proxy/README.md

84 lines
1.9 KiB
Raw Normal View History

add reverse-proxy package readme
2 years ago
 
  1. reverse-proxy
  2. =============
  3. 

  4. LILiK's reverse proxy without SSL termination.
  5. 

  6. Usint nginx with the options `--with-stream` and `--with-stream-ssl_preread` we are able to be a reverse proxy without being a SSL termination.
  7. 

  8. This configuration enable us to keep SSL certificates on the hosts, not on the router.
  9. 

  10. Every incoming HTTPS(S) connection must be
  11. 

  12. - upgraded to HTTPS
  13. - mapped to an `upstream` pool using SNI
  14. - streamed to the designated host
  15. 

  16. To achieve this with a little modularity we split this configuration
  17. in different directories
  18. 

  19. nginx.conf
  20. ----------
  21. 

  22. Using the `stream` directive and SNI variables we can proxy without
  23. terminating the SSL connection.
  24. 

  25. 

  26. ```nginx
  27. ```
  28. 

  29. http.conf.d
  30. -----------
  31. 

  32. Incoming HTTP connections will be upgraded to HTTPS using a
  33. HTTP redirect; this snippet will handle both GET and POST requests.
  34. 

  35. Because we like to have free SSL certificates from Let's Encrypt
  36. we must handle their HTTP authentication scheme.
  37. 

  38. 

  39. ```nginx
  40. server {
  41.     listen 150.217.18.45:80;
  42. 

  43.     server_name bla.lilik.it www.bla.lilik.it;
  44. 

  45.     # handle Let's Encrypt challenges
  46.     location /.well-known/acme-challenge/ {
  47.       proxy_set_header X-Real-IP $remote_addr;
  48.       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  49.       proxy_set_header Host $host;
  50.       proxy_set_header X-NginX-Proxy true;
  51.       # proxy this connection to the host internal ip
  52.       # 10.150.42.40
  53.       proxy_pass http://10.150.42.40;
  54.     }
  55. 

  56.     # redirect correctly both GET and POST requests
  57.     location / {
  58.       if ($request_method = POST) {
  59.         return 307 https://$server_name$request_uri;
  60.       }
  61.       return 301 https://$server_name$request_uri;
  62.     }
  63. }
  64. ```
  65. 

  66. map.conf.d
  67. -----------
  68. 

  69. This will map the domains to the upstream
  70. 

  71. ```nginx
  72. # domain_name upstream_name;

  73. bla.lilik.ti bla_https;
  74. www.bla.lilik.it bla_https;
  75. ```
  76. 

  77. upstream.conf.d
  78. ---------------
  79. 

  80. ```nginx
  81. stream bla_https {
  82.         server 10.150.42.40:443;
  83. }
  84. ```