Edoardo Putti
2 years ago
1 changed files with 84 additions and 0 deletions
Split View
Diff Options
+ 84
- 0
bundle/reverse-proxy/README.md
View File
| @ -0,0 +1,84 @@ | |||
| reverse-proxy | |||
| ============= | |||
| LILiK's reverse proxy without SSL termination. | |||
| Usint nginx with the options `--with-stream` and `--with-stream-ssl_preread` we are able to be a reverse proxy without being a SSL termination. | |||
| This configuration enable us to keep SSL certificates on the hosts, not on the router. | |||
| Every incoming HTTPS(S) connection must be | |||
| - upgraded to HTTPS | |||
| - mapped to an `upstream` pool using SNI | |||
| - streamed to the designated host | |||
| To achieve this with a little modularity we split this configuration | |||
| in different directories | |||
| nginx.conf | |||
| ---------- | |||
| Using the `stream` directive and SNI variables we can proxy without | |||
| terminating the SSL connection. | |||
| ```nginx | |||
| ``` | |||
| http.conf.d | |||
| ----------- | |||
| Incoming HTTP connections will be upgraded to HTTPS using a | |||
| HTTP redirect; this snippet will handle both GET and POST requests. | |||
| Because we like to have free SSL certificates from Let's Encrypt | |||
| we must handle their HTTP authentication scheme. | |||
| ```nginx | |||
| server { | |||
| listen 150.217.18.45:80; | |||
| server_name bla.lilik.it www.bla.lilik.it; | |||
| # handle Let's Encrypt challenges | |||
| location /.well-known/acme-challenge/ { | |||
| proxy_set_header X-Real-IP $remote_addr; | |||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |||
| proxy_set_header Host $host; | |||
| proxy_set_header X-NginX-Proxy true; | |||
| # proxy this connection to the host internal ip | |||
| # 10.150.42.40 | |||
| proxy_pass http://10.150.42.40; | |||
| } | |||
| # redirect correctly both GET and POST requests | |||
| location / { | |||
| if ($request_method = POST) { | |||
| return 307 https://$server_name$request_uri; | |||
| } | |||
| return 301 https://$server_name$request_uri; | |||
| } | |||
| } | |||
| ``` | |||
| map.conf.d | |||
| ----------- | |||
| This will map the domains to the upstream | |||
| ```nginx | |||
| # domain_name upstream_name; | |||
| bla.lilik.ti bla_https; | |||
| www.bla.lilik.it bla_https; | |||
| ``` | |||
| upstream.conf.d | |||
| --------------- | |||
| ```nginx | |||
| stream bla_https { | |||
| server 10.150.42.40:443; | |||
| } | |||
| ``` | |||