From fa46c46b21d3b608e4239ce311c94e96144c9187 Mon Sep 17 00:00:00 2001
From: Edoardo Putti
Date: Sun, 20 Feb 2022 12:20:50 +0100
Subject: [PATCH] add reverse-proxy package readme
---
 bundle/reverse-proxy/README.md | 84 ++++++++++++++++++++++++++++++++++
 1 file changed, 84 insertions(+)
 create mode 100755 bundle/reverse-proxy/README.md
diff --git a/bundle/reverse-proxy/README.md b/bundle/reverse-proxy/README.md
new file mode 100755
index 0000000..698e136
--- /dev/null
+++ b/bundle/reverse-proxy/README.md
@@ -0,0 +1,84 @@
+reverse-proxy
+=============
+
+LILiK's reverse proxy without SSL termination.
+
+Usint nginx with the options `--with-stream` and `--with-stream-ssl_preread` we are able to be a reverse proxy without being a SSL termination.
+
+This configuration enable us to keep SSL certificates on the hosts, not on the router.
+
+Every incoming HTTPS(S) connection must be
+
+- upgraded to HTTPS
+- mapped to an `upstream` pool using SNI
+- streamed to the designated host
+
+To achieve this with a little modularity we split this configuration
+in different directories
+
+nginx.conf
+----------
+
+Using the `stream` directive and SNI variables we can proxy without
+terminating the SSL connection.
+
+
+```nginx
+```
+
+http.conf.d
+-----------
+
+Incoming HTTP connections will be upgraded to HTTPS using a
+HTTP redirect; this snippet will handle both GET and POST requests.
+
+Because we like to have free SSL certificates from Let's Encrypt
+we must handle their HTTP authentication scheme.
+
+
+```nginx
+server {
+ listen 150.217.18.45:80;
+
+ server_name bla.lilik.it www.bla.lilik.it;
+
+ # handle Let's Encrypt challenges
+ location /.well-known/acme-challenge/ {
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_set_header X-NginX-Proxy true;
+ # proxy this connection to the host internal ip
+ # 10.150.42.40
+ proxy_pass http://10.150.42.40;
+ }
+
+ # redirect correctly both GET and POST requests
+ location / {
+ if ($request_method = POST) {
+ return 307 https://$server_name$request_uri;
+ }
+ return 301 https://$server_name$request_uri;
+ }
+}
+```
+
+map.conf.d
+-----------
+
+This will map the domains to the upstream
+
+```nginx
+# domain_name upstream_name;
+bla.lilik.ti bla_https;
+www.bla.lilik.it bla_https;
+```
+
+upstream.conf.d
+---------------
+
+```nginx
+stream bla_https {
+ server 10.150.42.40:443;
+}
+```