|
|
@ -0,0 +1,84 @@ |
|
|
|
reverse-proxy |
|
|
|
============= |
|
|
|
|
|
|
|
LILiK's reverse proxy without SSL termination. |
|
|
|
|
|
|
|
Usint nginx with the options `--with-stream` and `--with-stream-ssl_preread` we are able to be a reverse proxy without being a SSL termination. |
|
|
|
|
|
|
|
This configuration enable us to keep SSL certificates on the hosts, not on the router. |
|
|
|
|
|
|
|
Every incoming HTTPS(S) connection must be |
|
|
|
|
|
|
|
- upgraded to HTTPS |
|
|
|
- mapped to an `upstream` pool using SNI |
|
|
|
- streamed to the designated host |
|
|
|
|
|
|
|
To achieve this with a little modularity we split this configuration |
|
|
|
in different directories |
|
|
|
|
|
|
|
nginx.conf |
|
|
|
---------- |
|
|
|
|
|
|
|
Using the `stream` directive and SNI variables we can proxy without |
|
|
|
terminating the SSL connection. |
|
|
|
|
|
|
|
|
|
|
|
```nginx |
|
|
|
``` |
|
|
|
|
|
|
|
http.conf.d |
|
|
|
----------- |
|
|
|
|
|
|
|
Incoming HTTP connections will be upgraded to HTTPS using a |
|
|
|
HTTP redirect; this snippet will handle both GET and POST requests. |
|
|
|
|
|
|
|
Because we like to have free SSL certificates from Let's Encrypt |
|
|
|
we must handle their HTTP authentication scheme. |
|
|
|
|
|
|
|
|
|
|
|
```nginx |
|
|
|
server { |
|
|
|
listen 150.217.18.45:80; |
|
|
|
|
|
|
|
server_name bla.lilik.it www.bla.lilik.it; |
|
|
|
|
|
|
|
# handle Let's Encrypt challenges |
|
|
|
location /.well-known/acme-challenge/ { |
|
|
|
proxy_set_header X-Real-IP $remote_addr; |
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
|
|
|
proxy_set_header Host $host; |
|
|
|
proxy_set_header X-NginX-Proxy true; |
|
|
|
# proxy this connection to the host internal ip |
|
|
|
# 10.150.42.40 |
|
|
|
proxy_pass http://10.150.42.40; |
|
|
|
} |
|
|
|
|
|
|
|
# redirect correctly both GET and POST requests |
|
|
|
location / { |
|
|
|
if ($request_method = POST) { |
|
|
|
return 307 https://$server_name$request_uri; |
|
|
|
} |
|
|
|
return 301 https://$server_name$request_uri; |
|
|
|
} |
|
|
|
} |
|
|
|
``` |
|
|
|
|
|
|
|
map.conf.d |
|
|
|
----------- |
|
|
|
|
|
|
|
This will map the domains to the upstream |
|
|
|
|
|
|
|
```nginx |
|
|
|
# domain_name upstream_name; |
|
|
|
bla.lilik.ti bla_https; |
|
|
|
www.bla.lilik.it bla_https; |
|
|
|
``` |
|
|
|
|
|
|
|
upstream.conf.d |
|
|
|
--------------- |
|
|
|
|
|
|
|
```nginx |
|
|
|
stream bla_https { |
|
|
|
server 10.150.42.40:443; |
|
|
|
} |
|
|
|
``` |
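Review bot: The pool at the end of the hunk is declared as `stream bla_https {`, but in nginx's stream module `stream` is the top-level context and a named server pool is declared with `upstream`, so this snippet as written would be rejected at config load; it should read `upstream bla_https {`. The map snippet above it has a typo, `bla.lilik.ti bla_https;`, which leaves the apex SNI name `bla.lilik.it` unmapped and routed to whatever default the `map` in nginx.conf provides, if any; it should be `bla.lilik.it bla_https;`. The nginx.conf section's code fence is empty, so the `map $ssl_preread_server_name …` / `proxy_pass` wiring this README describes cannot be checked here, and a line noting whether unmatched SNI names are dropped or sent to a default pool would make the routing behaviour explicit. The build options in the intro should also be spelled as nginx names them, presumably `--with-stream --with-stream_ssl_preread_module`. A smaller point: `return 301 https://$server_name$request_uri` always redirects to the first name in `server_name`, so requests for `www.bla.lilik.it` land on `bla.lilik.it`; if that is not intended, `$host` is safe here because the server block only matches the two listed names.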