reverse-proxy
=============

LILiK's reverse proxy without SSL termination.

Using nginx built with the options `--with-stream` and `--with-stream_ssl_preread_module` we are able to act as a reverse proxy without being the SSL termination point. This configuration enables us to keep the SSL certificates (and private keys) on the hosts, not on the router.

Every incoming HTTP(S) connection must be:

- upgraded to HTTPS (plain HTTP is redirected)
- mapped to an `upstream` pool using SNI
- streamed to the designated host

To keep this modular, the configuration is split across different directories.

nginx.conf
----------

Using the `stream` directive and the SNI variables of `ssl_preread` we can proxy without terminating the SSL connection.

```nginx
```

http.conf.d
-----------

Incoming HTTP connections are upgraded to HTTPS with an HTTP redirect; this snippet handles both GET and POST requests. Because we like to have free SSL certificates from Let's Encrypt we must also handle their HTTP-01 challenge, which is served over plain HTTP from the host itself.

```nginx
server {
    listen 150.217.18.45:80;
    server_name bla.lilik.it www.bla.lilik.it;

    # handle Let's Encrypt challenges: only this path is proxied over plain HTTP
    location /.well-known/acme-challenge/ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;
        # proxy this connection to the host internal ip
        # 10.150.42.40
        proxy_pass http://10.150.42.40;
    }

    # redirect correctly both GET and POST requests
    location / {
        # 307 keeps the request method and body, so a POST is replayed over HTTPS
        if ($request_method = POST) {
            return 307 https://$server_name$request_uri;
        }
        return 301 https://$server_name$request_uri;
    }
}
```

map.conf.d
----------

This maps each domain name (as read from SNI) to the name of its upstream; the entries use `map` syntax (`key value;`).

```nginx
# domain_name upstream_name;
bla.lilik.it bla_https;
www.bla.lilik.it bla_https;
```

upstream.conf.d
---------------

One `upstream` block per host; the target is the host's own port 443, so the TLS session stays end-to-end between the client and the host.

```nginx
upstream bla_https {
    server 10.150.42.40:443;
}
```
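The `nginx.conf` section above leaves the actual `stream` block out, so the following is an added example (not LILiK's own file) of a stream configuration that wires the `map.conf.d` and `upstream.conf.d` snippets together; the include paths, the `http` block and the timeout value are assumptions.

```nginx
# Added example, not the repository's nginx.conf. Assumes the map and upstream
# snippets from this README live under /etc/nginx/map.conf.d and
# /etc/nginx/upstream.conf.d (paths are assumptions).
stream {
    # Read the server name from the TLS ClientHello (SNI) without decrypting
    # anything: the router never holds a certificate or private key.
    map $ssl_preread_server_name $https_upstream {
        include /etc/nginx/map.conf.d/*.conf;
        # No SNI, or an unknown name: no upstream is chosen, proxy_pass fails
        # and nginx closes the connection instead of forwarding it anywhere.
        default "";
    }

    # One `upstream <name> { server <ip>:443; }` block per internal host.
    include /etc/nginx/upstream.conf.d/*.conf;

    server {
        listen 150.217.18.45:443;
        ssl_preread on;
        proxy_pass $https_upstream;
        # Do not hang on an unreachable host (value is an assumption).
        proxy_connect_timeout 5s;
        # Caveat: the host sees the router's IP as the client. If its logs or
        # rate limits need the real client address, enable `proxy_protocol on;`
        # here and configure the host's listener for the PROXY protocol.
    }
}

http {
    # The HTTP -> HTTPS redirect and ACME servers from http.conf.d.
    include /etc/nginx/http.conf.d/*.conf;
}
```

Because the router only ever sees the SNI name, it cannot filter or inspect request paths on port 443; path-level controls stay on the hosts.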