reverse-proxy
=============

LILiK's reverse proxy without SSL termination.

Usint nginx with the options `--with-stream` and `--with-stream-ssl_preread` we are able to be a reverse proxy without being a SSL termination.

This configuration enable us to keep SSL certificates on the hosts, not on the router.

Every incoming HTTPS(S) connection must be

- upgraded to HTTPS
- mapped to an `upstream` pool using SNI
- streamed to the designated host

To achieve this with a little modularity we split this configuration
in different directories

nginx.conf
----------

Using the `stream` directive and SNI variables we can proxy without
terminating the SSL connection.


```nginx
```

http.conf.d
-----------

Incoming HTTP connections will be upgraded to HTTPS using a
HTTP redirect; this snippet will handle both GET and POST requests.

Because we like to have free SSL certificates from Let's Encrypt
we must handle their HTTP authentication scheme.


```nginx
server {
    listen 150.217.18.45:80;

    server_name bla.lilik.it www.bla.lilik.it;

    # handle Let's Encrypt challenges
    location /.well-known/acme-challenge/ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;
      proxy_set_header X-NginX-Proxy true;
      # proxy this connection to the host internal ip
      # 10.150.42.40
      proxy_pass http://10.150.42.40;
    }

    # redirect correctly both GET and POST requests
    location / {
      if ($request_method = POST) {
        return 307 https://$server_name$request_uri;
      }
      return 301 https://$server_name$request_uri;
    }
}
```

map.conf.d
-----------

This will map the domains to the upstream

```nginx
# domain_name upstream_name;
bla.lilik.ti bla_https;
www.bla.lilik.it bla_https;
```

upstream.conf.d
---------------

```nginx
stream bla_https {
        server 10.150.42.40:443;
}
```