reverse-proxy

LILiK's reverse proxy without SSL termination.

Using nginx built with the options --with-stream and --with-stream-ssl_preread, we are able to act as a reverse proxy without being an SSL termination point.

This configuration enables us to keep the SSL certificates and private keys on the hosts, not on the router.

Every incoming HTTP(S) connection must be

  • upgraded to HTTPS
  • mapped to an upstream pool using SNI
  • streamed to the designated host

To achieve this with a little modularity we split the configuration into different directories.

nginx.conf

Using the stream directive and SNI variables we can proxy without terminating the SSL connection.

http.conf.d

Incoming HTTP connections will be upgraded to HTTPS using an HTTP redirect; this snippet handles both GET and POST requests.

Because we like to have free SSL certificates from Let's Encrypt, we must also handle their HTTP challenge (requests to /.well-known/acme-challenge/), which has to reach the host over plain HTTP and must not be redirected.

server {
    listen 150.217.18.45:80;

    server_name bla.lilik.it www.bla.lilik.it;

    # handle Let's Encrypt challenges
    location /.well-known/acme-challenge/ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;
      proxy_set_header X-NginX-Proxy true;
      # proxy this connection to the host internal ip
      # 10.150.42.40
      proxy_pass http://10.150.42.40;
    }

    # redirect correctly both GET and POST requests
    location / {
      if ($request_method = POST) {
        return 307 https://$server_name$request_uri;
      }
      return 301 https://$server_name$request_uri;
    }
}

map.conf.d

This maps each domain name (the SNI value read by ssl_preread) to an upstream name; the file is meant to be included inside the map block in nginx.conf.

# domain_name upstream_name;
bla.lilik.it bla_https;
www.bla.lilik.it bla_https;

upstream.conf.d

# upstream pool referenced from map.conf.d; the host keeps its own certificate
upstream bla_https {
    server 10.150.42.40:443;
}
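As an added example (not the repository's own nginx.conf), the following shows how the three directories above fit together in a stream block: ssl_preread reads the SNI hostname from the TLS ClientHello without decrypting anything, the map turns that hostname into an upstream name, and proxy_pass forwards the raw TLS bytes to that pool. The listen address, the include paths and the deny_https fallback pool are assumptions, not part of the original configuration.

```nginx
# Example nginx.conf tying nginx.conf / http.conf.d / map.conf.d / upstream.conf.d
# together. Paths and the fallback pool are assumptions.

events {
    worker_connections 1024;
}

http {
    # plain-HTTP vhosts: redirect to HTTPS and pass ACME challenges through
    include /etc/nginx/http.conf.d/*.conf;
}

stream {
    # $ssl_preread_server_name is the SNI hostname taken from the ClientHello.
    # The TLS session itself is never terminated here, so no certificate or
    # private key lives on the router. "hostnames" lets the map match names
    # case-insensitively and with leading-dot wildcards if ever needed.
    map $ssl_preread_server_name $upstream_pool {
        hostnames;

        # Unknown or missing SNI goes to a pool that only refuses connections,
        # so a stray hostname can never be routed to somebody else's host.
        default deny_https;

        # one "domain upstream_name;" line per vhost (map.conf.d)
        include /etc/nginx/map.conf.d/*.conf;
    }

    # upstream blocks such as bla_https (upstream.conf.d)
    include /etc/nginx/upstream.conf.d/*.conf;

    # assumed fallback pool: port 1 on localhost is closed, so the client
    # connection is simply dropped instead of being forwarded anywhere
    upstream deny_https {
        server 127.0.0.1:1;
    }

    server {
        listen 150.217.18.45:443;

        # buffer the ClientHello only long enough to read the SNI extension
        ssl_preread on;

        # forward the untouched TLS stream to the selected pool
        proxy_pass $upstream_pool;
        proxy_connect_timeout 5s;
    }
}
```

Two points to check after deploying a layout like this: `nginx -V` must list `--with-stream` and `--with-stream_ssl_preread_module`, otherwise `ssl_preread` is an unknown directive; and because the TLS connection is passed through untouched, each host sees the router's address as the client IP. If the hosts need the real client address, enable `proxy_protocol on;` in the stream server and accept it on the host side with `listen 443 ssl proxy_protocol;`, since the X-Forwarded-For headers from http.conf.d only exist on the plain-HTTP redirect path.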