1.9 KiB
reverse-proxy
LILiK's reverse proxy without SSL termination.
Usint nginx with the options --with-stream and --with-stream-ssl_preread we are able to be a reverse proxy without being a SSL termination.
This configuration enable us to keep SSL certificates on the hosts, not on the router.
Every incoming HTTPS(S) connection must be
- upgraded to HTTPS
- mapped to an
upstreampool using SNI - streamed to the designated host
To achieve this with a little modularity we split this configuration in different directories
nginx.conf
Using the stream directive and SNI variables we can proxy without
terminating the SSL connection.
http.conf.d
Incoming HTTP connections will be upgraded to HTTPS using a HTTP redirect; this snippet will handle both GET and POST requests.
Because we like to have free SSL certificates from Let's Encrypt we must handle their HTTP authentication scheme.
server {
listen 150.217.18.45:80;
server_name bla.lilik.it www.bla.lilik.it;
# handle Let's Encrypt challenges
location /.well-known/acme-challenge/ {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
# proxy this connection to the host internal ip
# 10.150.42.40
proxy_pass http://10.150.42.40;
}
# redirect correctly both GET and POST requests
location / {
if ($request_method = POST) {
return 307 https://$server_name$request_uri;
}
return 301 https://$server_name$request_uri;
}
}
map.conf.d
This will map the domains to the upstream
# domain_name upstream_name;
bla.lilik.ti bla_https;
www.bla.lilik.it bla_https;
upstream.conf.d
stream bla_https {
server 10.150.42.40:443;
}