Nginx Question

Hello, community. This is a fairly nginx-heavy question, so if it's not appropriate to put here, please let me know and I will close it.

I've followed the OpenWrt nginx guide to set up a reverse proxy.

This is what I am trying to achieve. I have my DNS A record pointed at my public IP. When I hit example.com (redacted URL), I'd like to forward the request to 192.168.1.3:12345 without any changes to the URL the user sees in the browser.

I've also gone ahead and installed the necessary opkg packages to use acme and have set it up as such:

config cert 'EXAMPLE'
	option use_staging '0'
	option keylength '2048'
	list domains 'example.com'
	option update_uhttpd '1'
	option update_nginx '1'
	option validation_method 'standalone'
	option enabled '1'

I've added the following .conf file to /etc/nginx/conf.d/:

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name example.com;
  
  location / {
    proxy_set_header X-Forwarded-Host $host:$server_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass https://192.168.1.3:12345/;
  }
}

As you can guess, the browser just hangs. A few questions I had were...

  1. How does acme talk to nginx? There's an option for nginx in the acme configs and I'm trying to understand if I need to still add the cert information to the location?
  2. I'd like internal network traffic to directly go to the right host rather than hitting my domain name server and then looping back. Right now, I've set up "host names" for IP addresses as a workaround, but there are no port capabilities.

Thank you, in advance, for all of the help!

Just pushing to top once and only time. Thanks, everyone.

Are you sure that you want to proxy_pass to https://, not http://?

The internal traffic will hit your router (not your domain name server) and then be proxied back. You can set up host name overrides (effectively split horizon DNS, where your internal DNS differs from the public DNS) but there's nothing you can do about the port - DNS can't help you with that. I would suggest that you just live with the internal proxying.
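The change the reply points at, written out as an added example (this is not the original poster's config or the OpenWrt guide's): a server block that terminates TLS on the router with the acme-issued certificate and proxies plain HTTP to the LAN host. The certificate and key paths are assumed placeholders; substitute the files your acme package actually writes.

```nginx
# Added example: TLS termination on the router, plain HTTP to the LAN backend.
# Certificate paths below are assumptions, not values from the original thread.

server {
  listen 80;
  listen [::]:80;
  server_name example.com;
  # Send cleartext requests to HTTPS; the path and query string are preserved.
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name example.com;

  # Assumed locations of the certificate chain and private key issued by acme.
  ssl_certificate     /path/to/example.com/fullchain.cer;   # placeholder
  ssl_certificate_key /path/to/example.com/example.com.key; # placeholder
  ssl_protocols TLSv1.2 TLSv1.3;

  location / {
    # Forward the original host, scheme and client address so the backend
    # sees the public name and logs the real client rather than the router.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP         $remote_addr;

    # The backend is assumed to speak plain HTTP; keep https:// only if
    # 192.168.1.3:12345 really serves TLS, otherwise the handshake stalls.
    proxy_pass http://192.168.1.3:12345/;
    proxy_http_version 1.1;
    proxy_read_timeout 60s;
  }
}
```

The browser URL stays https://example.com/ because the proxy_pass target never reaches the client; only the Location header of a backend redirect is rewritten, which nginx does by default.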
