Nginx reverse proxy config for backend server

I am successfully using an nginx reverse proxy for some of my servers on the LAN, together with SSL and ACME (Letsencrypt). It is very easy and handy to get my local web services HTTPS-ready for the internet.

It is OK while I can live in the LAN with http only, but there are many VMs and dockerized solutions that also use some kind of ACME (Letsencrypt) or other solution that works in a similar way to get a certificate, and they need to reach the public internet on both http (port 80) and https (port 443) without being handled by the nginx that is on my OpenWrt router.

How could it be configured in UCI so that it will not use the router's nginx SSL certificates?

brgds

No idea about UCI, but you can do SSL on the router with http proxy_pass and with socket proxy_pass.

The easiest method is probably to keep Nginx as a reverse proxy, but pass traffic to those servers unaltered.

Extending on that: make a new container pool that does the (Let's) encrypting and make the router divert connections to it via a firewall rule. Rationale: the router will be very slow at encrypting, but it is ideal for forwarding tens of thousands of connections at once.

Thanks for your answers.

Currently I have the following configs:

some server without https:

config server 'www_myserv1_lv'
        list listen '80'
        list listen '[::]:80'
        option server_name 'www.myserv1.lv'
        option include 'conf.d/www.myserv1.lv.location'

                location / {
                        # app1 reverse proxy
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_pass http://172.148.1.132:3670;
                        # this is mandatory for web sockets
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "Upgrade";
                }

config server 'www_myserv2_lv'
        list listen '443 ssl'
        list listen '[::]:443 ssl'
        option server_name 'www.myserv2.lv'
        list include 'conf.d/www.myserv2.lv.location'
        option ssl_session_cache 'shared:SSL:32k'
        option ssl_session_timeout '64m'
        option uci_manage_ssl 'acme'
        option ssl_certificate '/etc/acme/www.myserv2.lv/fullchain.cer'
        option ssl_certificate_key '/etc/acme/www.myserv2.lv/mail.emuari.lv.key'

                location / {
                        # app1 reverse proxy
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_pass https://172.148.1.190;
                        # this is mandatory for web sockets
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "Upgrade";
                }

So the questions are:
How could I configure a server like myserv1 for https like myserv2, but so that it takes the certificate info/communication from that local server, e.g. 172.148.1.190 (and not from nginx)?
Can I configure it in one config for multiple ports, e.g. both 80 and 443?

Hmm, sounds interesting ...

Did you mean to run a dedicated nginx in a dedicated container just for encrypting?

I had some sample container installations that already have nginx configured, so that forms an nginx(owrt)-nginx-server chain...

Yup, it would be the simplest of containers that does letsencrypt; then it is up to you if you want http with cache or sockets. http is possible, but the router does not have memory for a cache at all.

You can have unlimited server_name-s in http config.

Did you mean to make separate config for each port?
And just the same config for 443 as for plain 80 (http)?

You need a distinct proxy_pass for each hostname; if http is only redirecting, you can reuse it nicely.

Hmm, not so simple.

Now I have the following configs - should they work?

config server 'mail_myserv_com'
        list listen '80'
        list listen '[::]:80'
        option server_name 'mail.myserv.com'
        list include 'conf.d/mail.myserv.com.location'

config server 'ssl_mail_myserv_com'
        list listen '443'
        list listen '[::]:443'
        option server_name 'mail.myserv.com'
        list include 'conf.d/ssl.mail.myserv.com.location'

and for locations:

                location / {
                        # app1 reverse proxy
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_pass http://172.158.1.140:80;
                        # this is mandatory for web sockets
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "Upgrade";
                }

                location / {
                        # app1 reverse proxy
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header Host $host;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_pass https://172.158.1.140:443;
                        # this is mandatory for web sockets
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "Upgrade";
                }

Hmm, it worked - at least now my https://github.com/LukeSmithxyz/emailwiz script went well... :)

It will not work.
In the socket{} context you cannot set headers.
In the http{} context you have to encrypt.
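What the "socket proxy_pass" answer above amounts to in practice: an nginx stream block on the router that routes by SNI, so the backend that runs its own ACME keeps its own certificate (the router never decrypts that traffic) while the router still terminates TLS for its other vhosts. This is an added example, not config from the thread, and it assumes an nginx build with the stream and ssl_preread modules and a hand-written nginx.conf rather than the UCI-generated one; the hostnames, addresses and key path are placeholders taken from the thread's examples.

```nginx
# Added example (not from the thread). Assumes nginx built with
# --with-stream --with-stream_ssl_preread_module; not managed by UCI.

stream {
    # Pick the upstream from the SNI name in the ClientHello. Nothing is
    # decrypted here, so the backend's own Let's Encrypt cert is what clients see.
    map $ssl_preread_server_name $tls_upstream {
        www.myserv1.lv   172.148.1.132:443;   # backend does its own ACME, passed through
        default          127.0.0.1:8443;      # all other names: router's own https server
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;            # read SNI without terminating TLS
        proxy_pass $tls_upstream;
        # Raw TCP: no Host / X-Forwarded-For headers can be set in this context.
    }
}

http {
    # The router-terminated vhost moves off 443 so the stream block can own it.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name www.myserv2.lv;
        ssl_certificate     /etc/acme/www.myserv2.lv/fullchain.cer;
        ssl_certificate_key /etc/acme/www.myserv2.lv/PLACEHOLDER.key;   # placeholder path
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://172.148.1.190;
        }
    }
}
```

Two things to check after applying this: the http vhost now sees 127.0.0.1 as the client address unless you enable proxy_protocol between the two servers, and HTTP-01 renewals on the passed-through backend still need port 80 for that name proxied to it unaltered (or use DNS auth, as suggested later in the thread).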

Add this to /etc/config/firewall and edit it to your needs. No nginx involved. You can have nginx quick-returning a redirect on 80/tcp, but still consider a letsencrypt proxy_pass or DNS auth for the same.

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'https'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.43'
        option dest_port '8443'
        option limit '1000/second'
        option limit_burst '100'
        option enabled '0'

Probably worth setting the wan zone input/forward to drop instead of reset.

How will it live together with nginx - will it not conflict with that port?

The firewall will pull all connections off nginx and forward them to the DMZ-ed backend container.
Your router cannot encrypt at any modern speed (like sub 100 Mbps), but it can handle lots of connections.
You can sure pretend your router is a "crypto accelerator" until somebody else notices.
The firewall needs one rule for each port, separately for an IPv4 and an IPv6 backend, but it takes ~200 B per forwarded connection vs nginx's 8-12 kB.
I am just trying to convince you to use the router at its best ability, not for everything.