I am successfully using an nginx reverse proxy for some of my servers on the LAN, together with SSL and ACME (Let's Encrypt). It is very easy and handy to get my local web services HTTPS-ready for the internet.
It is OK as long as I can live with HTTP only on the LAN, but there are many VMs and dockerized solutions that also use some kind of ACME (Let's Encrypt) or another solution that works in a similar way to get a certificate, and they need to reach the public internet on both HTTP (port 80) and HTTPS (port 443) without being handled by the nginx that is on my OpenWrt router.
How could it be configured in UCI so that it does not use the router's nginx SSL certificates?
Extending on that: make a new container pool that does the (Let's) encrypting and have the router divert connections to it via a firewall rule. Rationale: the router will be very slow at encrypting, but it is ideal for forwarding tens of thousands of connections at once.
Some server without HTTPS:
config server 'www_myserv1_lv'
    list listen '80'
    list listen '[::]:80'
    option server_name 'www.myserv1.lv'
    option include 'conf.d/www.myserv1.lv.location'
# conf.d/www.myserv1.lv.location
location / {
    # app1 reverse proxy
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://172.148.1.132:3670;
    # this is mandatory for web sockets
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}
config server 'www_myserv2_lv'
    list listen '443 ssl'
    list listen '[::]:443 ssl'
    option server_name 'www.myserv2.lv'
    list include 'conf.d/www.myserv2.lv.location'
    option ssl_session_cache 'shared:SSL:32k'
    option ssl_session_timeout '64m'
    option uci_manage_ssl 'acme'
    option ssl_certificate '/etc/acme/www.myserv2.lv/fullchain.cer'
    # key must belong to the same ACME certificate directory as fullchain.cer
    option ssl_certificate_key '/etc/acme/www.myserv2.lv/www.myserv2.lv.key'
# conf.d/www.myserv2.lv.location
location / {
    # app1 reverse proxy
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://172.148.1.190;
    # this is mandatory for web sockets
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}
So the questions are:
How could I configure a server like myserv1 for HTTPS like myserv2, but so that it takes the certificate info/communication from that local server, e.g. 172.148.1.190 (and not from nginx)?
Can I configure it in one config section for multiple ports, e.g. both 80 and 443?
Yup, it would be the simplest of containers that does Let's Encrypt; then it is up to you if you want HTTP with cache or sockets. HTTP is possible, but the router does not have memory for a cache at all.
config server 'mail_myserv_com'
    list listen '80'
    list listen '[::]:80'
    option server_name 'mail.myserv.com'
    list include 'conf.d/mail.myserv.com.location'
config server 'ssl_mail_myserv_com'
    list listen '443'
    list listen '[::]:443'
    option server_name 'mail.myserv.com'
    list include 'conf.d/ssl.mail.myserv.com.location'
And for the locations:
# conf.d/mail.myserv.com.location
location / {
    # app1 reverse proxy
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://172.158.1.140:80;
    # this is mandatory for web sockets
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}
# conf.d/ssl.mail.myserv.com.location
location / {
    # app1 reverse proxy
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://172.158.1.140:443;
    # this is mandatory for web sockets
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}
Add this to /etc/config/firewall and edit it to your needs. No nginx involved. You can have nginx quick-returning a redirect on 80/tcp, but still consider a Let's Encrypt proxy_pass or DNS auth for the same.
The firewall will pull all connections off nginx and forward them to the DMZ-ed backend container.
Your router cannot encrypt at any modern speed (like sub-100 Mbps), but it can handle lots of connections.
You can sure pretend your router is a "crypto accelerator" until somebody else notices.
The firewall needs 1 rule for each port, separate for the IPv4 and IPv6 backend, but it takes ~200 B per forwarded connection vs nginx's 8-12 kB.
I am just trying to convince you to use the router at its best ability, not for everything.
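The firewall-side setup the replies describe, written out as an added example (this is not a config posted in the thread; it is an illustration of the "one rule per port, per address family" approach). It assumes fw4 (OpenWrt 22.03 or later, which is what makes the IPv6 DNAT rules possible), a firewall zone named 'dmz' that contains the container network, and placeholder backend addresses 192.168.10.140 and fd00:10::140; replace all three with your own values.

```uci
# /etc/config/firewall fragment (added example, not from the thread).
# DNAT happens in prerouting, before the packet reaches the router's own
# INPUT path, so nginx listening on 80/443 never sees WAN traffic on these
# ports; LAN clients can still reach nginx on its LAN address as before.
# Assumed: zone 'dmz' exists, backend is 192.168.10.140 / fd00:10::140.

# If you want nginx to keep 80/tcp for a quick redirect (and proxy_pass
# /.well-known/acme-challenge/ to the container, or use DNS-01), delete the
# two port-80 redirects and leave only the 443 ones.

config redirect
    option name 'http-to-acme-container-v4'
    option src 'wan'
    option src_dport '80'
    option dest 'dmz'
    option dest_ip '192.168.10.140'
    option dest_port '80'
    option proto 'tcp'
    option family 'ipv4'
    option target 'DNAT'
    # lets LAN hosts hit the public name and still land on the container
    option reflection '1'

config redirect
    option name 'https-to-acme-container-v4'
    option src 'wan'
    option src_dport '443'
    option dest 'dmz'
    option dest_ip '192.168.10.140'
    option dest_port '443'
    option proto 'tcp'
    option family 'ipv4'
    option target 'DNAT'
    option reflection '1'

# IPv6 needs its own pair of rules (fw4 only; fw3 cannot DNAT IPv6).
config redirect
    option name 'http-to-acme-container-v6'
    option src 'wan'
    option src_dport '80'
    option dest 'dmz'
    option dest_ip 'fd00:10::140'
    option dest_port '80'
    option proto 'tcp'
    option family 'ipv6'
    option target 'DNAT'

config redirect
    option name 'https-to-acme-container-v6'
    option src 'wan'
    option src_dport '443'
    option dest 'dmz'
    option dest_ip 'fd00:10::140'
    option dest_port '443'
    option proto 'tcp'
    option family 'ipv6'
    option target 'DNAT'
```

After `service firewall restart`, check that the rules were generated with `nft list chain inet fw4 dstnat_wan`; you should see four dnat entries, two per address family. Keep the container in its own zone with forwarding from 'dmz' to 'lan' left off so that a compromised TLS-terminating container cannot reach the rest of the LAN, and confirm from outside that the certificate served on 443 is the container's own Let's Encrypt certificate rather than the one nginx holds under /etc/acme.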