URL to local IP

I have been fooling around for months with rewrite, reverse proxy etc., but I still do not have a solution for this problem:

I have a platform of servers in 10.0.100.x.
Access is from a public IP to the local net via an Apache proxy
(ISPConfig) in the customer's network.

The platform is accessed via a router that redirects to an nginx proxy.

I am able to access all servers via HTTP but NOT HTTPS, as the SSL certificate shall be hosted at a "director" for the backend servers.

So, either a true passthrough at the Apache proxy for HTTP and HTTPS is required, OR
the simple method would be a URL-to-IP pass like:

at router

at router (SSL-Certificate Server)

Thank you all for ideas. I am sure mod_rewrite and its parameter passthrough will not work.

And I dearly hope for an OpenWrt module that solves it.

You need to redirect both ports, 80 and 443, in order for it to work.
80 is HTTP, 443 is HTTPS.


Yes, but unfortunately it is not that easy. I managed it today by
ordering two Let's Encrypt certificates for the same domain.

One at proxy .0.250 and one at proxy .100.250, but for me this is a really stupid workaround.

A lean solution ought to be:

at router

at router (SSL-Certificate Server)

Sorry, unfortunately I misinterpreted your question since it was somewhat unclear. So your problem is actually not related to OpenWrt; it is related to the SSL certificate.
You may need to find a solution to sync the certificate; you should get only one per domain. E.g. on cloud environments people usually push the cert to an S3 bucket and later fetch it from the other hosts using a cron job or something; you may use rsync or scp for that. The private key will remain the same, so you can copy it once. Since it is a small file you can even put it on your OpenWrt box, but if you have other hosts it will be better to push/pull from/to the main one (the one with the Let's Encrypt auto-renewal script).

The whole point of this setup is that the certificate server is not directly reachable from the Internet, so that it is harder to hack.

You can copy certificates around your LAN. The private key for the site should be online only on one machine, the certificate server.
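One way to get the passthrough asked for in this thread without copying the private key anywhere: let the front nginx proxy forward port 443 by the SNI name in the ClientHello (nginx `stream` module with `ssl_preread`) to the backend that holds the certificate, and only redirect port 80 to HTTPS. This is an added example, not configuration from the thread; the hostname `www.example.com`, the backend `10.0.100.250` and the fallback sink are assumptions.

```nginx
# Added example (not from the thread): SNI-based TLS passthrough on the front
# nginx proxy. The TLS session is NOT terminated here, so this host needs no
# certificate and no private key; both stay on the backend "director".
# Requires nginx built with the stream and stream_ssl_preread modules.
stream {
    # Choose the backend from the unencrypted SNI field of the ClientHello.
    map $ssl_preread_server_name $tls_backend {
        www.example.com   10.0.100.250:443;   # assumed: the certificate server
        default           127.0.0.1:9;        # assumed: discard unknown names
    }

    server {
        listen 443;
        ssl_preread on;                 # read SNI without decrypting anything
        proxy_pass $tls_backend;
        proxy_connect_timeout 5s;
    }
}

http {
    # Port 80 only bounces clients to HTTPS; nothing is served in the clear.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Because the proxy never decrypts the traffic, it cannot inspect or filter requests, and the backend sees the proxy's address as the client unless PROXY protocol is enabled on both sides; Let's Encrypt HTTP-01 renewals on the backend still work, since the port-80 redirect is followed by the validator.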

Hmm, yes, it is so easy to deny a feature request.
BUT! Think it over.

This really would be a cool feature.

The router catches the URL request and opens the connection to the
local server without any other features (which configure you to death).
Maybe as an add-on to an SSO server, with maybe Flask, nginx and acme.

Yes, as I said, I managed to use 2x certbot on both proxies to "create", or rather download, the certificate from Let's Encrypt. I will check if the auto-renewal will work on both servers.

But, as I said, the other solution would be a really cool feature, as the proxy configurations on nginx and apache2 are ... well, only one possible word: horrible and bloody useless when the router enables trespassing with one single line of configuration.