Amin El-Zein
asked on
nginx Reverse proxy
Hello,
I have Ubuntu Linux 16.10 and I installed nginx.
I want to make it work as a reverse proxy for my backend sites.
The reverse proxy name is: rp.example.com
and I generated a Let's Encrypt cert for that.
The network map is:
wan connection --- nginx reverse proxy https: --- web site name: example1.com http:
example1.com points to the nginx reverse proxy IP.
I want the client request for example1.com to connect as https.
In this case the request will be:
client --- https --- nginx server --- http --- example1.com
In short, I want to make something like CloudFlare, which secures the website without requiring a certificate to be issued for the website domain.
Thanks.
ASKER
I already use it, but when I redirect to the backend server it gives a certificate name error!
How do they generate a certificate for my domain?
Thanks.
Yes, because you need to generate a wildcard SSL certificate, with *.yourdomain.com as the CN field, with OpenSSL.
ASKER
You mean an internal certificate from the OpenSSL that is installed on nginx?
How will the configuration be? I don't want to show a certificate trust error on the client side, like CloudFlare.
Thanks.
Your proxy should serve a wildcard SSL certificate.
https://www.digicert.com/csr-creation.htm
ASKER
If my domain name is example.com and I have a wildcard SSL,
how will the reverse proxy handle example1.com without having any cert on it and without any error?
CloudFlare secures my website without installing any SSL on my server.
Thanks.
CloudFlare takes over DNS for your domain name; this way they direct traffic for the records where you activate the "orange cloud" option. On their end they do generate a wildcard certificate to have the SSL connection going.
CloudFlare SSL options are explained here:
https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-
ASKER
Hello
I already know about their options, but how do they generate a certificate for my domain?
Is there any way to do something like them from my side for many domains?
Thanks.
The certificates you generate will not be trusted by a browser. You will need to have your wildcard certificate CSR signed by a certification authority such as VeriSign, GeoTrust, and/or DigiCert, which is not a FREE service. I have provided the link above on how to generate a CSR based on your server, NGINX.
Example. I have a domain: testing.com. I have delegated my DNS records (pointed by NS records to CloudFlare as requested). Now they have full control of my domain. I can control which records go through CloudFlare through their control panel under the "DNS" option. On a free tier plan, CloudFlare could generate a multiple wildcard and place multiple domains in the same certificate, such as *.testing.com and *.anothersite.com. Since they control your DNS records, they technically have control of your domain and can issue the SSL certificates on your behalf. However, they would not do anything like that, since their reputation is important to them.
In summary, you need to generate a CSR and a private key using openssl, submit it to a certification authority as mentioned above, pay the fee, receive a CRT back, and install the private key and the CRT file on your NGINX server. That's about the only way to do what you want. Side note: if you want a free certificate you can use something like https://letsencrypt.org
ASKER
Hello,
sorry, but I have some questions to understand more.
First I will sign a certificate for the nginx server domain name with Let's Encrypt: nginxdomain.com
Then I will point clientdomain.com to the nginxdomain.com IP.
Then?
Thanks.
1) generate certificate
2) sign it, install on nginx
3) use DNS to point it to your proxy
ASKER
Generate from local OpenSSL?
In this case clientdomain.com will appear as an untrusted cert!
Thanks.
ASKER
Hello,
any update please?
Thanks.
Post the nginx.conf file.
ASKER
I am writing because I want it!
What do you mean? Post your basic nginx.conf and we can troubleshoot from there. Or you can start a Gigs project and we can address any of your custom requirements.
ASKER
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name example.com;
    error_log /var/log/nginx/example.com.error.log warn;
    # access_log takes a log format name, not a level; "warn" here would be
    # rejected as an unknown log format, so the default format is used instead
    access_log /var/log/nginx/example.com.access.log;
    ssl on;
    ssl_certificate /etc/nginx/ssl/<yourkeys>.crt;
    ssl_certificate_key /etc/nginx/ssl/<yourkeys>.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # TLS is terminated here; the backend is reached over plain HTTP
        proxy_pass http://reverseexample.com;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # the proxy_cache_* settings below have no effect until a cache zone
        # is declared with proxy_cache_path and enabled with proxy_cache
        proxy_cache_key backend$request_uri;
        proxy_cache_valid 200 301 302 20m;
        proxy_cache_valid 404 1m;
        proxy_cache_valid any 15m;
        proxy_cache_use_stale error timeout invalid_header updating;
    }
}
You have not defined your upstream as per:
http://nginx.org/en/docs/http/ngx_http_upstream_module.html
Please read up on how proxy_pass works with NGINX:
https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching
Finally, what is the error that you get with your current setup?
ASKER
Hello,
my current configuration:
upstream backend1 {
    server test.clientdomain.com;
}
server {
    listen 80;
    listen 443 ssl;
    server_name rpn.mydomain.com;
    # "ssl on;" removed: "listen 443 ssl" already enables TLS on 443, while
    # "ssl on" would also force TLS on the port 80 listener and break plain HTTP
    ssl_certificate /etc/letsencrypt/live/rpn.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rpn.mydomain.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security "max-age=31536000";
    location / {
        # the certificate above only names rpn.mydomain.com; a browser that
        # requested test.clientdomain.com will reject it with a name mismatch
        proxy_pass http://backend1;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
error: Error code: SSL_ERROR_BAD_CERT_DOMAIN
As mentioned before you need to create a wildcard SSL certificate and have nginx serve it.
ASKER
Wildcard SSL for mydomain.com?
ASKER
What I didn't understand: when I used CloudFlare, I used their cert to protect my domain!
In short words, I want to create something like the CloudFlare service in our company DC.
ASKER
When I open any website that is secured with CloudFlare, the SSL certificate for the requested domain, for example, is:
cn: sni150734.cloudflaressl.com
but the requested domain is different!
Thanks.
You cannot just proxy SSL with nginx and expect it to work.
You either need 1) a wildcard certificate or 2) one that matches the CN field.
At any rate, those certificates must be signed by a trusted authority for your browser to trust them. This is just how the SSL chain of trust works. There are no workarounds.
Now in the case of CloudFlare, they issue a wildcard certificate signed by Comodo for their free tier customers.
The certificate must be issued for the domain you are serving. It must either be a wildcard (easiest) or an exact FQDN under the CN field of an SSL certificate issued.
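Why the configuration posted above ends in SSL_ERROR_BAD_CERT_DOMAIN, and why a CloudFlare-fronted site shows a CN that differs from the visited domain without any error, can be checked offline with the name-matching rules a browser applies. The Python below is an added example, not code from this thread, from nginx or from CloudFlare. Its certificates are constructed dictionaries; the CN sni150734.cloudflaressl.example is a placeholder standing in for the CloudFlare name quoted in the thread; and it goes beyond the thread in spelling out the RFC 6125 wildcard rules (one left-most label only, never the apex) and the rule that the CN is ignored once a Subject Alternative Name list is present.

```python
"""
Browser-style matching of a requested hostname against the names in a server
certificate (the rules of RFC 6125 section 6.4 / RFC 2818), written to show why
the proxy's Let's Encrypt certificate for rpn.mydomain.com yields
SSL_ERROR_BAD_CERT_DOMAIN for test.clientdomain.com.  All certificates here are
constructed dictionaries, not real certificates.
"""


def name_matches(presented: str, hostname: str) -> bool:
    """Return True if one DNS name taken from a certificate covers `hostname`."""
    p_labels = presented.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" in presented:
        # Wildcard rules browsers enforce: the wildcard must be the entire
        # left-most label, must not sit at the top level ("*.com"), and it
        # matches exactly one label, so "*.clientdomain.com" covers
        # test.clientdomain.com but neither clientdomain.com nor a.b.clientdomain.com.
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
            return False
        if len(p_labels) < 3 or len(h_labels) != len(p_labels):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert: dict, hostname: str) -> bool:
    """
    Emulate the browser decision: when the certificate carries dNSName entries
    in its Subject Alternative Name extension, only those are consulted and the
    CN is ignored; the CN is used only as a fallback for SAN-less certificates.
    """
    names = cert.get("san_dns") or [cert["cn"]]
    return any(name_matches(name, hostname) for name in names)


def verdict(cert: dict, hostname: str) -> str:
    """The outcome, labelled the way Firefox reports a name mismatch."""
    return "OK" if cert_covers(cert, hostname) else "SSL_ERROR_BAD_CERT_DOMAIN"


# Constructed certificates mirroring the thread's set-up.
PROXY_CERT = {"cn": "rpn.mydomain.com", "san_dns": ["rpn.mydomain.com"]}
WILDCARD_CERT = {"cn": "*.clientdomain.com", "san_dns": ["*.clientdomain.com"]}
# CDN-style shared certificate: the CN is the provider's own host name (a
# placeholder here), and each customer domain is listed as a SAN entry, which is
# why the CN seen in the browser differs from the site visited yet no error appears.
SHARED_CERT = {
    "cn": "sni150734.cloudflaressl.example",
    "san_dns": [
        "sni150734.cloudflaressl.example",
        "*.clientdomain.com", "clientdomain.com",
        "*.anothersite.com", "anothersite.com",
    ],
}


if __name__ == "__main__":
    hosts = ("rpn.mydomain.com", "test.clientdomain.com",
             "clientdomain.com", "a.b.clientdomain.com")
    for label, cert in (("proxy", PROXY_CERT), ("wildcard", WILDCARD_CERT),
                        ("shared", SHARED_CERT)):
        for host in hosts:
            print(f"{label:9s} {host:24s} {verdict(cert, host)}")
```

Running it shows the three situations in the thread side by side: the proxy's own certificate passes only for rpn.mydomain.com, the wildcard passes for test.clientdomain.com but not for the bare clientdomain.com or a deeper subdomain, and the shared certificate passes for every name carried in its SAN list regardless of its CN. On the nginx side the consequence is the one the experts state: each hostname the proxy answers for must be covered by a certificate that nginx actually serves for that server_name, whether that is one certificate per server block or a single wildcard or multi-SAN certificate.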
ASKER
hello,
Regarding my replies: rpn.mydomain.com, which is the reverse proxy domain, is issued from Let's Encrypt.
Regarding the CloudFlare certificate, in the general case it is not for the exact domain name; for example.com it is for
cn: sni150734.cloudflaressl.com !!!
So how do they do it...
In short words, the certificate of CloudFlare customers does not match the requested domain!
Thanks.
Please accept the answer that qualifies and assign points accordingly. Otherwise post back and I will be more than welcome to clarify any additional questions / concerns.
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
CloudFlare actually generates a WildCard for the domain that is setup with them.
Once you import your records into their DNS they handle it accordingly.