nginx Reverse proxy

Hello,
I have Ubuntu Linux 16.10 and I installed nginx.
I want to make it work as a reverse proxy for my backend sites.
The reverse proxy name is: rp.example.com
and I generated a Let's Encrypt cert for that.

The network map is:
wan connection --- nginx reverse proxy https: --- web site name : example1.com http:

example1.com points to the nginx reverse proxy IP.
I want that when the client requests example1.com it connects as https.
In this case the request will be:
client --- https --- nginx server --- http --- example1.com

In short, I want to make something like Cloudflare, which secures the website without requiring a certificate to be issued for the website domain.
thanks.
Asked by Amin El-Zein
Dmitri Farafontov (Linux Systems Admin) commented:
https://en.m.wikipedia.org/wiki/Subject_Alternative_Name
Please have a look at what a SAN is in regards to SSL certificates.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
You can use something like the proxy_pass directive to pass along to your backend:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass

CloudFlare actually generates a wildcard for the domain that is set up with them.
Once you import your records into their DNS they handle it accordingly.
0
 
Amin El-Zein (Author) commented:
I already use it, but when I redirect to the backend server it gives a certificate name error!
How do they generate a certificate for my domain?
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
Yes, because you need to generate a wildcard SSL certificate, with *.yourdomain.com as the CN field, with OpenSSL.
0
 
Amin El-Zein (Author) commented:
You mean an internal certificate from OpenSSL that is installed on nginx?
How will the configuration be? I don't want to show a certificate trust error on the client side, like Cloudflare.
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
Your proxy should serve a wildcard SSL certificate.
https://www.digicert.com/csr-creation.htm
0
 
Amin El-Zein (Author) commented:
If my domain name is example.com and I have a wildcard SSL,
how will the reverse proxy handle example1.com without having any cert on it and without any error?
Cloudflare secures my website without installing any SSL on my server.
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
CloudFlare takes over DNS for your domain name; this way they direct traffic for the records for which you activate the "orange cloud" option. On their end they do generate a wildcard certificate to have the SSL connection going.
0
 
 
Amin El-Zein (Author) commented:
Hello
I already know about their option, but how do they generate a certificate for my domain?
Is there any way to do something like them from my side for many domains?
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
The certificates you generate will not be trusted by a browser. You will need to have your wildcard certificate CSR signed by a certification authority such as VeriSign, GeoTrust, or DigiCert, which is not a FREE service. I have provided the link above on how to generate a CSR for your NGINX server.

Example. I have a domain: testing.com. I have delegated my DNS records (pointed by NS records to CloudFlare as requested). Now they have full control of my domain. I can control which records go through CloudFlare through their control panel under the "DNS" option. On a free tier plan, CloudFlare could generate a multiple wildcard and place multiple domains in the same certificate, such as *.testing.com and *.anothersite.com. Since they control your DNS records, they technically have control of your domain and can issue the SSL certificates on your behalf. However, they would not do anything like that since their reputation is important to them.

In summary, you need to generate a CSR and a private key using openssl, submit it to a certification authority as mentioned above, pay the fee, receive a CRT back, and install the private key and the CRT file on your NGINX server. That's about the only way to do what you want. Side note: if you want to have a free certificate you can use something like https://letsencrypt.org
0
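The key-plus-CSR step described in the answer above, as an added example that is not from the thread or from either participant: it generates a private key and a CSR whose subjectAltName extension lists several customer domains (the "multiple domains in the same certificate" arrangement the answer describes), then reads the names back out of the CSR so you can check them before sending it to a CA. The domain names and the output directory are constructed placeholders; it assumes the openssl CLI, version 1.1.1 or later for the -addext switch.

```shell
#!/bin/sh
# Added example: one CSR carrying several customer hostnames in its SAN list.
# Hostnames below are placeholders; nothing here talks to a CA.
set -eu

# make_san_csr OUTDIR CN NAME...
# Writes OUTDIR/proxy.key and OUTDIR/proxy.csr. The CN is only a label;
# browsers check the SAN entries, so every served hostname goes there.
make_san_csr() {
    outdir=$1; cn=$2; shift 2
    san=""
    for n in "$@"; do
        san="${san}${san:+,}DNS:${n}"
    done
    # 2048-bit RSA key without a passphrase (-nodes), so nginx can load it
    # unattended; restrict the key file's permissions on a real host.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/proxy.key" -out "$outdir/proxy.csr" \
        -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
    chmod 600 "$outdir/proxy.key"
}

# csr_san_names FILE
# Prints the DNS names found in the CSR's SAN extension, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Stand-alone demo: rp.example.com is the proxy's own name, the rest are
# the customer sites it fronts (a wildcard covers every subdomain level-1 name).
demo_dir=$(mktemp -d)
make_san_csr "$demo_dir" rp.example.com \
    rp.example.com example1.com www.example1.com '*.example2.com'
echo "SAN entries in $demo_dir/proxy.csr:"
csr_san_names "$demo_dir/proxy.csr"
```

A CA signs the names in the CSR, so any site missing from this list will fail hostname verification no matter what the CN says. On the OpenSSL 1.0.x shipped with older Ubuntu releases, -addext is unavailable; the same SAN list can be supplied through a req config file with a [ v3_req ] section instead.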
 
Amin El-Zein (Author) commented:
Hello,
sorry, but I have some questions to understand more.
First I will sign a certificate for the nginx server domain name, nginxdomain.com, with Let's Encrypt.
Then I will point clientdomain.com to the nginxdomain.com IP.
Then?
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
1) generate a certificate
2) sign it and install it on nginx
3) use DNS to point it to your proxy
0
 
Amin El-Zein (Author) commented:
Generate from local OpenSSL?
In this case clientdomain.com will appear as an untrusted cert!
thanks.
0
 
Amin El-Zein (Author) commented:
Hello,
any update please?
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
Post the nginx.conf file.
0
 
Amin El-Zein (Author) commented:
I am writing because I want it!
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
What do you mean? Post your basic nginx.conf and we can troubleshoot from there. Or you can start a Gigs project and we can address any of your custom requirements.
0
 
Amin El-Zein (Author) commented:
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;   # semicolon was missing; nginx would refuse to start
    error_log /var/log/nginx/example.com.error.log warn;
    access_log /var/log/nginx/example.com.access.log;   # access_log takes a log format name, not a level
    ssl on;
    ssl_certificate /etc/nginx/ssl/<yourkeys>.crt;
    ssl_certificate_key /etc/nginx/ssl/<yourkeys>.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://reverseexample.com;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # the proxy_cache_* settings below have no effect until a proxy_cache zone is declared
        proxy_cache_key backend$request_uri;
        proxy_cache_valid 200 301 302 20m;
        proxy_cache_valid 404 1m;
        proxy_cache_valid any 15m;
        proxy_cache_use_stale error timeout invalid_header updating;
    }
}
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
You have not defined your upstream as per:
http://nginx.org/en/docs/http/ngx_http_upstream_module.html

Please read up on how proxy_pass works with NGINX:
https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching

Finally, what is the error that you get with your current setup?
0
 
Amin El-Zein (Author) commented:
Hello,
my current configuration:
upstream backend1 {
    server test.clientdomain.com;
}

server {
    listen 80;
    listen 443 ssl;
    server_name rpn.mydomain.com;
    # "ssl on;" removed: with it, the plain port 80 listener would also expect TLS;
    # the "ssl" parameter on the 443 listener is enough
    ssl_certificate /etc/letsencrypt/live/rpn.mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/rpn.mydomain.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    add_header Strict-Transport-Security "max-age=31536000";

    location / {
        proxy_pass http://backend1;
        # without this the backend receives "Host: backend1" (the upstream name)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

error: Error code: SSL_ERROR_BAD_CERT_DOMAIN
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
As mentioned before you need to create a wildcard SSL certificate and have nginx serve it.
0
 
Amin El-Zein (Author) commented:
Wildcard SSL for mydomain.com?
0
 
Amin El-Zein (Author) commented:
What I didn't understand: when I used Cloudflare, I used their cert to protect my domain!
In short words, I want to create something like the Cloudflare service in our company DC.
0
 
Amin El-Zein (Author) commented:
When I open any website that is secured with Cloudflare, the SSL certificate for the requested domain is, for example:
cn: sni150734.cloudflaressl.com
but the requested domain is different!
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
You cannot just proxy SSL with nginx and expect it to work.

You either need a 1) wildcard certificate or 2) the one that matches the CN field.

At any rate those certificates must be signed by a trusted authority for your browser to trust them. This is just how SSL chain of trust works. There are no workarounds.

Now, in the case of CloudFlare, they issue a wildcard certificate signed by Comodo for their free tier customers.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
The certificate must be issued for the domain you are serving. It must either be a wildcard (easiest) or an exact FQDN under the CN field of an SSL certificate issued.
0
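What "serve a certificate issued for the domain you are serving" looks like in nginx, as an added example (not the asker's configuration and not the answerer's): one server block per fronted site, selected by the SNI name the browser sends, each presenting a certificate whose SAN covers that site's names and forwarding to the plain-HTTP origin with the original Host header. Hostnames, the origin address 203.0.113.10 and the certificate paths are placeholders.

```nginx
# Added example: TLS termination for a customer site on a shared reverse proxy.
# The proxy's own name (rpn.mydomain.com) has no role here; the browser checks
# the certificate against the name it typed, example1.com, so that is the
# name the certificate must carry.

upstream example1_backend {
    server 203.0.113.10:80;      # origin reachable over plain HTTP only
}

server {
    listen 80;
    server_name example1.com www.example1.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example1.com www.example1.com;

    # certificate whose SAN lists example1.com and www.example1.com
    # (a wildcard *.example1.com plus the bare name works the same way)
    ssl_certificate     /etc/nginx/ssl/example1.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example1.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://example1_backend;
        # the origin must see the customer's hostname, not the upstream name
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# A second fronted site is another pair of blocks with its own server_name and
# its own certificate, or the same certificate if its SAN lists both sites.
```

Fronting many sites this way means obtaining a certificate for each customer name (or one certificate listing them all); a certificate issued only for the proxy's hostname produces exactly the SSL_ERROR_BAD_CERT_DOMAIN seen earlier in the thread. TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later; drop it on older builds.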
 
Amin El-Zein (Author) commented:
hello,
regarding my replies, rpn.mydomain.com, which is the reverse proxy domain, is issued from Let's Encrypt.
Regarding the Cloudflare certificate, in the general case it is not for the exact domain name; for example.com it is for
cn: sni150734.cloudflaressl.com !!!
So how do they do it...
In short words, the certificate of Cloudflare customers does not match the requested domain!
thanks.
0
 
Dmitri Farafontov (Linux Systems Admin) commented:
It has to match, otherwise you get a browser error. They use a SAN certificate where the domains match not on the CN but rather on an additional field designed for it. If you can provide a real name behind CloudFlare, I can demonstrate this aspect.

There seems to be much confusion on your part on how SSL certificates work in general. If you want, we can do a Live Chat here on EE and I can explain to you what is happening.
0
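The matching rule the answer above describes, as an added example that is not from the thread or from either participant: a TLS client checks the requested hostname against the certificate's subjectAltName DNS entries and ignores the CN whenever a SAN extension is present, which is how a certificate whose CN is sni150734.cloudflaressl.com can still be valid for example1.com. The certificate dicts are constructed in the shape Python's ssl.SSLSocket.getpeercert() returns; the hostnames in them are placeholders taken from the thread.

```python
"""Hostname verification against CN and SAN (added example, not from the thread).
Wildcard handling follows RFC 6125 section 6.4.3 as browsers apply it."""

# Constructed: what a proxy serving only its own name presents.
PROXY_ONLY_CERT = {
    "subject": ((("commonName", "rpn.mydomain.com"),),),
    "subjectAltName": (("DNS", "rpn.mydomain.com"),),
}

# Constructed: a shared certificate with a generic CN and several customer
# domains in the SAN list, the pattern the asker observed behind Cloudflare.
SHARED_SAN_CERT = {
    "subject": ((("commonName", "sni150734.cloudflaressl.com"),),),
    "subjectAltName": (
        ("DNS", "sni150734.cloudflaressl.com"),
        ("DNS", "*.example1.com"),
        ("DNS", "example1.com"),
        ("DNS", "*.anothersite.com"),
        ("DNS", "anothersite.com"),
    ),
}

# Constructed: an old-style certificate with no SAN extension at all.
LEGACY_CN_ONLY_CERT = {
    "subject": ((("commonName", "legacy.example1.com"),),),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard whose '*' is the whole leftmost label and
    stands for exactly one label: '*.example1.com' covers www.example1.com
    but neither example1.com nor a.b.example1.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse "*.com"-style patterns and require the same label count.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """DNS entries of the subjectAltName extension, in order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname."""
    names = san_dns_names(cert)
    if names:
        # SAN present: the CN is not consulted, even if it would match.
        return any(dns_name_matches(n, hostname) for n in names)
    # No SAN extension: fall back to the CN (legacy behaviour).
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False


if __name__ == "__main__":
    certs = (("proxy-only", PROXY_ONLY_CERT), ("shared-SAN", SHARED_SAN_CERT))
    hosts = ("rpn.mydomain.com", "example1.com", "www.example1.com", "a.b.example1.com")
    for label, cert in certs:
        for host in hosts:
            verdict = "ok" if hostname_matches(cert, host) else "SSL_ERROR_BAD_CERT_DOMAIN"
            print(f"{label:11s} {host:18s} {verdict}")
```

Run against the two constructed certificates, the proxy-only certificate fails for example1.com (the error reported earlier in the thread) while the shared-SAN certificate passes for example1.com and www.example1.com despite its unrelated CN; a.b.example1.com fails on both because a wildcard covers a single label.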
 
Dmitri Farafontov (Linux Systems Admin) commented:
Please accept the answer that qualifies and assign points accordingly. Otherwise post back and I will be more than welcome to clarify any additional questions / concerns.
0
Question has a verified solution.