Nginx as Reverse Proxy – Setup for Multiple Domains & Hosts

fedoralets-encryptnginxreverse-proxyssl

This question has probably been asked several times, but with all results I can find and my little knowledge, I'm kind of lost. I'm using Fedora 29.

What I try to do with nginx :

Use one let's encrypt ssl certificate with several domain names
map each domain to a particular internal host (DNS or IP in config file, I don't mind, whatever will work)
all hosts use ssl internally already (no http available – several listening ports)
if you use http from the outside, I would like to have a redirection to https

Sample :

application.domain.com –> https://hostname1.domain.local (or IP 1)
test.domain.com –> https://hostname2.domain.local:1234 (or IP 2)
www.domain.com –> https://hostname3.domain.local (or IP 3)
etc…

How would I be able to do that? Let's encrypt configured me the nginx config automatically but it seems a bit too much.

Many thanks for the answer, I feel I get some progress, even if not working for the moment.
I post here my full config file be cause I have now a "502 Bad Gateway" error. The IP is not in the same subnet as the reverse proxy, but fully accessible, no firewall or routing issue.

Any idea where I can look to move forward ? In original config, there is also a certbot conf file that include cyphers and protocols. Maybe I need to re-include it ?

Also : the internal servers I try to access have certificates signed ith my own AD CS, but no root certificate has been installed on the reverse proxy. Maybe I should ?

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        server_name  _;
        return 301 https://$host$request_uri;
    }

    server {
        listen  443 ssl;
        server_name scans.domain.com;
        ssl  on;
        ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # managed by Certbot

        location  / {
                proxy_pass  https://192.168.XX.YY/;
        }
    }
}

Best Answer

In order to have NGINX resolve multiple domain names to independent proxies, you will need to setup a server block for each domain that you are using (and yes, you need that include provided by LE):

server { listen 443 ssl; server_name application.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname1.domain.local:80/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name test.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname3.domain.local:80/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name www.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname2.domain.local:1234/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } }

Related Solutions

NGINX Reverse Proxy – URL Rewrite

Any redirect to localhost doesn't make sense from a remote system (e.g. client's Web browser). So the rewrite flags permanent (301) or redirect (302) are not usable in your case.

Please try following setup using a transparent rewrite rule:

location  /foo {
  rewrite /foo/(.*) /$1  break;
  proxy_pass         http://localhost:3200;
  proxy_redirect     off;
  proxy_set_header   Host $host;
}

Use curl -i to test your rewrites. A very subtle change to the rule can cause nginx to perform a redirect.

Nginx – Properly setting up a “default” nginx server for https

I managed to configure a shared dedicated hosting on a single IP with nginx. Default HTTP and HTTPS serving a 404 for unknown domains incoming.

1 - Create a default zone

As nginx is loading vhosts in ascii order, you should create a 00-default file/symbolic link into your /etc/nginx/sites-enabled.

2 - Fill the default zone

Fill your 00-default with default vhosts. Here is the zone i am using:

server {
    server_name _;
    listen       80  default_server;
    return       404;
}


server {
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    return       404;
}

3 - Create self signed certif, test, and reload

You will need to create a self signed certificate into /etc/nginx/ssl/nginx.crt.

Create a default self signed certificate:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Just a reminder:

Test the nginx configuration before reloading/restarting : nginx -t
Reload a enjoy: sudo service nginx reload

Hope it helps.