I am trying to convert an old infrastructure featuring several webservers into a virtualized environment with a single public IP address.
All servers are relatively low-traffic, so performance isn't an issue.
I currently have nginx installed directly on my firewall/bastion-host reverse proxying to a few servers (three, at the moment).
I have everything working with plain HTTP.
My current HTTP configuration is (simplified):
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    server {
        listen 80;
        server_name mydom.com www.mydom.com;
        location / {
            proxy_pass http://192.168.99.20:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name redmine.mydom.com git.mydom.com;
        location / {
            proxy_pass http://192.168.99.30:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    server {
        listen 80;
        server_name mail.mydom.com email.mydom.com webmail.mydom.com;
        location / {
            proxy_pass http://192.168.99.10:80;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
Question is: How should I configure nginx to forward HTTPS/SSL?
I tried something along the lines of:
server {
    listen 443 ssl;
    server_name mydom.com www.mydom.com;
    location / {
        proxy_pass https://192.168.99.20;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
but this does not work for lack of ssl_… stanzas.
The "real" (proxied) servers already have their certificates, but nginx seems to need "local" certificates (which I wouldn't like to provide).
What is "best practice" in this usage case?
NOTE: as said, I need to deploy the reverse proxy on my firewall (IPFire), so I'm rather limited in my choices; nginx and haproxy are supported, sniproxy isn't.
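What the question is asking for is TLS passthrough keyed on SNI: the proxy reads the server name from the unencrypted ClientHello and forwards the raw TCP connection to the backend that holds the certificate, so no private keys have to live on the firewall. In nginx this is done with the stream module rather than an http server block. The configuration below is an added example, not part of the original question; it reuses the hostnames and backend addresses from the question and assumes an nginx build that includes ngx_stream_ssl_preread_module (nginx 1.11.5 or later) and that port 443 is not also claimed by an http server block, since the two cannot share the same listening socket.

```nginx
stream {
    # Route on the SNI name read from the ClientHello. Nothing is decrypted here,
    # so the proxy needs no certificate or private key of its own.
    map $ssl_preread_server_name $backend {
        mydom.com           192.168.99.20:443;
        www.mydom.com       192.168.99.20:443;
        redmine.mydom.com   192.168.99.30:443;
        git.mydom.com       192.168.99.30:443;
        mail.mydom.com      192.168.99.10:443;
        email.mydom.com     192.168.99.10:443;
        webmail.mydom.com   192.168.99.10:443;
        # Unknown or absent SNI: send to a closed local port so the connection is
        # refused instead of being guessed onto the wrong backend (assumed choice).
        default             127.0.0.1:9;
    }

    # Log the SNI and chosen backend; this is the only place the firewall
    # can still see which site a passthrough connection was for.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'backend=$backend status=$status '
                   'in=$bytes_received out=$bytes_sent';
    access_log /var/log/nginx/stream-443.log sni;

    server {
        listen 443;
        ssl_preread on;          # parse the ClientHello, do not terminate TLS
        proxy_pass $backend;
        proxy_connect_timeout 5s;
    }
}
```

Two consequences worth knowing before adopting this: the backends see the firewall's address as the client, because there is no HTTP layer in which to set X-Forwarded-For (the PROXY protocol can carry the real address if the backends are configured to accept it), and the existing `listen 443 ssl` http server from the question must go, as the stream server now owns that port.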
Best Answer
Try haproxy
I had success in using it. I port forward all my incoming traffic to the haproxy VM, then it carries over the SSL connections to my websites running in other VMs.
Here is a good start using haproxy
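The approach the answer describes, haproxy in TCP mode passing TLS connections through to the VM that owns each certificate, looks like the following. This is an added example and not the answer's own configuration or the linked guide; it uses the hostnames and backend addresses from the question and assumes the backends listen for TLS on port 443.

```haproxy
defaults
    mode tcp
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend https_in
    bind *:443
    mode tcp
    option tcplog
    # Hold the connection briefly until the ClientHello has arrived,
    # otherwise req_ssl_sni has nothing to inspect yet.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl host_www     req_ssl_sni -i mydom.com www.mydom.com
    acl host_redmine req_ssl_sni -i redmine.mydom.com git.mydom.com
    acl host_mail    req_ssl_sni -i mail.mydom.com email.mydom.com webmail.mydom.com

    use_backend www_tls     if host_www
    use_backend redmine_tls if host_redmine
    use_backend mail_tls    if host_mail
    # Deliberately no default_backend: a connection with an unknown or missing
    # SNI is closed rather than handed to an arbitrary backend.

backend www_tls
    mode tcp
    server www 192.168.99.20:443 check

backend redmine_tls
    mode tcp
    server redmine 192.168.99.30:443 check

backend mail_tls
    mode tcp
    server mail 192.168.99.10:443 check
```

Because the connection is never decrypted on the firewall, the TLS certificates and keys stay on the backend VMs, which is exactly what the question wanted; the trade-off is that the backends see the haproxy VM as the client unless the PROXY protocol (`send-proxy` on the server lines, with matching support on the backend) is used to pass the original address along.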