router:proxy_chain [2025/02/06 10:22] – willy (this revision was later removed by an external edit from 127.0.0.1)

The idea is to have TWO NGINX proxies chained together: the external, public-facing one forwards everything it receives to the internal one.
Currently, I am not using this approach. It's written here just as a concept and because it can be a neat way to host public-only services on the external server and public/

==== External NGINX ====

<file - nginx.conf>
server {
    server_name *.mydomain.com;
    listen 4443 ssl;
    include proxy-chain.conf;
    ssl_certificate /
    ssl_certificate_key /
}

server {
    server_name otherdomain.whatever;
    listen 4443 ssl;
    include proxy-chain.conf;
    ssl_certificate /
    ssl_certificate_key /
}
</file>

<file - proxy-chain.conf>
location / {
    proxy_pass https://
}

include /
ssl_dhparam /
proxy_set_header
proxy_set_header
proxy_set_header
proxy_set_header
proxy_set_header X-Forwarded-Proto $scheme;
# $host, not $server_name: with "server_name *.mydomain.com;" the latter is literally "*.mydomain.com"
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "
proxy_http_version 1.1;
</file>

If using an SSH tunnel, remember to use **127.0.0.1** instead of **10.100.0.1** in the //

Two caveats on this chain. First, the ''proxy_pass https://'' hop to the internal server is not verified by default (''proxy_ssl_verify'' is off): that is fine over the SSH tunnel or a private link, but on an untrusted network enable ''proxy_ssl_verify on'' together with ''proxy_ssl_trusted_certificate''. Second, the internal NGINX sees the external proxy as the client of every request, so it must take the real client address from the X-Forwarded-* headers only when they come from that one address (''set_real_ip_from'' with the external proxy's address, or 127.0.0.1 when the traffic arrives through the tunnel, plus ''real_ip_header X-Forwarded-For;''). Trusting those headers from any source lets a client spoof its own address in logs, access rules and rate limits.


==== Certificates ====

The certificates need to be shared between the internal and the external server. You cannot run certbot on both, because ports 80 and 443 of the external server are redirected to the internal one, so a challenge aimed at certbot on the external server would never reach it and the renewal would fail.

So, on the internal server, zip the certs after any update. A certbot deploy hook (''--deploy-hook'', or a script under ''/etc/letsencrypt/renewal-hooks/deploy/'') is the better trigger because it runs only when a certificate was actually renewed, but twice-daily crontab entries like these also work:
<code>
47 5 * * * /
31 16 * * * /
</code>

On the external server, copy that file over and replace the certs, again from crontab; the jobs are scheduled after the internal ones so they pick up the fresh archive, and they go through the SSH tunnel, hence 127.0.0.1 and port 5022:
<code>
10 6 * * * sftp -P 5022 user@127.0.0.1:/
50 16 * * * sftp -P 5022 user@127.0.0.1:/
</code>

Of course, add the external server's root SSH public key to the user's file /

Since that key lets root on the public-facing host log in to the internal server, restrict it in ''authorized_keys'' (for example with ''restrict,command="internal-sftp"'' in front of the key) so it can only be used for this file transfer, and give that user read access to the archive only.

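As an added example, not one of the scripts behind the crontab lines above (those are cut off on this page), here is a POSIX shell version of both halves of the transfer with the checks a practitioner would want: the packing side refuses to run without both files and creates the archive with owner-only permissions, and the installing side refuses a certificate that does not match the private key or is already expired, renames the files into place, and reloads NGINX only if it is installed and ''nginx -t'' passes. It assumes certbot's ''fullchain.pem''/''privkey.pem'' names, uses tar instead of the page's zip, and the function and directory names are made up for the example.

```sh
#!/bin/sh
# Added example, not the page's own scripts. Assumptions: certbot-style file
# names fullchain.pem/privkey.pem, tar instead of zip, hypothetical names.
set -eu

# pack_certs SRC_DIR OUT_TAR: bundle the pair. The archive holds the private
# key, so it is created under umask 077 (owner-only permissions).
pack_certs() {
    src=$1; out=$2
    [ -f "$src/fullchain.pem" ] && [ -f "$src/privkey.pem" ] || {
        echo "pack_certs: fullchain.pem or privkey.pem missing in $src" >&2
        return 1
    }
    ( umask 077 && tar -C "$src" -cf "$out" fullchain.pem privkey.pem )
}

# cert_matches_key CERT KEY: true when the certificate carries the public half
# of KEY. Both commands emit the SubjectPublicKeyInfo in PEM, so the outputs
# must be identical. A stale or mixed-up archive fails here.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# install_certs TAR DEST_DIR: unpack into a scratch dir inside DEST_DIR (same
# filesystem, so the final mv is an atomic rename), verify, install, reload.
install_certs() {
    tarball=$1; dest=$2
    mkdir -p "$dest"
    tmp=$(mktemp -d "$dest/.incoming.XXXXXX")
    tar -C "$tmp" -xf "$tarball"
    if ! cert_matches_key "$tmp/fullchain.pem" "$tmp/privkey.pem"; then
        echo "install_certs: certificate does not match private key, not installing" >&2
        rm -rf "$tmp"; return 1
    fi
    # -checkend 0 exits non-zero when the certificate is already expired
    if ! openssl x509 -in "$tmp/fullchain.pem" -noout -checkend 0 >/dev/null; then
        echo "install_certs: certificate already expired, not installing" >&2
        rm -rf "$tmp"; return 1
    fi
    chmod 600 "$tmp/privkey.pem"
    chmod 644 "$tmp/fullchain.pem"
    mv -f "$tmp/fullchain.pem" "$dest/fullchain.pem"
    mv -f "$tmp/privkey.pem" "$dest/privkey.pem"
    rmdir "$tmp"
    # reload only once both files are in place, and only if the config is valid
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}

# Usage (internal, from the cron job or a certbot deploy hook):
#   pack_certs /etc/letsencrypt/live/mydomain.com /var/backups/certs.tar
# Usage (external, after the sftp download):
#   install_certs /tmp/certs.tar /etc/nginx/certs
```

The match check matters because the two cron jobs are only loosely ordered: if the external side ever downloads an archive while the internal side is still writing it, or the archive layout changes, installing a certificate whose key does not match takes every site on the external proxy offline at the next reload.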
**Note:** it should be possible to avoid this by using certbot on both the internal and the external server at the same time, but I have not attempted it yet.