The idea is to have TWO NGINX proxies linked by a WireGuard tunnel: the external one terminates TLS on a public host and forwards everything over the tunnel to the internal one.

External NGINX

WireGuard setup

Internal server config, in /etc/wireguard/:

wg0.conf
[Interface]
PrivateKey = << here my private key >>
Address = 10.100.0.1/24 # choose a dedicated subnet for the tunnel

[Peer] # this is the external server
PublicKey = << here external public key >>
Endpoint = << external server IP >>:5790
AllowedIPs = 10.100.0.2/24
PersistentKeepAlive = 25

External server config, in /etc/wireguard/:

wg0.conf
[Interface]
PrivateKey = << external server private key >>
Address = 10.100.0.2/24
ListenPort = 5790

[Peer] # this is the internal server
PublicKey = << internal server public key >>
#Endpoint =  # internal server has no public IP, leave this commented.
AllowedIPs = 10.100.0.1/32 # Only allow internal server packets through the wireguard tunnel!
PersistentKeepAlive = 25

Enable the interface at boot and start it now, on both servers (OpenRC):

ln -s /etc/init.d/wg /etc/init.d/wg.wg0
rc-update add wg.wg0 default
/etc/init.d/wg.wg0 start
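As an added check (example script, not part of the original page), the following POSIX shell lint reads a wg0.conf like the two above and reports the things that matter for the external side of this setup. AllowedIPs is WireGuard's cryptokey routing table: a peer entry wider than /32 both routes that whole subnet to the peer and accepts packets from any source address in it arriving over that peer's tunnel, which is why the external config pins the internal peer to 10.100.0.1/32. The script also reports << ... >> placeholders left in the file and a config file readable by group or others, since it holds the private key. The file path passed in is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for a WireGuard
# config such as the wg0.conf files above. Usage: wg_lint /etc/wireguard/wg0.conf

# Print one finding per line; return 1 if anything was found, 0 if clean.
wg_lint() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    status=0

    # The private key lives in this file, so it must not be group/world readable.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]; then
        echo "$f is readable by group or others (it contains PrivateKey)"
        status=1
    fi

    # Per-line checks in awk: leftover placeholders and over-wide AllowedIPs.
    awk '
        BEGIN { bad = 0; peer = 0 }
        /^[ \t]*#/ { next }                        # skip comment lines
        /^[ \t]*\[Peer\]/ { peer++; next }         # count peer sections
        /<<.*>>/ { print "placeholder still in file: " $0; bad = 1; next }
        /^[ \t]*AllowedIPs[ \t]*=/ {
            v = $0
            sub(/#.*/, "", v)                      # strip a trailing comment
            sub(/^[^=]*=[ \t]*/, "", v)            # keep only the value
            n = split(v, ips, ",")
            for (i = 1; i <= n; i++) {
                ip = ips[i]
                gsub(/[ \t]/, "", ip)
                if (ip == "") continue
                if (ip !~ /\/32$/) {
                    print "peer " peer ": AllowedIPs " ip " is wider than one host; use /32 unless this peer must route a whole subnet"
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$f" || status=1

    return $status
}
```

Run it on the external server after editing the config; a clean file gives no output and exit status 0, so it can sit in front of the `/etc/init.d/wg.wg0 start` line in a deploy script.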

External NGINX

nginx.conf
        server {
                server_name *.mydomain.com;
                listen 4443 ssl;
                include proxy-chain.conf;
                ssl_certificate /etc/letsencrypt/live/home.mydomain.com/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/home.mydomain.com/privkey.pem;
        }

        server {
                server_name otherdomain.whatever;
                listen 4443 ssl;
                include proxy-chain.conf;
                ssl_certificate /etc/letsencrypt/live/otherdomain.whatever/fullchain.pem;
                ssl_certificate_key /etc/letsencrypt/live/otherdomain.whatever/privkey.pem;
        }
proxy-chain.conf
location / {
        proxy_pass https://10.100.0.1:8443/;
}

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
proxy_set_header   Host $host;
proxy_set_header   ProxyHost $proxy_host;
proxy_set_header   X-Real-IP $remote_addr;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;

Certificates

The certificates need to be shared between the internal server and the external server. You cannot run certbot on both, because ports 80 and 443 of the external server are redirected to the internal one, so certbot on the external server would not work.

So, on the internal server, pack the certs after every renewal; edit the crontab like:

47 5 * * * /etc/letsencrypt/certbot-renew.sh && (cd /etc && tar cJf /home/user/certs-copy.tar.xy letsencrypt) >> /root/certbot.log 2>&1
31 16 * * * /etc/letsencrypt/certbot-renew.sh && (cd /etc && tar cJf /home/user/certs-copy.tar.xy letsencrypt) >> /root/certbot.log 2>&1

On the external server, fetch that file and replace the certs, again in the crontab:

10 6 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xy /root/certs-copy.tar.xy && cd /etc &&  tar xvf /root/certs-copy.tar.xy && chown root:root -R letsencrypt && /etc/init.d/nginx restart
50 16 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xy /root/certs-copy.tar.xy && cd /etc &&  tar xvf /root/certs-copy.tar.xy && chown root:root -R letsencrypt && /etc/init.d/nginx restart

Of course, add the external server's root SSH public key to the user's /home/user/.ssh/authorized_keys for passwordless access.
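A hardened version of the external server's cron step, as an added example (not from the original page): the archive arrives from another host and is unpacked by root inside /etc, so the script first lists its members and refuses anything outside letsencrypt/ (absolute paths, `..` components, other trees), then extracts into a staging directory, swaps the tree while keeping the previous one as letsencrypt.old for rollback, and reloads nginx only after `nginx -t` accepts the new files. The archive name and the /etc/letsencrypt tree are the page's; the staging directory, the letsencrypt.old copy and using `nginx -s reload` instead of `/etc/init.d/nginx restart` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): a safer replacement for the
# external server's "untar in /etc and restart nginx" cron line.

# Accept the archive only if every member stays inside letsencrypt/. The
# archive was produced on another host, so a root cron job must treat it
# as untrusted input before extracting it into /etc.
archive_is_safe() {
    [ -r "$1" ] || return 1
    tar tf "$1" >/dev/null 2>&1 || return 1           # unreadable or not a tar
    tar tf "$1" | awk '
        BEGIN { bad = 0 }
        /^\//                 { bad = 1 }             # absolute path
        /^\.\.(\/|$)/         { bad = 1 }             # leading ".." component
        /\/\.\.(\/|$)/        { bad = 1 }             # ".." further down
        !/^letsencrypt(\/|$)/ { bad = 1 }             # outside the expected tree
        END { exit bad }
    '
}

# $1 = archive, $2 = directory holding letsencrypt/ (the page uses /etc).
install_certs() {
    archive=$1
    parent=${2:-/etc}
    if ! archive_is_safe "$archive"; then
        echo "refusing to extract $archive" >&2
        return 1
    fi
    # Extract next to the target first so a bad archive never leaves a
    # half-replaced /etc/letsencrypt behind.
    stage=$(mktemp -d "$parent/letsencrypt.stage.XXXXXX") || return 1
    if ! tar xf "$archive" -C "$stage"; then
        rm -rf "$stage"
        return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$stage/letsencrypt"       # as the page's cron line does
    fi
    # Swap the trees, keeping the previous one for rollback.
    rm -rf "$parent/letsencrypt.old"
    if [ -d "$parent/letsencrypt" ]; then
        mv "$parent/letsencrypt" "$parent/letsencrypt.old"
    fi
    mv "$stage/letsencrypt" "$parent/letsencrypt"
    rmdir "$stage"
    # Reload rather than restart so open connections survive; only if nginx
    # is installed here and accepts the new certificate files.
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
    fi
}
```

Put both functions in a script file and keep the sftp fetch from the crontab as it is, followed by `install_certs /root/certs-copy.tar.xy`; a rejected archive leaves the running certificates untouched and logs a refusal instead of silently restarting nginx with whatever was in the tarball.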
