I'd like to have a reverse HTTPS proxy that CANNOT decrypt proxied traffic (ie an HTTPS passthrough/tunnel). The idea is to run this proxy on a VPS and point a domain to it, allowing for the IP address of the origin server to remain unexposed while maintaining end-to-end encryption.
Is this possible? I could probably proxy requests without difficulty since the destination address in that direction is fixed, but proxying responses seems problematic given that the proxy would be unable to read the client IP within an encrypted response.
A potential solution is to have the origin server package the encrypted response and destination address in a request made to the proxy, but I am unsure as to how I might generate the encrypted request without sending it (using node.js, which is the application running on the origin server).
From your question, I got that you want to listen to requests from your VPC server and pass the request to your other server which has to remain unexposed.
This can be configured with the web server which you are using for proxy ( considering AWS allows port forwarding from a VPN server to non-VPN server ).
I prefer doing this with Nginx as it is easy, open-source with less code and more functionality.
There is a concept of load balancing which does the same as you mentioned above.
steps :
Install Nginx and keep it active.
Create a new configuration file in /etc/nginx/sites-enabled
write the below code with modifications:
http {
upstream myapp1 {
server srv1.example.com;
server srv2.example.com;
server srv3.example.com;
}
server {
listen 80;
location / {
proxy_pass http://myapp1;
}
}
}
and at the place of srv1.example.com and srv2.example.com add the domain to which you want to redirect requests
Save the file and restart the Nginx
Boom!! it should redirect all incoming requests to your application.
Related
This question has been asked awhile ago but I am not sure it fits my needs so I want to explain my usage.
First warn, I am a noob.
We have an nginx reverse proxy with a cert. It directs to another nginx app server without a cert (internal communications don't need to be over https). Basically want to off load from https to http internally.
How do we configure it so we hit the app server on port 80? It still appears to be hitting the app server on 443. Getting an ERR_CERT_COMMON_NAME_INVALID error. I assume that it is being thrown by the app server.
In proxy.conf we have set:
proxy_pass http://<app server ip address>
You don't want to redirect, you want to proxy.
It sounds like the certificate on the nginx proxy server is not correct. Specifically that the certificate and the domain don't match
location /some/path/ {
proxy_pass http://www.example.com/link/;
}
https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
I have a server over HTTPS on NodeJS with Express.
When uploading a file, I have used the req.protocol directive in the controller to get either the HTTP or HTTPS "part" of the URL, so that I can save the file with the absolute URL. The problem is that without enabling the "trust proxy" setting of express (http://expressjs.com/en/api.html#trust.proxy.options.table), HTTPS doesn't get detected.
I thought this setting was used in the case of the actual redirect (when using the HTTP URL and the server doing the 301 redirect to HTTPS).
So this is more of an explanation question, rather than a solution one:
Why doesn't the HTTPS get detected when calling the URL through that?
trust proxy has nothing to do with 301 redirects.
That settings is important when running your node server behind a proxy:
+----------HTTPS--------+---HTTP---+
| | |
client --> internet --> proxy --> node.js
It is typical that you have some sort of proxy between the internet and your node server; for example a CDN server, a load balancer, or simply an nginx instance or such. The HTTPS connection is established between the client and that proxy. The proxy cares about the necessary wrangling of the SSL certificate and encrypting the connection and doesn't burden your application server (node) with those details. It is then forwarding only the relevant details of the request via plain HTTP to your node server. Your server only sees the proxy as the origin of the request, not the client.
Since the node server didn't itself handle the HTTPS connection, how could it know whether the connection between the client and the proxy was HTTPS? It can't. The proxy needs to voluntarily forward that information too. It does so in the X-Forwarded-* HTTP headers. The information whether it was specifically HTTP or HTTPS is sent in the X-Forwarded-Proto header.
The thing is, those are just HTTP headers. Anyone can set those headers. The client itself could set those headers. That's why you need to explicitly opt into using those headers with the trust proxy setting, iif and when you know your app will be running behind a proxy which sets those headers. When you're not running behind a proxy but your node server is directly exposed to the internet, you must switch that setting off; otherwise anyone could set those headers, your server would obey those headers and be lead to use false information.
I want to use Nginx to expose my NodeJS server listening on port 443.
I don't want to manage the SSL certificate with Nginx. I would rather do that on the NodeJS server using the SNICallback option of https.createServer.
How do I setup the nginx.conf to support this?
You're looking for ssl pass-through. You'll set up your nginx to use TCP load balancing (even if you only have one server it's still thought of as load balancing) and ssl passthrough.
Note that nginx will be unable to access any of the content and that you will lose almost all of the advantages of using a proxy other than the ability to do load balancing.
See these instructions for a specific configuration example.
You can configure nginx to pass the encrypted traffic to the node.js server.
stream {
server {
listen 443;
proxy_pass your.node.js:443;
}
}
Note that you will have no access-log or any other means of access to the data.
I'm struggling to find a solution to this, or even get information if it is even possible.
I have a NodeJS backend, which currently accesses APIs on a SSL protected server (let's call it https://whatever.com).
I would like to proxy those http calls through Nginx so I could better collect rich log data, which is very easy for to get from Nginx. (Not so easy from Node, which would require a change in the backend, plugins and whatnot).
It seems, from the "solutions" I've found, that this is not possible unless I have a domain name to use for this Nginx, so I could get a proper (and not self-signed) certificate. Is this accurate? It is only an internal webserver, to proxy outgoing connections, it would not be publicly available.
If I do something and straightfoward (which I would if it was pure 'http') as
upstream apigw {
server whatever.com:443;
}
server {
listen 8088;
server_name nodeapiproxy;
location / {
proxy_pass https://apigw;
}
}
I get a weird 'Unknown domain' error which tells me very little.
Ideally, I would like to make port-80 calls to this Nginx, and it would forward them to whatever.com. But port-443-https would be fine too, if only I could get it working with a self-signed certificate or, even better, with no certificate at all.
Suppose I have 1 nginx server and many Websocket servers:
server1.exmaple.com
server2.example.com
server3.example.com
When there is only a few concurrent connection Nginx can handle the traffic to and from the servers using upstream and proxy_pass.
Because users can send much more Websocket message than HTTP request in a given time, there is going to be a turning point when Nginx can't handle anymore message because it is out of network resources.
Adding more upstream servers won't help because the bottleneck is the server all users conenct to, the Nginx server.
If Nginx can do redirection when the Websocket handshake happens the browser can use that direct connection to each server and leave Nginx out of this.
If these servers can't handle the traffic I can just add more.
Is it possible to do redirection with Nginx instead of proxying, I can't find any demo or documentation about it?