This question has been asked awhile ago but I am not sure it fits my needs so I want to explain my usage.
First warn, I am a noob.
We have an nginx reverse proxy with a cert. It directs to another nginx app server without a cert (internal communications don't need to be over https). Basically want to off load from https to http internally.
How do we configure it so we hit the app server on port 80? It still appears to be hitting the app server on 443. Getting an ERR_CERT_COMMON_NAME_INVALID error. I assume that it is being thrown by the app server.
In proxy.conf we have set:
proxy_pass http://<app server ip address>
You don't want to redirect, you want to proxy.
It sounds like the certificate on the nginx proxy server is not correct. Specifically that the certificate and the domain don't match
location /some/path/ {
proxy_pass http://www.example.com/link/;
}
https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
Related
I have an Ubuntu VPS, and I have dockerized a simple Vue App, which is served by Nginx. I have set up SSL for it.
On same host, I have a container running Nodejs Express, which is routing simple queries to MySql database. Express is listening port 8080.
Everything works invidually - I can access the site with 443, and separately I can access the rest api with http://domain:8080 in Postman.
I have however been stuck with how to get Express to listen for https requests so I can use the rest api within the site.
Do I need another SSL cert for the Express? Or is enough if I bypass some url to the localhost:8080? Obviously I still want the site to be accessible with https://domain
What did I miss? Or did I miss it totally?
What I tried was something like:
location /api {
proxy_pass http://localhost:8080;
}
Within both 80 and 443 nginx listeners.
I however always get 502 badateway, if I try to access https://domain/api/foo. I expected it to return response from http://domain:8080/foo.
What I was doing wrong was that the nginx container passed proxy to localhost, which of course I realized a bit late that was pointing to nginx container localhost, not the actual host.
I rewrote my compose.yml, the containers are now in the same network, which provides access to nodejs container in the nginx conf.
Now it works as expected.
I'd like to have a reverse HTTPS proxy that CANNOT decrypt proxied traffic (ie an HTTPS passthrough/tunnel). The idea is to run this proxy on a VPS and point a domain to it, allowing for the IP address of the origin server to remain unexposed while maintaining end-to-end encryption.
Is this possible? I could probably proxy requests without difficulty since the destination address in that direction is fixed, but proxying responses seems problematic given that the proxy would be unable to read the client IP within an encrypted response.
A potential solution is to have the origin server package the encrypted response and destination address in a request made to the proxy, but I am unsure as to how I might generate the encrypted request without sending it (using node.js, which is the application running on the origin server).
From your question, I got that you want to listen to requests from your VPC server and pass the request to your other server which has to remain unexposed.
This can be configured with the web server which you are using for proxy ( considering AWS allows port forwarding from a VPN server to non-VPN server ).
I prefer doing this with Nginx as it is easy, open-source with less code and more functionality.
There is a concept of load balancing which does the same as you mentioned above.
steps :
Install Nginx and keep it active.
Create a new configuration file in /etc/nginx/sites-enabled
write the below code with modifications:
http {
upstream myapp1 {
server srv1.example.com;
server srv2.example.com;
server srv3.example.com;
}
server {
listen 80;
location / {
proxy_pass http://myapp1;
}
}
}
and at the place of srv1.example.com and srv2.example.com add the domain to which you want to redirect requests
Save the file and restart the Nginx
Boom!! it should redirect all incoming requests to your application.
I got a nodeJS express API /w nginx up and running on an ubuntu server. I've set up everything but when I try to access the API (https://167.xx.xx.xx:80/get-all-products) directly or through my client I get this error:
ERR_SSL_PROTOCOL_ERROR
I've did some searching and I found out that this could be because my server does not have a valid ssl certificate but for a ssl certificate I would need to have a domain / be the owner of the ip adress which I guess i'm not as the server is hosted by another company.
How can I fix this error without having to buy a domain for my server?
https://167.xx.xx.xx:80/... ...
I've did some searching and I found out that this could be because my
server does not have a valid ssl certificate
This isn't the case here yet. The problem instead is that you are simply trying to switch from http:// on port 80 to https:// on port 80 without having the server setup for HTTPS. Thus the client will try to speak HTTPS while the server only understands HTTP - and this causes the failure you see.
To be able to use https:// in the URL you need to setup the server for this and the configuration must use a certificate which matches the URL (domain or IP) - no way around this.
I want to use Nginx to expose my NodeJS server listening on port 443.
I don't want to manage the SSL certificate with Nginx. I would rather do that on the NodeJS server using the SNICallback option of https.createServer.
How do I setup the nginx.conf to support this?
You're looking for ssl pass-through. You'll set up your nginx to use TCP load balancing (even if you only have one server it's still thought of as load balancing) and ssl passthrough.
Note that nginx will be unable to access any of the content and that you will lose almost all of the advantages of using a proxy other than the ability to do load balancing.
See these instructions for a specific configuration example.
You can configure nginx to pass the encrypted traffic to the node.js server.
stream {
server {
listen 443;
proxy_pass your.node.js:443;
}
}
Note that you will have no access-log or any other means of access to the data.
Suppose I have 1 nginx server and many Websocket servers:
server1.exmaple.com
server2.example.com
server3.example.com
When there is only a few concurrent connection Nginx can handle the traffic to and from the servers using upstream and proxy_pass.
Because users can send much more Websocket message than HTTP request in a given time, there is going to be a turning point when Nginx can't handle anymore message because it is out of network resources.
Adding more upstream servers won't help because the bottleneck is the server all users conenct to, the Nginx server.
If Nginx can do redirection when the Websocket handshake happens the browser can use that direct connection to each server and leave Nginx out of this.
If these servers can't handle the traffic I can just add more.
Is it possible to do redirection with Nginx instead of proxying, I can't find any demo or documentation about it?