reverse proxy with nginx ssl passthrough

Submitted by 社会主义新天地 on 2020-01-24 20:37:40

Question


Dear all

I have following situation.

I have several IIS web servers hosting multiple web applications on each IIS server. They do have a public certificate on each system. Every IIS server has a unique IP. All IIS servers are placed in the same DMZ.

I have set up an nginx system in another DMZ. My goal is to have nginx handle all the requests to the IIS from the Internet and JUST pass through all the SSL and certificate checking to the IIS, so it works as it did before nginx. I don't want to have nginx break up the certificates, offload them, etc.

Before I try to rumble with the nginx reverse proxy to get it done (since I'm not very familiar with nginx), my question would be: is this possible?

Believe me, I've googled time and again and could not find something which answers my question(s). Or maybe I'm too dumb to google correctly. I've even searched for passthrough, reverse proxy, offloading.

So far I've gathered that nginx probably needs some extra modules. Since I have an "apt-get" installation, I don't even know how to add them.

Your help would be most appreciated.

Many Thanks

Haydar


Answer 1:


Never mind, I found the solution:

Issue:

  1. Several web servers with various applications on each are running behind a firewall and respond only on port 443
  2. The web servers have a wildcard certificate, they are IIS web servers (whoooho, very brave), and each has a public IP address
  3. It is requested that all web servers should no longer be exposed to the Internet and be moved to a DMZ
  4. Since IPv4 addresses are short these days, it is not possible to get more IP addresses
  5. Nginx should only pass through the requests. No certificate break, decrypt, re-encrypt between web server and reverse proxy or whatsoever.

Solution:

  1. All web servers should be moved to an internal DMZ
  2. A single nginx reverse proxy should handle all requests based on the web servers' DNS entries and map them. This makes the need for public IPv4 addresses obsolete
  3. All web servers would get a private IP
  4. A wildcard certificate would be just fine to handle all aliases for DNS forwarding.

Steps to be done:

1. A single nginx RP should be placed in the external DMZ.

2. Configure nginx: install nginx on a fully patched Debian with apt-get install nginx. At this point you'll get version 1.14 of nginx. Of course you may compile it too.

3. If you have installed nginx the apt-get way, it will be configured with the following modules, which you will need later: ngx_stream_ssl_preread, ngx_stream_map, and stream. Don't worry, they are already in the package. You may check with nginx -V.

4. External DNS configuration: all DNS requests from the Internet should point to the nginx.

E.g.  webserver1.domain.com --> nginx
      webserver2.domain.com --> nginx
      webserver3.domain.com --> nginx

5. Configure the nginx reverse proxy:

  • cd to /etc/nginx/modules-enabled
  • vi a filename of your choice (e.g. passtru). Content of this file:


# Debian's nginx.conf includes /etc/nginx/modules-enabled/*.conf at top level,
# so this file needs a .conf suffix and the stream block must sit outside http {}.
stream {

    # Route on the SNI host name read from the unencrypted ClientHello.
    # The values on the right must match the upstream names defined below.
    # A connection with a missing or unknown SNI leaves $name empty and is
    # rejected by nginx (see error.log); add a 'default some_backend;' line
    # only if such connections should be routed somewhere.
    map $ssl_preread_server_name $name {
        webserver01.domain.com webserver01_backend;
        webserver02.domain.com webserver02_backend;
    }

    upstream webserver01_backend {
        server 192.168.0.1:443;  # or DNS name
    }

    upstream webserver02_backend {
        server 192.168.0.2:443;  # or DNS name
    }

    # $status, $upstream_* and $session_time are the stream-module variables;
    # there is no request line or HTTP status here because nothing is decrypted.
    log_format basic '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
                     '"$upstream_bytes_sent" "$upstream_bytes_received" '
                     '"$upstream_connect_time"';

    access_log /var/log/nginx/access.log basic;
    error_log  /var/log/nginx/error.log;

    server {
        listen 443;
        ssl_preread on;       # peek at the SNI without terminating TLS
        proxy_pass $name;     # forward the raw TCP stream to the selected upstream
    }
}

6. Unlink the default virtual web server: rm /etc/nginx/sites-enabled/default

7. Redirect all HTTP traffic to HTTPS:

  • create a file with vi /etc/nginx/conf.d/redirect.conf and add the following code


server {
    listen 80;
    # Send any plain-HTTP request to the same host over HTTPS (301 = permanent)
    return 301 https://$host$request_uri;
}

  1. Test: nginx -t
  2. Reload: systemctl reload nginx
  3. Open up a browser and check /var/log/nginx/access.log while calling the web servers

  4. Finish
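The whole procedure above rests on nginx's ssl_preread, which only peeks at the server_name (SNI) extension in the unencrypted TLS ClientHello and never decrypts anything, which is why the IIS servers keep presenting their own certificates and nginx needs no private key. The Python script below is an added example and not part of the original post: it builds a constructed ClientHello, extracts the SNI the way ssl_preread does, and maps it to an upstream the way the map block does. It also shows the two cases the map has to take a position on: a client that sends no SNI at all (or plain HTTP to port 443) and a host name that has no map entry. The backend names (webserver01_backend, webserver02_backend) and the default policy in route() are assumptions for illustration.

```python
"""Model of nginx ssl_preread SNI routing (added example, not from the post)."""
import struct

TLS_HANDSHAKE = 0x16       # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01     # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # extension type: server_name (SNI), RFC 6066

# Mirrors the nginx map block; upstream names are assumptions.
BACKENDS = {
    "webserver01.domain.com": "webserver01_backend",
    "webserver02.domain.com": "webserver02_backend",
}


def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS 1.2 ClientHello record.

    server_name=None yields a hello without an SNI extension, which is what a
    very old client, or one connecting by raw IP address, sends.
    """
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    # An unrelated extension (supported_versions, 0x002b) so the parser has to skip.
    versions = b"\x02\x03\x03"
    exts += struct.pack("!HH", 0x002B, len(versions)) + versions
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (fixed, test data only)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(data):
    """Return the lowercased SNI host_name from a ClientHello record, or None.

    None covers: not a TLS handshake record (e.g. plain HTTP sent to 443), not a
    ClientHello, a truncated record, or a hello carrying no SNI extension.
    Nothing is decrypted: the ClientHello is always on the wire in the clear.
    """
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        rec = data[5:5 + rec_len]
        if len(rec) != rec_len or rec[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hello = rec[4:4 + hs_len]
        if len(hello) != hs_len:
            return None                               # truncated record
        pos = 2 + 32                                  # skip client_version and random
        pos += 1 + hello[pos]                         # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                         # compression_methods
        if pos + 2 > len(hello):
            return None                               # no extensions block at all
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                name = edata[5:5 + name_len]
                if len(name) == name_len:
                    return name.decode("ascii", "replace").lower()
        return None
    except (IndexError, struct.error):
        return None


def route(data, backends=BACKENDS, default=None):
    """Pick an upstream the way the nginx map does.

    default=None models a map without a 'default' line: $name stays empty and
    nginx closes the connection instead of guessing a backend.
    """
    return backends.get(extract_sni(data), default)


if __name__ == "__main__":
    for label, hello in [("with SNI", build_client_hello("webserver02.domain.com")),
                         ("no SNI", build_client_hello(None)),
                         ("plain HTTP", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")]:
        print(f"{label:10s} sni={extract_sni(hello)!r} -> {route(hello)!r}")
```

Because the proxy only ever sees the SNI, it can route by host name but not inspect or rewrite anything else, and a client that omits SNI (or hides it with Encrypted Client Hello) cannot be dispatched by name: it either hits the map's default entry or is refused, which is the trade-off of passthrough compared to TLS termination on nginx.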



Source: https://stackoverflow.com/questions/59624481/reverse-proxy-with-nginx-ssl-passthrough
