问题
Dear all
I have following situation.
I have several ISS Webservers hosting multiple web applications on each IIS server. The do have a public certificate on each system. Every IIS has an unique IP. All IIS Server are placed in the same DMZ
I have setup an nginx System in another DMZ. My goal is, to have nginx handle all the requests to the IIS from the Internet and JUST passthrough all the SSL and certificates checking to the IIS. So as it was before nginx. I don't want to have nginx break up the certificates, or offloads them etc..
Before I try to rumble with nginx reverse proxy to get it done (since I'm not very familiar with nginx), my question would be, if this is possible?
Believe me I've googled times and times and could not find something which answers my question(s) Or maybe I'm too dumb google correctly. I've searched even for passthrough, or reverse proxy, offloading.
So far I've gathered, nginx needs probably some extra mods. Since I have a "apt-get" Installation, I don't even know how to add them.
Your help would be most appreciated.
Many Thanks
Haydar
回答1:
nevermind I found the solution:
Issue:
- Several Webservers with various applications on each are running behind a FW and responding only on Port 443
- The Webservers have a wildcard Certificate, they are IIS Webservers(whoooho very brave), have public IP addresses on each
- It is requested, that all webserver should not be exposed to the Internet and moved to a DMZ
- Since IP4 addresses are short these days, it is not possible get more IPs addresses
- Nginx should only passthrough the requests. No Certificate break, decrypt, re-encrypt between webserver and reverse proxy or whatsoever.
Solution:
- All websservers should be moved to a internal DMZ
- A single nginx reverse proxy should handle all requests based on the webservers DNS entries and map them. This will make the public IP4 address needs obsolete
- All webservers would get a private IP
- A wild certificate would be just fine to handle all aliases for DNS forwarding.
Steps to be done:
1. A single nginx RP should be placed on the external-DMZ.
2. Configure nginx:
- Install nginx on a fully patched debian with apt-get install nginx
. At this Point
you'll get Version 1.14 for nginx. Of course you may compile it too
- If you have installed nginx by the apt-get way, it will be configured with the following modules, which you will need later:
ngx_stream_ssl_preread, ngx_stream_map, and stream
. Don't worry, they are already in the package. You may check withnginx -V
4. external DNS Configuration: - all DNS request from the Internet should point the nginx.
E.g webserver1.domain.com --> nginx webserver2.domain.com --> nginx webserver3.domain.com --> nginx
5. Configuration nginx reverse-proxy
- CD to
/etc/nginx/modules-enabled
- vi a filename of your choice (e.g. passtru) Content of this file:
enter code here
stream {
map $ssl_preread_server_name $name {
webserver01.domain.com webserver01_backend;
webserver02.domain.com webserver02_backend;
}
upstream support_backend {
server 192.168.0.1:443; # or DNS Name
}
upstream intranet_backend {
server 192.168.0.2:443; # or DNS Name
}
log_format basic '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time "$upstream_addr" '
'"$upstream_bytes_sent" "$upstream_bytes_received"
"$upstream_connect_time"';
access_log /var/log/nginx/access.log basic;
error_log /var/log/nginx/error.log;
server {
listen 443;
proxy_pass $name; # Pass allrequests to the above defined variable container $name
ssl_preread on;
}
}
6. Unlink the default virtual webserver
rm /etc/nginx/sites-enabled/default
7. Redirect all http traffic to https:
- create a file vi /etc/nginx/conf.d/redirect.conf add following code
enter code here
server {
listen 80;
return 301 https://$host$request_uri;
}
- test
nginx -t
- reload
systemctl reload nginx
Open up a browser and check the
/var/log/nginx/access.log
while calling the webserversFinish
来源:https://stackoverflow.com/questions/59624481/reverse-proxy-with-nginx-ssl-passthrough