I am trying to set up a reverse proxy server, with TLS passthrough.
I am behind CGNAT, so I cannot forward any ports from my home server. So, my current workaround was that I connected my home server to a VPS via WireGuard and used Nginx Proxy Manager (NPM) to proxy services running on different docker containers to the VPS, so that they are accessible publicly. But now I want to use TLS passthrough for better privacy. But I cannot find any guides for my case.
I need help with 2 issues, basically. Let’s take a look at my passthrough.conf file, which I have included in nginx.conf file.
stream {
# Listen for incoming TLS connections on service1.domain.me
server {
listen 443;
proxy_pass service1.domain.me;
proxy_ssl on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_name $ssl_preread_server_name;
}
# Listen for incoming TLS connections on service2.domain.me
# server {
# listen 443;
# proxy_pass service2.domain.me;
# proxy_ssl on;
# proxy_ssl_protocols TLSv1.2 TLSv1.3;
# proxy_ssl_name $ssl_preread_server_name;
# }
# Define the backend server for service1.domain.me
upstream service1.domain.me {
server homeserverIP:port;
}
# Define the backend server for service2.domain.me
# upstream service2.domain.me {
# server homeserverIP:port;
# }
}
The services are running in docker containers on different ports. When I used two server blocks and two upstream blocks, I got this error while testing NGINX config: nginx: [emerg] duplicate "0.0.0.0:443" address and port pair in /etc/nginx/passthrough.conf:13. So, I commented out the other server block and tested it again. The test was successful, but NGINX failed to restart. When I checked the systemctl status I saw: nginx[2480644]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use). This is because I am already hosting multiple WordPress sites on this VPS.
Here’s my nginx.conf file:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
client_max_body_size 100M;
server_tokens off;
}
#include /etc/nginx/passthrough.conf;
I do not know much about NGINX configuration, any help or article links would help.
Hi OP,
I don’t know how to do TLS pass-through, but I think you could just run NAT (configure the firewall on your VPS) and host your reverse proxy at home. No need for TLS pass-through in such a case, unless you absolutely need to host the proxy on the VPS.
Cheers
I am not sure how to do that. Can you, please, link a guide or any documentation? Does this method prevent the VPS provider from looking into the data being passed through?
I don’t have any guide (haven’t looked for one). The concept is simple:
nftablesoriptablesto forward traffic coming from a certain IP/port through your VPN connection to your router.I believe there are ways to encrypt one’s RAM on a VPS but you likely don’t need it here, and that might be beyond the scope of this discussion anyway.
Cheers. I was given this idea by another person on Lemmy, I’m just pushing this wonderful idea forward.