NGINX config for TLS passthrough with multiple services?
I am trying to set up a reverse proxy server, with TLS passthrough.
I am behind CGNAT, so I cannot forward any ports from my home server. So, my current workaround was that I connected my home server to a VPS via WireGuard and used Nginx Proxy Manager (NPM) to proxy services running on different docker containers to the VPS, so that they are accessible publicly. But now I want to use TLS passthrough for better privacy. But I cannot find any guides for my case.
I need help with 2 issues, basically. Let's take a look at my passthrough.conf file, which I have included in nginx.conf file.
stream {
# Listen for incoming TLS connections on service1.domain.me
server {
listen 443;
proxy_pass service1.domain.me;
proxy_ssl on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_name $ssl_preread_server_name;
}
# Listen for incoming TLS connections on service2.domain.me
# server {
# listen 443;
# proxy_pass service2.domain.me;
# proxy_ssl on;
# proxy_ssl_protocols TLSv1.2 TLSv1.3;
# proxy_ssl_name $ssl_preread_server_name;
# }
# Define the backend server for service1.domain.me
upstream service1.domain.me {
server homeserverIP:port;
}
# Define the backend server for service2.domain.me
# upstream service2.domain.me {
# server homeserverIP:port;
# }
}
The services are running in docker containers on different ports. When I used two server blocks and two upstream blocks, I got this error while testing NGINX config: nginx: [emerg] duplicate "0.0.0.0:443" address and port pair in /etc/nginx/passthrough.conf:13. So, I commented out the other server block and tested it again. The test was successful, but NGINX failed to restart. When I checked the systemctl status I saw: nginx[2480644]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use). This is because I am already hosting multiple WordPress sites on this VPS.
As has been mentioned, put the WordPress sites on different internal ports or different internal IPs (easier if they are dockerised on a docker network).
Then have nginx have the external 80/443 port binds, and reverse proxy to the WordPress instances.
This looks like a really great tool, but I cannot seem to find TLS pass through options in here. Or maybe I am too dumb to understand. I do not want the proxy server to generate or keep any certificates, all that will be done by my home server. All I want the proxy server to do is pass through the TCP connection.
If you are forwarding to multiple services, TCP proxying isnt going to work.
The proxy server has to know where to send the connection, so it has to be protocol-aware. In this case, http/https is the protocol.
Luckily TLS/HTTPS has functionality for this without having to terminate encryption, called SNI.
Only one service can bind to each address-port pair, as the message suggests. Either pick a different one, or use nginx to proxy the wordpress service too.
I am running a similar setup to yours. The issue is that only one server block can listen to an address+port pair. You ought to do something like this:
I don't know how to do TLS pass-through, but I think you could just run NAT (configure the firewall on your VPS) and host your reverse proxy at home. No need for TLS pass-through in such a case, unless you absolutely need to host the proxy on the VPS.
I am not sure how to do that. Can you, please, link a guide or any documentation?
Does this method prevent the VPS provider from looking into the data being passed through?
I don't have any guide (haven't looked for one). The concept is simple:
Configure Wireguard server on the VPS.
Connect to server using your router/home firewall as a client (I believe you've done this already).
Configure nftables or iptables to forward traffic coming from a certain IP/port through your VPN connection to your router.
Since you have hosted your proxy at home, that's where TLS termination happens, which means your traffic is encrypted in transit (NAT does not decrypt packets). So yes, you're (in theory) safe from the VPS provider.
I believe there are ways to encrypt one's RAM on a VPS but you likely don't need it here, and that might be beyond the scope of this discussion anyway.
Cheers. I was given this idea by another person on Lemmy, I'm just pushing this wonderful idea forward.