NGINX config for TLS passthrough with multiple services?
I am trying to set up a reverse proxy server, with TLS passthrough.
I am behind CGNAT, so I cannot forward any ports from my home server. So, my current workaround was that I connected my home server to a VPS via WireGuard and used Nginx Proxy Manager (NPM) to proxy services running on different docker containers to the VPS, so that they are accessible publicly. But now I want to use TLS passthrough for better privacy. But I cannot find any guides for my case.
I need help with 2 issues, basically. Let's take a look at my passthrough.conf file, which I have included in nginx.conf file.
stream {
# Listen for incoming TLS connections on service1.domain.me
server {
listen 443;
proxy_pass service1.domain.me;
proxy_ssl on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_name $ssl_preread_server_name;
}
# Listen for incoming TLS connections on service2.domain.me
# server {
# listen 443;
# proxy_pass service2.domain.me;
# proxy_ssl on;
# proxy_ssl_protocols TLSv1.2 TLSv1.3;
# proxy_ssl_name $ssl_preread_server_name;
# }
# Define the backend server for service1.domain.me
upstream service1.domain.me {
server homeserverIP:port;
}
# Define the backend server for service2.domain.me
# upstream service2.domain.me {
# server homeserverIP:port;
# }
}
The services are running in docker containers on different ports. When I used two server blocks and two upstream blocks, I got this error while testing NGINX config: nginx: [emerg] duplicate "0.0.0.0:443" address and port pair in /etc/nginx/passthrough.conf:13. So, I commented out the other server block and tested it again. The test was successful, but NGINX failed to restart. When I checked the systemctl status I saw: nginx[2480644]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use). This is because I am already hosting multiple WordPress sites on this VPS.
I am running a similar setup to yours. The issue is that only one server block can listen to an address+port pair. You ought to do something like this: