Return to Level1Techs.com

Is it possible to pass ssl encrypted streams if it doesn't match a virtual host in nginx to another nginx


#1

i have a bunch of servers at home and i let one of my friends use my proxmox server in that server he has a nat and separate subnet and a nginx reverse proxy server for giving ssl to his website on port 80 and 443. for the last while i haven’t been active on my servers since i got busy but now i want to host sites again and i can’t figure out how. port 80 and 443 is forwarded to his virtual router which then forwards his nginx server that serves his ssl certs. but because hes using port 80 and 443 i cant run my own nginx and forward it withought breaking his websites. i was wondering if i could its possible to put something in between the router to the internet and his nginx which would then allow me to send the requests to my domain names to my nginx server on my network and forward anything that doesn’t match it to my friends network withought decrypting the ssl. i’ve tried doing it with nginx proxy pass but it would strip the ssl so it wasnt useable.

tldr: is it possible with nginx or anything else to check the domain name the request is going to then based on that forward it to separate nginx servers withought screwing with the ssl


#2

What you are asking about is TLS Server Name Indication, and nginx does support it (https://nginx.org/en/docs/http/configuring_https_servers.html#sni). And you can proxy the encrypted stream to a backend.

Your nginx config would look something like:

upstream backend {

   server IP_ADDRESS:80;
}

upstream ssl-backend {

   server IP_ADDRESS:443;
}

server {

    listen 80;
    server_name	DOMAIN.com

    proxy_pass backend;
    proxy_next_upstream on;
}

server {

    listen 443 ssl http2;

    server_name    DOMAIN.com; 

    proxy_pass ssl-backend;
    proxy_next_upstream on;
}