What is a reverse proxy (taken from Wikipedia):
“In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client like they originated from the proxy server itself”
So why would you want to use a reverse proxy? In my case it’s because I want to hide ports and instead forward requests based on domain name. I also want to handle SSL encryption in one place. So even if I have a self-signed certificate internally, the browser will still show a green URL if NGINX is set up properly with a certificate signed by a CA.
Prerequisites
This config example assumes you already have DNS or DDNS set up and an existing signed certificate from a CA (chained.pem and domain.key). Ports 80 and 443 on your router also need to forward requests to your NGINX instance (in this example running on 192.168.2.1).
What I want to accomplish:
# Setup routing for NAS Management 192.168.1.4 (home.filegott.se)
http://home.filegott.se --(reverse proxy)--> http://192.168.1.4
https://home.filegott.se --(reverse proxy)--> https://192.168.1.4
# Setup routing for UniFi Controller 192.168.2.2 (unifi.filegott.se)
http://unifi.filegott.se --(redirect)--> https://unifi.filegott.se
https://unifi.filegott.se --(reverse proxy)--> https://192.168.2.2:8443
My nginx.config:
    user nginx;
    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        # NAS management over plain HTTP
        server {
            listen 80;
            server_name home.filegott.se;

            location / {
                # pass the original client address and host name to the backend
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass http://192.168.1.4/;
            }
        }

        # NAS management over HTTPS, TLS terminated with the CA-signed certificate
        server {
            listen 443 ssl;
            server_name home.filegott.se;
            ssl_certificate /etc/nginx/certs/chained.pem;
            ssl_certificate_key /etc/nginx/certs/domain.key;

            location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://192.168.1.4/;
            }
        }

        # UniFi Controller: redirect HTTP to HTTPS
        server {
            listen 80;
            server_name unifi.filegott.se;
            return 301 https://unifi.filegott.se$request_uri;
        }

        # UniFi Controller over HTTPS
        server {
            listen 443 ssl;
            server_name unifi.filegott.se;
            ssl_certificate /etc/nginx/certs/chained.pem;
            ssl_certificate_key /etc/nginx/certs/domain.key;

            location / {
                # proxy all HTTPS traffic to 192.168.2.2:8443
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_pass https://192.168.2.2:8443/;

                # WebSocket support
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }
    }
I had to add three extra lines to support WebSockets for my UniFi Controller. Also worth mentioning is that the certificate used is signed for both domains: home.filegott.se and unifi.filegott.se.
Hi, does this still work for you? I also have nginx with a similar setup, but I have a 404 on redirect to “redirect.html?count=0.xxxx”
I have this exactly today:

    server {
        listen 443 ssl;
        server_name unifi.filegott.se;
        ssl_certificate /etc/nginx/certs/chained.pem;
        ssl_certificate_key /etc/nginx/certs/domain.key;

        location / {
            # proxy all HTTPS traffic to 192.168.2.2:8443
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_pass https://192.168.2.2:8443/;
            proxy_ssl_verify off;

            # WebSocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

As you can see I’ve added the line “proxy_ssl_verify off;”. This is because I want to ignore the self-signed internal certificates.
Also I’ve removed the redirect rows:

    server {
        listen 80;
        server_name unifi.filegott.se;
        return 301 https://unifi.filegott.se$request_uri;
    }

As I only want Unifi controller to be available over HTTPS.
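An added example, not part of the original post or its comments: with "proxy_ssl_verify off;" the hop from NGINX to the backend is encrypted but the backend is not authenticated. The block below keeps the self-signed internal certificate and pins it as the only trust anchor instead. The file path unifi-backend.pem and the name unifi-backend.example are assumptions to be replaced with your own values.

```nginx
# Added example (not the post's config). Hypothetical values:
#   /etc/nginx/certs/unifi-backend.pem  copy of the controller's self-signed certificate
#   unifi-backend.example               a name listed in that certificate (CN or SAN)

# Weak form: any certificate presented on 192.168.2.2:8443 is accepted.
#   proxy_pass       https://192.168.2.2:8443/;
#   proxy_ssl_verify off;

# Stricter form: only the pinned backend certificate is accepted.
server {
    listen 443 ssl;
    server_name unifi.filegott.se;

    # Public side: CA-signed certificate shown to browsers
    ssl_certificate     /etc/nginx/certs/chained.pem;
    ssl_certificate_key /etc/nginx/certs/domain.key;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass https://192.168.2.2:8443/;

        # Internal side: verify the upstream certificate against the pinned file
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/unifi-backend.pem;

        # Name checked against the upstream certificate. Without this, NGINX
        # uses the host from proxy_pass, which here is an IP address and will
        # not match a certificate issued for a host name.
        proxy_ssl_name                unifi-backend.example;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Check the file with "nginx -t" before reloading. If the backend certificate is later regenerated, requests fail with a 502 and an upstream certificate verification error in the NGINX error log until the pinned file is updated.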