Need help with Nginx Reverse Proxy

I'm trying to run dual webservers (both Apache2 port 444) WITH SSL and an Nginx RP (port 443) but when I go to my site (https://something.wa) it fully breaks and I get the error message: (something about the SSL certificate not valid) but when I hook up the site to port (on the router to open internet) 443 (still internal port 444), everything works fine but also if I use port 80 (non HTTPS) the site loads... like normal

 

Nginx conf

 

server {
    listen 443 ssl;
    server_name mydomain.net;

    location / {
        proxy_pass "https://192.168.0.146:444";
        proxy_set_header Host $host;
    }
}

 

Apache2 conf

 

Listen 444
<IfModule mod_ssl.c>
<VirtualHost *:444>
    ServerAdmin (my email)
    ServerName mydomain.net
    ServerAlias www.mydomain.net
    DocumentRoot /var/www/(my domain)/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/(my domain)/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/(my domain)/privkey.pem
</VirtualHost>
</IfModule>

 

 

If any more info is needed, let me know ASAP


The nginx reverse proxy needs to decrypt the traffic, but you haven't configured TLS in your nginx snippet. At a minimum you need to set up nginx with the same certificates that you're currently using for apache.

 

Another problem that you might be running into, if the TLS error is coming from Nginx rather than your browser, is that nginx is proxying from 192.168.0.146 rather than mydomain.net, so the certificate that it's presenting isn't valid (or it may even be hitting a different virtual host - passing the Host header only applies after TLS has been negotiated, which means Apache has already chosen the virtual host). Often the solution is just to use plain HTTP between nginx and apache, because it's within your trusted network, but if that's not something that you want to do then I think it's possible to tell nginx to use a different hostname for SNI so it requests it as mydomain.net.

HTTP/2 203


6 minutes ago, colonel_mortis said:

The nginx reverse proxy needs to decrypt the traffic, but you haven't configured TLS in your nginx snippet. At a minimum you need to set up nginx with the same certificates that you're currently using for apache.

 

Another problem that you might be running into, if the TLS error is coming from Nginx rather than your browser, is that nginx is proxying from 192.168.0.146 rather than mydomain.net, so the certificate that it's presenting isn't valid (or it may even be hitting a different virtual host - passing the Host header only applies after TLS has been negotiated, which means Apache has already chosen the virtual host). Often the solution is just to use plain HTTP between nginx and apache, because it's within your trusted network, but if that's not something that you want to do then I think it's possible to tell nginx to use a different hostname for SNI so it requests it as mydomain.net.

By chance do you know how to use the same TLS cert with nginx? (like where do I put it)


Just now, Nolanrulesroblox said:

By chance do you know how to use the same TLS cert with nginx? (like where do I put it)

Inside the server block, add

ssl_certificate /etc/letsencrypt/live/(my domain)/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/(my domain)/privkey.pem;

then reload nginx

HTTP/2 203

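The two fixes discussed in this thread, the browser-facing certificate on nginx and the SNI name for the HTTPS hop to Apache, combined in one server block. This is an added example, not a config posted by anyone in the thread. The proxy_ssl_* directives, the X-Forwarded-* headers and the CA bundle path (a Debian/Ubuntu location) are assumptions added here; mydomain.net, 192.168.0.146:444 and the "(my domain)" paths are the thread's own placeholders.

```nginx
# Added example, not from the thread. Replace the "(my domain)" placeholder
# with the real directory name before use.
server {
    listen 443 ssl;
    server_name mydomain.net;

    # Browser-facing TLS: without these two directives nginx has no
    # certificate to present on 443, which is the error in the first post.
    ssl_certificate     /etc/letsencrypt/live/(my domain)/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/(my domain)/privkey.pem;

    location / {
        proxy_pass https://192.168.0.146:444;
        proxy_set_header Host $host;

        # Assumption: the backend wants the client address and original scheme.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Upstream TLS: nginx sends no SNI to the backend by default, so
        # Apache chooses a virtual host before it ever sees the Host header.
        proxy_ssl_server_name on;
        # Name used for SNI and for certificate verification. The default is
        # the host part of proxy_pass, here the IP address.
        proxy_ssl_name mydomain.net;

        # nginx does not verify the upstream certificate unless told to.
        # With verification on, a wrong vhost or wrong cert fails the request
        # instead of being proxied silently.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Assumption: Debian/Ubuntu system CA bundle location.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

Run `nginx -t` to check the syntax before reloading.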

39 minutes ago, colonel_mortis said:

Inside the server block, add


ssl_certificate /etc/letsencrypt/live/(my domain)/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/(my domain)/privkey.pem;

then reload nginx

Holy crap! It worked!

