1

I have a reverse proxy running on port 80 to serve as a "gateway" to update Let's Encrypt certificates on VMs inside my network. This reverse proxy is only exposed for 5 minutes per week on port 80 for this reason. I have a number of domains that pass through this server to be forwarded to their internal IP addresses. This all works fine, however there is one server exposed to the internet on port 443. When I make a request to the correct domain name using https, all is fine. When I use one of the other domains, I of course get an invalid certificate error. That is why I was thinking of routing port 443 traffic through the reverse proxy so I'll be able to block traffic not targeting the one domain that is exposed and running on 443. Nginx however expects a valid certificate which I can't give it because it's on another server.

The server I'm running on port 443 is Kerio Mailserver... maybe there is something I can do there to force the use of only one domain name?

Is there a way of handling this? Just in case you're wondering: the other servers don't need exposing.

vespino

2 Answers

1

I see no reason why you can't proxy both HTTP and HTTPS traffic through NGINX. So you can:

  • keep and renew all the certificates on the NGINX host,
  • proxy the requests to the VMs through HTTP. If I understand correctly they are all on the same physical host, so the plaintext traffic would go only through virtual network interfaces,
  • keep the HTTP port on NGINX open at all times and use it to renew the certificates and (HTTP) redirect plain traffic to the HTTPS port.

Edit: If you also want to encrypt the traffic between NGINX and the VMs or, as you remark in a comment, you don't want to use NGINX for connections from the local network, you can use a local Certification Authority for the internal servers.

From your perspective it is much safer, since a local CA is more trustworthy than an external authority. You just need to add it to all computers in the local network and you can issue long term certificates without renewing them every 60 days.

Piotr P. Karwasz
  • What you are proposing is switching to http on the VMs and have the reverse proxy handle all certificates instead of each VM individually? – vespino Dec 25 '20 at 11:03
  • Yes, that's exactly what I propose. – Piotr P. Karwasz Dec 25 '20 at 11:09
  • Guess that is worth trying. I hadn't thought of that. Will look into that. Thank you, Merry Xmas. – vespino Dec 25 '20 at 11:14
  • Just thinking about this, and this would mean having to route my internal traffic through my firewall too or else I would have to be using http internally. Since some services only run on https and I won't have the SSL certificate, I will still be presented with the invalid certificate screen. I have added some custom DNS rules so the internal VMs can be reached via their internal IP. So I don't see how your solution would work for me. – vespino Dec 25 '20 at 11:38
  • You can use a local CA for the internal traffic, just add it to NGINX's trusted authorities. (I modified the answer accordingly). Merry Christmas! – Piotr P. Karwasz Dec 25 '20 at 14:40
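One way to lay out the nginx side of the design in this answer, as an added example that is not part of the answer itself: port 80 stays open for ACME challenges and redirects, a catch-all 443 server refuses unknown SNI names rather than serving a mismatched certificate, the exposed host is terminated at nginx and forwarded as plain HTTP, and the local-CA variant from the edit verifies the VM's certificate. Hostnames, internal addresses and file paths are placeholders; `ssl_reject_handshake` needs nginx 1.19.4 or newer.

```nginx
# Port 80 stays open: serve ACME http-01 challenges, redirect everything else.
server {
    listen 80 default_server;
    server_name _;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # certbot --webroot -w /var/www/letsencrypt
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
# Port 443 catch-all: an SNI name not configured below gets the handshake
# rejected instead of a certificate warning (nginx 1.19.4 or newer).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# The one host that is meant to be reachable from the internet,
# TLS terminated here and forwarded as plain HTTP over the virtual network.
server {
    listen 443 ssl;
    server_name mail.example.com;   # placeholder
    ssl_certificate     /etc/letsencrypt/live/mail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;
    location / {
        proxy_pass http://10.0.0.10:80;   # placeholder internal address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Variant from the edit: the VM keeps HTTPS with a local-CA certificate and
# nginx verifies it against that CA's root before forwarding.
server {
    listen 443 ssl;
    server_name webmail.example.com;   # placeholder
    ssl_certificate     /etc/letsencrypt/live/webmail.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webmail.example.com/privkey.pem;
    location / {
        proxy_pass https://10.0.0.11:443;   # placeholder internal address
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/local-ca.pem;   # local CA root
        proxy_ssl_server_name         on;
        proxy_ssl_name                webmail.internal;   # name in the VM's cert
        proxy_set_header Host $host;
    }
}
```

With this layout only `mail.example.com` and `webmail.example.com` complete a TLS handshake on 443; every other name pointed at the public IP is dropped at the handshake, which is the blocking behaviour the question asks for.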
0

I fixed this as follows: I first installed nginx on my Kerio VM and configured a reverse proxy routing port 443 to 444 (where Kerio now lives). Next I created a wildcard SSL certificate on the VM that I used on 2 hosts, 1 for the webmail and Kerio as a whole and 1 for redirecting all other domain names pointed at my public IP without getting a certificate error.

Now all I have to figure out is how to fix the 504 gateway timeout issue for real, so not by just adding a huge timeout limit. And hope certbot does renew using the DNS challenge without issues.

Now it's time for bed.

vespino