
I'm very new to this, so I apologize if I may not even get the terms right. What I'm trying to accomplish is a reverse proxy with Nginx where I listen to https (port 443) and MQTT (port 8883) and pass those through to their respective back end servers. I was working through this tutorial:

https://www.nginx.com/blog/nginx-and-iot-adding-protocol-awareness-for-mqtt/

And I was able to get things working for MQTT to my AWS backend. I was having issues, though, with sending HTTPS requests over to Google Cloud Platform. Here is my nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

stream {
    upstream gcp_backend {
         server mysite.appspot.com:443;
    }

    server {
        listen 443;
        #proxy_pass gcp_backend;
        proxy_pass mysite.appspot.com:443;
    }

    upstream mqtt_backend {
         server mysite.iot.us-west-1.amazonaws.com:8883;
    }

    server {
        listen 8883; # (tcp)
        proxy_pass mqtt_backend;
    }
}

I'm running nginx -v and get "nginx/1.10.3". I'm running this on a Raspberry Pi, and I have a domain name through dyndns.org. When I go to https://somewhere.dyndns.org/api-name-here I am getting a 404 error. I thought at one point it may be because of a firewall preventing incoming requests on Google Cloud, but I'm not sure. I also tried working with custom domains on Google Cloud, but I then thought those would not be what I want. I want to be going through Nginx on the Raspberry Pi and have it proxy_pass over to the Google Cloud backend.

As mentioned, MQTT has worked for me with this setup over port 8883, but maybe AWS isn't rejecting it for some reason. Google Cloud, I believe, is giving an error because my dyndns.org domain is not one of the allowed domain names like appspot.com.

Thanks for any help you can give me or what terms I should research/search for.

Justin

Misha Brukman
Eradicatore

1 Answer

MQTT needs the stream protocol so you need to separate your HTTPS and stream configurations. Something like this should do it:

stream {

    upstream mqtt_backend {
        server mysite.iot.us-west-1.amazonaws.com:8883;
    }

    # The stream module has no location blocks: proxy_pass goes directly in server {}.
    server {
        listen 8883; # (tcp)
        proxy_pass mqtt_backend;
    }
}

http {
    upstream gcp_backend {
        server mysite.appspot.com:443;
    }

    server {
        listen 443;

        # In the http context proxy_pass needs a scheme; the backend speaks TLS on 443.
        location / {
            proxy_pass https://gcp_backend;
        }
    }
}

Also, to listen over SSL you need to enable SSL and have certificates installed, or you will get a protocol error. You would at least need:

server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ...
}

and probably:

server {
    listen 8883 ssl; # (tcp)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ...
}
Simon Greenwood
  • Thanks Simon for the comments. So I tried this, and got errors about the proxy_pass not being allowed there. I've kept looking for more help and found that this may be what I'm trying to do: https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru . But now my issue I think is more that Google Cloud Platform won't allow this dyndns.org domain as an ingress. – Eradicatore Jan 31 '18 at 14:11
  • Ah, `proxy_pass` should be in a `location`. Let me correct that. – Simon Greenwood Jan 31 '18 at 14:15
  • FYI, this page here really helped. https://www.radomirml.com/blog/2011/01/30/reverse-proxy-for-gae-application-using-nginx-and-ssl/. But only for the case when you are doing SSL termination (since that allows you to update the header). Adding these to the location body: proxy_pass https://.appspot.com; proxy_set_header Host .appspot.com – Eradicatore Feb 01 '18 at 23:20
  • GCP shouldn't reject your request based on the domain name. Make sure you have a firewall rule that allows traffic on port 443 to your backend – Patrick W Feb 15 '18 at 14:49
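
Putting the answer and the later comments together, here is a complete nginx.conf that does what the question asks for: MQTT stays a raw TCP stream that is passed through untouched to AWS IoT (the client's own TLS session reaches AWS, so nginx never needs a certificate for 8883), while HTTPS is terminated on the Pi so nginx can rewrite the Host header to the appspot.com name that App Engine routes on, which is why the passthrough setup in the question produced a 404. This is an added example, not the answer's or the original poster's configuration; the hostnames, the Let's Encrypt paths, and the CA bundle path are assumed placeholders, and the `proxy_ssl_*` directives (available since nginx 1.7.0, so present in 1.10.3) are used so the Pi verifies the App Engine certificate instead of forwarding blindly.

```nginx
# Added example (not from the question or the answer). Hostnames, certificate
# paths and the CA bundle path are assumed placeholders.
user www-data;
worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
}

# MQTT over TLS (8883): pure TCP passthrough. The client's TLS session
# terminates at AWS IoT, so this listener carries no certificate of its own
# and nginx never sees MQTT plaintext.
stream {
    upstream mqtt_backend {
        server mysite.iot.us-west-1.amazonaws.com:8883;   # placeholder backend
    }

    server {
        listen 8883;
        proxy_pass mqtt_backend;   # no location {} in the stream module
    }
}

# HTTPS (443): TLS is terminated here so the Host header can be rewritten.
http {
    upstream gcp_backend {
        server mysite.appspot.com:443;   # placeholder App Engine backend
    }

    server {
        listen 443 ssl;
        server_name somewhere.dyndns.org;   # placeholder public name

        # Certificate for the dyndns name the clients actually connect to.
        ssl_certificate     /etc/letsencrypt/live/somewhere.dyndns.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/somewhere.dyndns.org/privkey.pem;
        ssl_protocols TLSv1.2;

        location / {
            proxy_pass https://gcp_backend;

            # App Engine routes on the Host header; forwarding the dyndns name
            # unchanged is what yields the 404 seen in the question.
            proxy_set_header Host mysite.appspot.com;

            # Re-encrypt toward App Engine with the right SNI and verify its
            # certificate chain against the system CA bundle.
            proxy_ssl_server_name on;
            proxy_ssl_name mysite.appspot.com;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 2;
            proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

            # Preserve client information for the backend's logs.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Check the file with `sudo nginx -t` before reloading; a `location` inside a `stream` server or a `proxy_pass` without a scheme inside `http` is reported at this step rather than at runtime. The trade-off to be aware of is that terminating TLS on the Pi means the Pi holds a certificate and private key for the public name and sees the HTTP plaintext, which is exactly what makes the Host rewrite possible but also makes the Pi part of the trust boundary.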