I am trying to set up a reverse proxy server, with TLS passthrough.

I am behind CGNAT, so I cannot forward any ports from my home server. So, my current workaround was that I connected my home server to a VPS via WireGuard and used Nginx Proxy Manager (NPM) to proxy services running on different docker containers to the VPS, so that they are accessible publicly. But now I want to use TLS passthrough for better privacy. But I cannot find any guides for my case.

I need help with 2 issues, basically. Let’s take a look at my passthrough.conf file, which I have included in nginx.conf file.

stream {
    # Listen for incoming TLS connections on service1.domain.me
    server {
        listen 443;
        proxy_pass service1.domain.me;
        proxy_ssl on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_name $ssl_preread_server_name;
    }

    # Listen for incoming TLS connections on service2.domain.me
#    server {
#        listen 443;
#        proxy_pass service2.domain.me;
#        proxy_ssl on;
#        proxy_ssl_protocols TLSv1.2 TLSv1.3;
#        proxy_ssl_name $ssl_preread_server_name;
#    }

    # Define the backend server for service1.domain.me
    upstream service1.domain.me {
        server homeserverIP:port;
    }

    # Define the backend server for service2.domain.me
#    upstream service2.domain.me {
#        server homeserverIP:port;
#    }
}

The services are running in docker containers on different ports. When I used two server blocks and two upstream blocks, I got this error while testing NGINX config: nginx: [emerg] duplicate "0.0.0.0:443" address and port pair in /etc/nginx/passthrough.conf:13. So, I commented out the other server block and tested it again. The test was successful, but NGINX failed to restart. When I checked the systemctl status I saw: nginx[2480644]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use). This is because I am already hosting multiple WordPress sites on this VPS.

Here’s my nginx.conf file:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
}

http {

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;


        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;

        gzip_vary on;
        gzip_proxied any;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        client_max_body_size 100M;
        server_tokens off;

}

#include /etc/nginx/passthrough.conf;

I do not know much about NGINX configuration, any help or article links would help.

  • @DecronymAB
    link
    fedilink
    English
    4
    edit-2
    1 year ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    CGNAT Carrier-Grade NAT
    HTTP Hypertext Transfer Protocol, the Web
    HTTPS HTTP over SSL
    IP Internet Protocol
    NAT Network Address Translation
    SSL Secure Sockets Layer, for transparent encryption
    TCP Transmission Control Protocol, most often over IP
    TLS Transport Layer Security, supersedes SSL
    VPN Virtual Private Network
    VPS Virtual Private Server (opposed to shared hosting)
    nginx Popular HTTP server

    [Thread #135 for this sub, first seen 12th Sep 2023, 10:35] [FAQ] [Full list] [Contact] [Source code]