About Nginx+HTTPS+SSL certs in Jails

Hi everyone. I'd like to set two jails with each hosting a domain of mine, with HTTPS/TLS support on nginx.

My case is;

My Dedicated Server/Host IP: 134.42.22.11 (External Public IP Addr) (also has PF enabled and running, without any jail-related rules at the moment)
Jail 1 - 10.10.10.2 - nginx: would host mydomain1.com - Port: 80/443
Jail 2 - 10.10.10.3 - nginx: would host myotherdomain.com - Port: 80/443

I'd like to know if not only HTTP but also HTTPS traffic (and obviously SSL certs) is supported. How do I achieve this with nginx?

Would Nginx support HTTP/HTTPS redir, without using haproxy? Like using "proxy_pass" tags.

I generate my SSL certs with acme.sh; should I generate the SSL certificates within each jail, or on the main host and then put them into each jail's related folder?

Best.
 
The 'nginx' part is easy to set up. (I am on my phone, I will share a config if you need it.)
I can't find a way to redirect traffic according to port+domain.
So an nginx as proxy (or HAProxy) is needed. If there is a better solution, I am interested too.
 
The 'nginx' part is easy to set up. (I am on my phone, I will share a config if you need it.)
I can't find a way to redirect traffic according to port+domain.
So an nginx as proxy (or HAProxy) is needed. If there is a better solution, I am interested too.

Thanks a lot. Well, I'm able to set up nginx with SSL support and virtualhosts and so on on a real host. That's no problem.

I just want to learn whether it is possible to have them in each jail, with the main host redirecting the HTTPS/TLS requests to the jails according to domain.
 
So you want to use nginx as a reverse proxy for these two jails? The reverse proxy will then need both certificates (with private keys), but apart from that, a straightforward config with two server blocks and the respective server_name properties will do; nginx supports SNI to determine the correct virtual server on the TLS handshake.
 
Well, imagine a jail with an internal vLAN IP like 192.168.1.2, and the nginx server conf is:

NGINX:
server {
    listen              192.168.1.2:443 ssl;
    server_name         www.example.com;
    ssl_certificate         www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

How would such traffic pass to the external, public IP traffic of the host server?
 
I think I answered that above? Typically with a reverse proxy listening on that public address, and you could also use nginx for that. And again, this reverse proxy will need all the certificates.

You might question whether you need TLS internally at all, depends on your scenario and threat models...

BTW, enabling anything older than TLS1.2 is probably not a good idea.
 
Thanks Zirias. Oh, the sample code was from nginx documentation, I have only TLSv1.2 and TLSv1.3 activated, so no problem with that.

Hosted domains are not internal ones, so TLS requests would come from browsers of my website visitors.

So nginx would handle this itself with its proxy? Any example config in such case?

Thanks.
 
Hosted domains are not internal ones, so TLS requests would come from browsers of my website visitors.
That's not the issue. You want to host two different domains (with two different certificates) on a single IP address. This requires SNI, and therefore the reverse proxy must terminate TLS anyway (and needs all the certificates and private keys).

The proxied request will be in your local network (between your jails) only, so whether you need TLS there or not depends on your assessment of the threat of someone being able to eavesdrop connections inside your local network. On my private server, only my reverse proxy does TLS, requests are proxied using plain http internally.

So nginx would handle this itself with its proxy? Any example in such case?
See above, it's straightforward. Add a server block for each domain on port 443 (and, if you want/need it, another one on port 80); inside, add the correct server_name, the certificate configuration for the TLS servers, and a proxy_pass directive.
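To make the setup described in this thread concrete, here is an added example config (not posted by anyone in the thread, and not nginx's own documentation) using the IPs and domain names from the first post: one nginx instance on the jail host terminates TLS for both domains on the public address (SNI picks the server block), port 80 only 301-redirects to HTTPS, and each domain is proxied over plain HTTP to its jail. The certificate paths under /usr/local/etc/ssl/ and the jail-side host address 10.10.10.1 are assumptions; adjust them to wherever your acme.sh installs the files and to your actual jail network.

```nginx
# ---- On the jail host (or a dedicated proxy jail): reverse proxy ----
# TLS is terminated here, so this instance needs every domain's cert + key.
# Certificate paths are assumed (e.g. acme.sh --install-cert targets).

# Port 80: redirect everything to HTTPS, serve no content in plain text.
server {
    listen      134.42.22.11:80;
    server_name mydomain1.com myotherdomain.com;
    return 301  https://$host$request_uri;
}

# mydomain1.com -> Jail 1 (10.10.10.2), plain HTTP on the internal network
server {
    listen      134.42.22.11:443 ssl;
    server_name mydomain1.com;

    ssl_certificate     /usr/local/etc/ssl/mydomain1.com/fullchain.cer;
    ssl_certificate_key /usr/local/etc/ssl/mydomain1.com/mydomain1.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # nothing older, as noted in the thread

    location / {
        proxy_pass http://10.10.10.2:80;
        # Pass the original host and client info so the jail can log/route correctly
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# myotherdomain.com -> Jail 2 (10.10.10.3)
server {
    listen      134.42.22.11:443 ssl;
    server_name myotherdomain.com;

    ssl_certificate     /usr/local/etc/ssl/myotherdomain.com/fullchain.cer;
    ssl_certificate_key /usr/local/etc/ssl/myotherdomain.com/myotherdomain.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.10.10.3:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# ---- Inside Jail 1 (10.10.10.2): minimal non-TLS backend ----
# No certificates here; bind only to the internal address so the backend is
# never reachable directly from the public interface.
server {
    listen      10.10.10.2:80;
    server_name mydomain1.com;
    root        /usr/local/www/mydomain1.com;   # assumed document root

    # Only trust X-Forwarded-For when it comes from the proxy (assumed host
    # address on the jail network); requires nginx's realip module.
    set_real_ip_from 10.10.10.1;
    real_ip_header   X-Forwarded-For;
}
```

The two 443 server blocks are deliberately identical apart from domain, certificate and backend, which is what makes adding a third jail a copy-paste job. Because the jails listen on their internal addresses only, the proxy is the single place where TLS is configured and the only path from the public IP to the backends; a PF rule on the host that blocks direct access to 10.10.10.0/24 from outside closes the remaining gap.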
 
There is more than one solution.
I had a jail that responds on 80 (for all acme domains) and on 443, which resolves the certificate and calls non-HTTPS internal jails (port 8080, 8081 and so on) for page content depending on the domain.
I changed my mind and created one jail per domain, plus one 'primary' jail that proxy-passes the traffic.
(Between these two configs I used ovh-dns, but acme stopped working without any error...)
For me the second solution is the easiest to handle and probably more robust. But if there is a tool that passes the traffic into a jail according to the domain name, that would be a better solution than a jail with nginx doing proxy_pass...
 
But if there is a tool that passes the traffic into a jail according to the domain name, that would be a better solution than a jail with nginx doing proxy_pass...
net/haproxy (can do SSL termination too). On my VPS I have HAProxy running on the host and various websites in jails. HAProxy will proxy based on the URL to a specific jail backend.
 
Maybe not answering any questions, but I'd like to share how I handle this sort of thing: I run a bunch of jails with www/nginx or other web servers in them (e.g. also www/gitea). None of these web servers does SSL. Instead, traffic is plain and I run net/haproxy in front of them, which does SSL termination and redirects the plain text traffic to each jail based on the URL in the request header. This is easy to set up and easy to maintain.

Edit: Seems like SirDice covered this technique in the meantime - sorry.
 
It doesn't really matter WHICH reverse proxy you use, that's why I mentioned nginx will do just fine. Of course, haproxy is another alternative and offers additional features you might or might not need ;)

What's important is: In this scenario, hosting multiple TLS-domains on a single IP address, the reverse proxy MUST terminate TLS (and, therefore, must have all the certs and keys).
 
Using HAProxy or nginx for the reverse proxy is OK for me.
But I feel like a more elegant solution exists.
So my first approach was the good one, but since we lose HTTPS inside the jails, we get CORS errors in local browsing.
 
kalleboy operating at 100% CPU usage is not a scenario you want in production anyways, so it doesn't matter too much. It's no surprise a scenario where nginx looks better is presented on nginx' site though ;)

Feature-wise, HAProxy is designed for "high availability", offering load balancing, down detection etc... if you need that, use HAProxy. Otherwise, it doesn't matter much, and IMHO, nginx is just fine.
 
I usually run a single jail with nginx as reverse proxy for all web servers on that server (or network). This jail handles all SSL/TLS and cert stuff (or the jailhost is running acme.sh, depending on requirements); the other web servers only need a minimal non-SSL config.
This way I have only one "moving target" when it comes to certificates and all TLS-config is at one point, not scattered over probably dozens of jails/servers. This way it's easy to apply new TLS-configs and add/remove/modify domains/wildcards from certs.

As for the acme-http-validation: I abandoned this path a long time ago in favor of DNS-APIs. This way you can just 301 all requests on port 80 to port 443. Usually those "wellknown" configs on port 80 get very ugly very fast if you need to handle multiple domains and possibly even certs/acme clients on backend servers.
I use security/acme.sh everywhere; primarily because it doesn't drag in tons of dependencies like e.g. certbot, and because it is dead-simple to configure and automate, even for dozens of domains on the same host.
 
As for the acme-http-validation: I abandoned this path a long time ago in favor of DNS-APIs.
Unfortunately, this stopped working one cold winter day with the OVH DNS-API.
I could not find out why, and I configured the well-known on port 80 as an emergency measure.
I have not found the time to retest the DNS-API, so I left my server in this state.
Did you have a fallback? Did you encounter issues with the DNS-API?
 
Unfortunately, this stopped working one cold winter day with the OVH DNS-API.
I could not find out why, and I configured the well-known on port 80 as an emergency measure.
I have not found the time to retest the DNS-API, so I left my server in this state.
Did you have a fallback? Did you encounter issues with the DNS-API?
No, I don't use a fallback - the certs are renewed several days before they expire, so if it fails I can still react to the mail I receive from cron.

I only had a failure once, when I accidentally revoked the wrong API key at DigitalOcean. I received an error message via email from cron 2 days in a row, so I intervened. The certs that were in place were still valid for several days, so there is no need to panic if it fails once or twice... (IIRC they are normally renewed 14 days prior to expiration.)
 