Nginx, single IPv4, IPv6, SSL/TLS, jails, one machine

[Moviuro]

Hi all! I'm trying to build a good webserver that can serve over HTTPS only:

• My blog as static HTML (Jekyll, Hugo or whatever)
• Nagios
• Transmission
• Possibly some other web applications

So far I have no encryption (nginx is just serving on port 80) and the following constraints:

• Only one IPv4 address
• A ton of IPv6 addresses (a /48, courtesy of Hurricane Electric)

Then, of course, I know that I should use jails. So I have one nginx jail that only listens on its 10.10.10.1:80 address, and then redirects to the other jails that contain the web application/website (www. goes to 10.10.10.2:80; nagios. goes to 10.10.10.3; etc.). This nginx jail has no IPv6, since the www. jail has one and nagios. has one as well, so my IPv6 clients can connect to them directly, avoiding the nginx jail altogether.

Now the interesting part: I want to set up HTTPS (with letsencrypt). How can I do that? My current setup doesn't look like it could have SSL introduced easily. How do you manage your own setup with multiple sites and only one nginx? Perhaps my model is crap and I should rebuild it entirely. If you have pointers and other documentation to point me at, I'm all ears.

Cheers,

 

[SirDice]

The way I've set up my host is by using net/haproxy on the host. HAProxy then redirects, based on the Host: header, to specific jails. The nice part about HAProxy is that you can offload SSL there too. The connection between HAProxy and the webserver in a jail will remain HTTP.

This setup also allows you to run everything on one single internet IP address and run different webservers inside the jails. For example, one site could run on an Apache instance in jail1 and another site runs on NGINX in jail2. Due to the vast configuration possibilities of HAProxy you can even run half of the same site (dynamic content) on jail1 and the other half (static content) on jail2.