So the gist of what I am trying to do is set up the OPNsense NGINX plugin as a reverse proxy so that I can forward all my subdomains to the correct IP/port, all over HTTPS.
I set up the ACME plugin and have that working fine with Let's Encrypt and Cloudflare.
I turned on the WAP stuff.
I set up an upstream server / upstream / location / HTTP server, and when I try to navigate to the subdomain I get this.
(https://i.postimg.cc/tZsMgwmZ/Screenshot-2023-09-01-at-1-57-55-PM.png) (https://postimg.cc/tZsMgwmZ)
Upstream Server
(https://i.postimg.cc/PCmLgqXN/Screenshot-2023-09-01-at-2-00-34-PM.png) (https://postimg.cc/PCmLgqXN)
Upstream
(https://i.postimg.cc/PvpJ2XVX/Screenshot-2023-09-01-at-2-01-28-PM.png) (https://postimg.cc/PvpJ2XVX)
Location
- URL Pattern = /
- Enable Security Rules = Checked
- Upstream Servers = SeionServer NodeRed
- Force HTTPS = Checked
HTTP Server
- HTTP Listen Address = 80,[::]:80
- HTTPS Listen Address = 443,[::]:443
- Server Name = {MySubdomain.domain here}
- Locations = NodeRed Location (Location above)
- TLS Certificate = mysubdomain.doman (ACME Client)
- Client CA Certificate = R3 (ACME Client)
- HTTPS Only = Checked
Cloudflare has SSL Strict Mode on and Proxy "Cloud" off
I put the ACME client cert and key on the upstream server and told Node-RED to use them as well.
I need to know how to do this properly because I have a bunch of services running on the upstream server on different ports.
I had NGINX running on the upstream server just fine doing reverse proxy, so I am trying to transfer that config to the OPNsense NGINX proxy plugin.
One additional note: if I do a tcpdump of that port on the upstream server, I see traffic when I attempt to go to the subdomain.
Also, the HTTP access logs give a 502 status code.
nginx and backend error logs may give more info, but I would start by enabling SNI in the Location settings (TLS SNI Forwarding checkbox in Advanced settings) and setting the SNI name in the Upstream settings (TLS: Servername override), so the upstream knows what vhost is requested and what cert to use.
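For reference, here is the plain nginx equivalent of the settings the reply recommends, written as an added example rather than taken from the thread or from the OPNsense plugin's generated config. The mapping of the plugin's checkboxes to these directives is my assumption; the hostnames, address, ports and certificate paths are placeholders.

```nginx
# Placeholder for the "Upstream Server" entry (the host running Node-RED).
upstream nodered_backend {
    server 192.0.2.10:1880;
}

server {
    # "HTTPS Listen Address" = 443,[::]:443
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nodered.example.com;                      # "Server Name"

    # "TLS Certificate" issued by the ACME client (placeholder paths).
    ssl_certificate     /usr/local/etc/ssl/acme/fullchain.pem;
    ssl_certificate_key /usr/local/etc/ssl/acme/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # "Location" with URL Pattern = /
    location / {
        proxy_pass https://nodered_backend;

        # "TLS SNI Forwarding": include a server name in the TLS ClientHello
        # sent to the backend, so it can select the matching vhost and cert.
        proxy_ssl_server_name on;

        # "TLS: Servername override": the name to send. Without it nginx
        # uses $proxy_host, which here is the upstream group name
        # "nodered_backend", not the vhost the backend actually serves.
        proxy_ssl_name nodered.example.com;

        # Verify the backend certificate against a trusted CA bundle instead
        # of accepting any TLS peer; the name checked is proxy_ssl_name.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /usr/local/etc/ssl/ca-bundle.pem;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# "HTTPS Only" / "Force HTTPS": answer plain HTTP only with a redirect.
server {
    listen 80;
    listen [::]:80;
    server_name nodered.example.com;
    return 301 https://$host$request_uri;
}
```

If the backend's certificate does not match the name in proxy_ssl_name, proxy_ssl_verify makes the TLS handshake fail and nginx logs the reason in its error log alongside the 502.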