OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Brashquido on May 24, 2025, 10:22:47 AM

Title: NGINX Upstream TLS Verification?
Post by: Brashquido on May 24, 2025, 10:22:47 AM
Hi All,

Looking to use NGINX as a WAF for my self-hosted WordPress site (running in a Turnkey LXC container) and am completely lost in regard to getting TLS to work all the way through to my internal server without unchecking the Configuration > Upstream > TLS: Verify Certificate option, which is also accompanied by the text, "Don't turn it off unless you really know what you are doing! Never do it because a random website tells you to do."

What I have done so far on my OPNsense router:

Seems to work fine on HTTP; however, HTTPS only seems to work with the above-mentioned TLS: Verify Certificate option disabled. NGINX HTTPS error logs have entries including text such as
SSL_do_handshake() failed (SSL: error:0A00010B:SSL routines::wrong version number) while SSL handshaking to upstream
Is this referring to the Apache web server my WordPress LXC is using? Are there certain upstream Apache configuration items that have to be set for this to work? What are the implications of having this TLS: Verify Certificate option turned off?
 
Title: Re: NGINX Upstream TLS Verification?
Post by: RamSense on May 24, 2025, 09:46:16 PM
I'm not using a Turnkey LXC container, but Docker. I think your container has no SSL certificate and gives nginx the error "SSL routines::wrong version number) while SSL handshaking to upstream".

When you set upstream - upstream Enable TLS (HTTPS) [to disable, not selected]

(and your https - http server - [your servername] - HTTPS Only [enabled])

you should get nginx to handle the SSL and get an HTTPS connection to your container.
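The two setups the thread is choosing between, written out as plain nginx configuration. This is an added example, not configuration from the thread or from the OPNsense nginx plugin (which generates its own config from the GUI); the addresses, host names and file paths are assumed, and so is the correspondence between GUI options and directives ("Enable TLS (HTTPS)" on the upstream is taken to decide whether proxy_pass uses https://, and "TLS: Verify Certificate" to map to proxy_ssl_verify). Option A is what the reply above describes; option B keeps verification on all the way to the container.

```nginx
# Added example, not the OPNsense plugin's generated config.
# Assumptions: the WordPress container is reachable at 10.0.0.20, Apache
# listens on 80 (plain HTTP) and 443 (TLS) with a certificate for
# wp.internal.example issued by an internal CA (/etc/ssl/internal-ca.crt);
# nginx's own public certificate lives at /etc/ssl/wp.example.com.{crt,key}.

# --- Option A: nginx terminates TLS, plain HTTP to the container.
# (upstream "Enable TLS (HTTPS)" unchecked; clients still only ever see HTTPS)
upstream wordpress_http {
    server 10.0.0.20:80;
}

server {
    listen 443 ssl;
    server_name wp.example.com;
    ssl_certificate     /etc/ssl/wp.example.com.crt;
    ssl_certificate_key /etc/ssl/wp.example.com.key;

    location / {
        proxy_pass http://wordpress_http;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;   # tells WordPress the client used HTTPS
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

# --- Option B: TLS end to end, certificate verification kept on.
# "SSL routines::wrong version number" during the upstream handshake is what
# nginx reports when it is told to speak TLS to a port that answers in plain
# HTTP (e.g. proxy_pass https://10.0.0.20:80), so the upstream has to point at
# the port where Apache really serves TLS, and the certificate Apache presents
# must chain to the CA named here and carry the name given in proxy_ssl_name.
upstream wordpress_https {
    server 10.0.0.20:443;
}

server {
    listen 443 ssl;
    server_name wp-e2e.example.com;   # second hostname, assumed for this example
    ssl_certificate     /etc/ssl/wp.example.com.crt;
    ssl_certificate_key /etc/ssl/wp.example.com.key;

    location / {
        proxy_pass https://wordpress_https;
        proxy_ssl_verify              on;                        # the GUI's "TLS: Verify Certificate"
        proxy_ssl_verify_depth        2;                         # allow one intermediate CA
        proxy_ssl_trusted_certificate /etc/ssl/internal-ca.crt;  # CA that signed the container's cert
        proxy_ssl_name                wp.internal.example;       # name the container's cert must match
        proxy_ssl_server_name         on;                        # send SNI so Apache picks the right vhost
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With option A, the hop from the router to the container is unencrypted and unauthenticated, which is only acceptable if that network segment is trusted. With option B and proxy_ssl_verify off, nginx still encrypts the hop but accepts whatever certificate the other end presents, so the router has no way to tell the real container from anything else answering on that address; that is the implication the GUI warning is pointing at, and why the better fix is to give Apache a certificate from a CA nginx is told to trust rather than to disable the check.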