NGINX + LetsEncrypt(ACME) Plugin help

Started by seion, September 01, 2023, 08:08:47 PM

September 01, 2023, 08:08:47 PM Last Edit: September 01, 2023, 08:10:31 PM by seion
So the gist of what I am trying to do is set up the OPNsense NGINX plugin as a reverse proxy so that I can forward all my subdomains to the correct IP/port, all over HTTPS.

I set up the ACME plugin and have that working fine with Let's Encrypt and Cloudflare.

I turned on the WAP stuff.

I set up an upstream server / upstream / location / HTTP server, and when I try to navigate to the subdomain I get this.

Upstream Server


Upstream


Location
- URL Pattern = /
- Enable Security Rules = Checked
- Upstream Servers = SeionServer NodeRed
- Force HTTPS = Checked

HTTP Server
- HTTP Listen Address = 80,[::]:80
- HTTPS Listen Address = 443,[::]:443
- Server Name = {MySubdomain.domain here}
- Locations = NodeRed Location (Location above)
- TLS Certificate = mysubdomain.doman (ACME Client)
- Client CA Certificate = R3 (ACME Client)
- HTTPS Only = Checked

Cloudflare has SSL Strict Mode on and Proxy "Cloud" off

I put the ACME Client Cert and Key on the upstream server and told nodered to use them also.

I need to know how to do this properly because I have a bunch of services running on the upstream server on different ports.

I had NGINX running on the upstream server just fine doing reverse proxy, so I am trying to transfer that config to the OPNsense NGINX proxy plugin.

One additional note: if I do a tcpdump of that port on the upstream server, I see traffic when I attempt to go to the subdomain.

Also, the HTTP access logs give a 502 status code.

NGINX and backend error logs may give more info, but I would start by enabling SNI in Location settings (TLS SNI Forwarding checkbox in Advanced settings) and setting the SNI name in Upstream settings (TLS: Servername override), so the upstream knows what vhost is requested and what cert to use.
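What those two plugin settings amount to in plain nginx terms, as an added illustration that is not the OPNsense-generated config and not code from either poster. The backend address, port, hostname and certificate paths are all placeholders; the two directives that matter are `proxy_ssl_server_name` and `proxy_ssl_name`, both from the standard ngx_http_proxy_module.

```nginx
# Added illustration, not the plugin's generated config. All names are placeholders.
upstream nodered_backend {
    # assumed backend address and port for the Node-RED service
    server 192.0.2.10:1880;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nodered.example.com;

    # certificate the ACME plugin issued for the public name (paths assumed)
    ssl_certificate     /path/to/nodered.example.com/fullchain.pem;
    ssl_certificate_key /path/to/nodered.example.com/privkey.pem;

    location / {
        proxy_pass https://nodered_backend;

        # "TLS SNI Forwarding": include an SNI extension in the handshake
        # nginx performs towards the backend (default is off)
        proxy_ssl_server_name on;

        # "TLS: Servername override": the name to send in that SNI field.
        # It must match a name the backend's certificate actually covers.
        proxy_ssl_name nodered.example.com;

        # Recommended: verify the backend certificate rather than trusting it
        # blindly. With verification on, proxy_ssl_name is also the name
        # checked against the certificate. Bundle path assumed.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/ca-bundle.pem;
        proxy_ssl_verify_depth 2;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With `proxy_ssl_server_name` off, nginx opens the backend TLS connection without any SNI, so a backend that hosts several names has to fall back to its default certificate, and a backend that requires SNI refuses the handshake outright; either way the upstream connection fails and the browser sees a 502 while tcpdump on the backend still shows packets arriving. To see which certificate the backend actually presents for a given name before touching the proxy, run `openssl s_client -connect <backend>:<port> -servername nodered.example.com` from the firewall and compare the subject and SAN with the name you intend to put in the override. Note also that an HTTP server's "Client CA Certificate" field, if it maps to nginx's `ssl_client_certificate`, governs verification of certificates presented by browsers to the proxy, not the proxy's own connection to the backend.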