Nginx Plugin and Use

Started by spetrillo, August 17, 2024, 05:51:53 PM

Hello all,

I have two Plesk servers that I manage, one test and one production. Each server has an Nginx/Apache deployment. I cannot seem to figure out how to allow the websites from each server to peacefully coexist through one public IP, so my thought was to move the Nginx processing up to the firewall, which would then have access to both servers.

I am not a web guy at all. I am a lower level infrastructure guy, so Nginx/Apache is Greek to me. I have the Nginx configuration from my test server and am trying to see how it lines up to the Nginx plugin on OPNsense. Is there anyone out there who is using the Nginx plugin with vhosts? I would love to have a discussion on how I can try to implement the plugin.

Thanks,
Steve

The problem with two managed Plesk servers through one public IP is that traffic has to be sent to each server determined by SNI and Host header.

The problem here is, when both Plesk servers have users putting random new domains in them, you have no control from a reverse proxy which server should receive them while they are created.

In the Caddy plugin for example there is a new Layer 4 module since 1.6.2, it allows to match SNI and send traffic directly to a server.

Though for managed domains, it could just send all unknown SNI to one of them. The other server would always have to match the SNI directly.

So, there really is no way to use one IP for two Hosting Panels with a reverse proxy when the domains are not controlled.

For that you would need to use the API and reconfigure the reverse proxy whenever a user on one of these servers makes a change.

https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-layer4-routes
Hardware:
DEC740
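To make the SNI point concrete, here is an added example (not code from the thread, the OPNsense Caddy plugin, or Plesk) of the decision a Layer 4 router has to make: it reads the server_name extension out of the TLS ClientHello, looks the name up in an explicit SNI-to-backend table, and sends anything it does not recognise to a single default backend. The hostnames, backend addresses and the ClientHello bytes are all constructed for the example; the hypothetical `SNI_ROUTES` table stands in for whatever routes the proxy has been configured with.

```python
"""Minimal SNI-based routing decision, as made by a Layer 4 reverse proxy.

Added example (not from the forum thread). It parses the server_name
extension out of a TLS ClientHello record and picks a backend from an
explicit SNI -> backend table, falling back to one default backend for any
unknown or absent SNI. That fallback is the limitation discussed above: a
domain a user just created on the *other* panel is unknown to the proxy and
so can only ever land on the catch-all server until the proxy is updated.
All names and addresses below are constructed placeholders.
"""
import struct
from typing import Optional, Tuple

# Constructed routing table: only the names the proxy has been told about.
# Assumption: 203.0.113.20 is the test panel, 203.0.113.10 the prod panel.
SNI_ROUTES = {
    "app.example.test": "203.0.113.20:443",   # hypothetical vhost on the test server
}
DEFAULT_BACKEND = "203.0.113.10:443"         # everything unknown goes to prod


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal, well-formed TLS 1.2 ClientHello record.
    Constructed test input only; not a complete handshake."""
    body = b"\x03\x03" + b"\x00" * 32          # client_version + 32-byte random
    body += b"\x00"                            # session_id length 0
    body += b"\x00\x02\x13\x01"                # one cipher suite
    body += b"\x01\x00"                        # one compression method: null
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None
    if the client sent no SNI. Raises ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                 # skip version + random
    sid_len = p[pos]; pos += 1 + sid_len         # session_id
    cs_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = p[pos]; pos += 1 + cm_len           # compression_methods
    if pos + 2 > len(p):
        return None                              # no extensions block at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4]); pos += 4
        edata = p[pos:pos + elen]; pos += elen
        if etype != 0x0000:
            continue
        # ServerNameList: 2-byte list length, then (name_type, length, name) entries
        q = 2
        while q + 3 <= len(edata):
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0:
                return edata[q:q + nlen].decode("idna")
            q += nlen
    return None


def choose_backend(record: bytes) -> Tuple[Optional[str], str]:
    """Route one ClientHello: returns (sni_seen, backend). Unknown or absent SNI
    is sent to DEFAULT_BACKEND; the proxy has nothing else to go on before the
    TLS session is decrypted."""
    sni = extract_sni(record)
    return sni, SNI_ROUTES.get(sni, DEFAULT_BACKEND)


if __name__ == "__main__":
    for name in ("app.example.test", "new-site.example.test", None):
        print(name, "->", choose_backend(build_client_hello(name)))
```

Run it and the first name reaches the test backend because it is in the table, while the freshly created `new-site.example.test` and a client that sends no SNI at all both land on the default (prod) backend. Keeping the table in step with the domains users create on each panel is the reconfiguration-via-API step the post above mentions.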

@monviech welcome and good luck in your new role!

I have a /27 of public IPs, so I could use another out of this block for my test Plesk server. The question is how do I tell OPNsense that I have a second WAN IP? I do not see any way of configuring OPNsense. These are static IPs.

Thank you.

You just put a second static IP on your WAN interface via virtual IP.

https://docs.opnsense.org/manual/firewall_vip.html
Hardware:
DEC740

Quote from: Monviech on August 17, 2024, 08:23:51 PM
Thank you.

You just put a second static IP on your WAN interface via virtual IP.

https://docs.opnsense.org/manual/firewall_vip.html

So I added the virtual IP but I see no place to add it to the existing WAN interface?

So I was able to figure out how to add the virtual IP and then associate it to the upstream gateway. Now the question is how to get Let's Encrypt to successfully drop a cert down on the test server. It's failing, saying the public IP does not match the server IP.

My port forwards are defined for the test server, using the virtual IP as the WAN virtual IP address, not the WAN interface name. I think I did that right.

Better use a 1:1 NAT so the server answers from the right source IP, too.
Hardware:
DEC740

Should I also do a 1:1 NAT for the prod server?

I do not know what you should do, you have to decide that for yourself.

You just have to make sure the servers always answer from their correct IP.

And for that you either use correct port forward and outbound NAT per server, or 1:1 NAT.
Hardware:
DEC740

If I go down the path of a 1:1 NAT do I:

1) Use BiNAT or NAT?
2) Do I turn off all other port forwards?
3) Do I need a firewall rule still?
4) Is there anything else I need when defining the interface alias?

Thanks,
Steve