Author Topic: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL  (Read 48114 times)

wbk

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #45 on: September 26, 2021, 10:11:42 pm »
Hi Fright,

Thank you for your time and explanation!

Quote from: Fright on September 26, 2021, 08:55:40 pm
it looks like http\https methods and ports messed up:
Quote
(\x00k\xC0#\xC0'\x00g\xC0" 400 166
its 400 response code to http connection attempt on https port
Ah! I looked up some of the strings, and found more people complaining about similarly looking log records (so I did not look at the details). It explains why they did not appear anymore after ticking the 'HTTPS Only' box: now all traffic from nginx is sent as HTTPS to the upstream server.

Quote
and it is possible that the connection to the upstream is not fully configured:
it is better to set up a separate upstream for each site and specify the name in the TLS: Servername override field (don't forget to enable TLS SNI forwarding in Location settings)
Do I understand correctly that I will get:
  • 2 x Upstream Server (one for port 80, one for port 443)
  • 8 x Upstream (one for each of two domains, and six subdomains)
  • 1 x HTTP(S) Location (duplicate locations / are not allowed) (I think I can only select 1 upstream here, which one?)
  • 1 x HTTP(S) HTTP Server (with 8 labels in the 'Server Name' field)

Quote
for the debugging, you can try to disable the TLS: Verify Certificate in upstream settings. you can enable it later
This setting is absent in my version of OPNsense. I do have 'TLS: Trusted Certificate' set to 'Nothing selected', is that the same setting?

If you can find the time to guide me in the above questions, I will be looking forward to your reply. In the meantime I will try to change the configuration to reflect that situation.

« Last Edit: September 26, 2021, 10:49:19 pm by wbk »

wbk

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #46 on: September 27, 2021, 06:29:15 am »
Quote from: wbk on September 26, 2021, 10:11:42 pm
Quote
and it is possible that the connection to the upstream is not fully configured:
it is better to set up a separate upstream for each site and specify the name in the TLS: Servername override field (don't forget to enable TLS SNI forwarding in Location settings)
Do I understand correctly that I will get:
  • 1 x HTTP(S) Location (duplicate locations / are not allowed) (I think I can only select 1 upstream here, which one?)

Last night I realized: I might need a unique path to distinguish a location for each website. Is that correct?

fabian

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #47 on: September 27, 2021, 08:35:48 am »
No, you can also have a different subdomain.

Fright

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #48 on: September 27, 2021, 09:12:32 am »
Quote
1 x HTTP(S) Location (duplicate locations / are not allowed)
sorry, why you think so?
you can create several Locations with the same URL Pattern pointing to different Upstreams with different naxsi policies etc

fabian

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #49 on: September 27, 2021, 09:52:12 am »
Yes, but you should not assign them to the same HTTP server. Otherwise the behavior is undefined or it will not even start.

Fright

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #50 on: September 27, 2021, 10:41:33 am »
yep. in general: separate Server for each subdomain + separate locations (for each) pointing to separate Upstreams with specific names in TLS: Servername override field

wbk

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #51 on: September 27, 2021, 03:13:36 pm »
Hi, thanks both for your input!

Quote from: Fright on September 27, 2021, 09:12:32 am
Quote
1 x HTTP(S) Location (duplicate locations / are not allowed)
sorry, why you think so?
you can create several Locations with the same URL Pattern pointing to different Upstreams with different naxsi policies etc
Quote from: fabian on September 27, 2021, 09:52:12 am
Yes, but you should not assign them to the same HTTP server. Otherwise the behavior is undefined or it will not even start.

I thought it was not possible to have multiple identical locations (with only '/' in my case), because it gave an error when I assigned more than one of them to a single HTTP Server record. That won't be necessary of course, when I make 8 HTTP Server-records, each with its own Server Name.

To prevent HTTP/HTTPS mismatches, should I tick "HTTPS Only" where available, and leave "HTTPS Listen port" empty in HTTP Server?

Fright

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #52 on: September 27, 2021, 03:34:16 pm »
Quote
That won't be necessary of course, when I make 8 HTTP Server-records, each with its own Server Name
yes. in general (without knowing backend SNI config, certificates names and your upstream certs verifying requirements) it's more convenient to make separate Server for each subdomain

Quote
To prevent HTTP/HTTPS mismatches, should I tick "HTTPS Only" where available, and leave "HTTPS Listen port" empty in HTTP Server?
usually ports 80 and 443 are set on the Server and the "HTTPS Only" option is enabled.
it is more important that the Location and Upstream and Upstream Server settings are correct (this is where you had an error message, if I understood correctly): the port specified in the Upstream Server settings must correspond to the protocol specified in the Upstream settings
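The layout recommended in replies #50 and #52, written out as plain nginx directives. This is an added illustration, not part of any post and not the configuration the OPNsense plugin generates; host names, addresses and certificate paths are placeholders, and the mapping of the GUI fields ("HTTPS Only", "TLS: Servername override", "TLS SNI forwarding") to the directives in the comments is an assumption.

```nginx
# Constructed example: placeholder names, addresses and certificate paths.
# One upstream per site; the port must match the scheme used in proxy_pass.
upstream cloud_backend { server 192.0.2.10:443; }
upstream wiki_backend  { server 192.0.2.11:443; }

# Ports 80 and 443 are both served; port 80 only redirects to HTTPS
# (assumed to be what "HTTPS Only" amounts to).
server {
    listen 80;
    server_name cloud.example.org wiki.example.org;
    return 301 https://$host$request_uri;
}

# One server block per (sub)domain, each with its own "/" location.
# Two "/" locations inside one server block make nginx refuse to start
# with a 'duplicate location "/"' error.
server {
    listen 443 ssl;
    server_name cloud.example.org;
    ssl_certificate     /path/to/cloud.example.org/fullchain.pem;
    ssl_certificate_key /path/to/cloud.example.org/privkey.pem;

    location / {
        proxy_pass https://cloud_backend;       # https:// pairs with port 443 above
        proxy_set_header Host $host;
        proxy_ssl_server_name on;               # send SNI to the backend
        proxy_ssl_name cloud.example.org;       # name sent in SNI and checked in the cert
        proxy_ssl_verify on;                    # turn off only while debugging
        proxy_ssl_trusted_certificate /path/to/backend-ca.pem;
    }
}

server {
    listen 443 ssl;
    server_name wiki.example.org;
    ssl_certificate     /path/to/wiki.example.org/fullchain.pem;
    ssl_certificate_key /path/to/wiki.example.org/privkey.pem;

    location / {
        proxy_pass https://wiki_backend;
        proxy_set_header Host $host;
        proxy_ssl_server_name on;
        proxy_ssl_name wiki.example.org;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/backend-ca.pem;
    }
}
```

The file can be syntax-checked with `nginx -t -c <file>` once it is wrapped in the usual `events {}` and `http {}` blocks and the certificate paths point at real files.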

wbk

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #53 on: October 03, 2021, 05:17:07 pm »
Hi Fright, Fabian,

Thank you so much for the time you invested to explain this to me.

I still have not been able to make it work last week and postponed further experimentation to this weekend, but the weekend is almost over and I have not yet been able to return to the Nginx configuration.

For the time being I will be running with fewer websites and no reverse proxy.

I will return to the topic later on and in case I find the problem(s) and a working solution, I will post here for sure (as will I with more questions ;-) )

Thanks again!

@lex

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #54 on: December 25, 2021, 08:43:36 pm »
Hello !

Any progress ?

I'm struggling on my side.

Thanks !

wbk

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #55 on: December 27, 2021, 06:13:58 pm »
Quote from: @lex on December 25, 2021, 08:43:36 pm
Any progress ?

I'm struggling on my side.

Sorry for not writing any more. I have not been able to match the labels in the web interface with tutorials for Nginx. I hate to admit I threw in the towel (always carry a towel) and found a low budget VPS to host the service that I intended to proxy :-(

ccj47

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #56 on: December 18, 2022, 09:53:22 am »
Hi, how do I set proxy_hide_header Upgrade;?

I tried to add this proxy_hide_header Upgrade; manually to /usr/local/etc/nginx/nginx.conf but of course it will be removed by the plugin.

background:
iOS Nextcloud app cannot access the Nextcloud hosted behind the nginx reverse proxy plugin of opnsense.
https://help.nextcloud.com/t/unable-to-login-access-to-nextcloud-server-21-from-both-ios-app-and-ios-web-browsers/111911/2

My current solution:
For the Apache server behind nginx, add Header unset Upgrade in the corresponding VirtualHost section.

Fright

Re: [TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL
« Reply #57 on: December 18, 2022, 01:37:06 pm »
Hi
like https://forum.opnsense.org/index.php?topic=31234.0