Nginx without Let's Encrypt for multiple webservers

Started by gustaf, April 14, 2024, 01:41:22 PM

April 14, 2024, 01:41:22 PM Last Edit: April 14, 2024, 04:33:57 PM by gustaf
Hello, I'm trying to set up Nginx as a transparent reverse proxy on OPNsense (if I understand the terminology correctly, I'm a newbie at web stuff...)
What I want to achieve:
  • VPN provider with 1 static IP
  • OpenVPN instance on OPNsense
    • Nginx on OPNsense
      • Main webserver for "production" @ 192.168.1.10 www.prodsite.tld
      • Test webserver @ 192.168.1.15 www.testsite.tld
Reasoning:
- The webservers are NOT for real world production. Security is welcome but not paramount
- My ISP won't provide a static IP, hence the VPN which is up and running with the new instance config
- The VPN provider also supplies PTR records, enabling the webservers to each provide mail services in addition to websites
- A full test server is nice because I can test stuff without worrying about downtime on the production machine, so I won't migrate testsite.tld to the main webserver
- Each webserver takes care of its own certificates, so adding Let's Encrypt would just increase overhead. I want to pass through the existing certificates
- Up until now I had 2 OPNsense boxes each with their own VPN and IP, but this is cumbersome and costly to maintain, hence my interest in Nginx, which to me looks like the most capable reverse proxy available in OPNsense
- I might setup other web facing services if this goes well, such as an Owncloud/Nextcloud
- I have looked at various tutorials such as https://forum.opnsense.org/index.php?topic=24778.0, but they all use Let's Encrypt. I'm not versed enough in this stuff to understand what I need to change and how. It looks like I might need to use the Data Stream section (see https://forum.opnsense.org/index.php?topic=10523.0)?

The question: how am I supposed to set nginx up?

Thank you for your support :)

Not trying to get you away from using nginx, it is a very powerful plugin.

But maybe caddy can serve your more simple use case better? It's just a few clicks and it's running. (Only not when you want to serve OpenVPN on TCP 443 on the same OPNsense.)

https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-tutorials
Hardware:
DEC740

Thank you Monviech for your suggestion.

I had a look at the docu you linked, and I have a few questions:
- I need to forward traffic on a whole array of ports, does caddy support this? Here's the list:
Enjoy your accelerated Internet by
                CyberPanel & OpenLiteSpeed
###################################################################
Please make sure you have opened following port for both in/out:
TCP: 8090 for CyberPanel
TCP: 80, TCP: 443 and UDP: 443 for webserver
TCP: 21 and TCP: 40110-40210 for FTP
TCP: 25, TCP: 587, TCP: 465, TCP: 110, TCP: 143 and TCP: 993 for mail service
TCP: 53 and UDP: 53 for DNS service

- It looks like caddy relies on external dns resolution. Both my webservers are the authoritative DNS servers for their domains. Glue records are set at the registrar, will these suffice?

No it doesn't, that's only possible with TCP/UDP streams. From what you have written, I thought it would just be a few web apps that you want to proxy.

Nginx is the best choice for you.
Hardware:
DEC740
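As an added illustration of what "TCP/UDP streams" means in nginx terms (this is not config from the thread, nor from the OPNsense nginx plugin), here is a raw nginx `stream` block that forwards the ports from the CyberPanel list to the two backends without terminating TLS, so each webserver keeps its own certificate. Backend addresses and hostnames are the ones gustaf posted. Assumptions: the OPNsense plugin's Upstream and Stream pages generate directives of this kind from GUI fields rather than taking a file like this verbatim, the nginx package is built with the `ssl_preread` module, and on OPNsense the `listen` lines would be bound to the VPN interface address instead of all addresses.

```nginx
# Added example, not the thread's or the OPNsense plugin's own config.
# Belongs at the top level of nginx.conf, beside (not inside) the http {} block.
stream {
    # HTTPS: choose the backend from the SNI field of the TLS ClientHello.
    # Nothing is decrypted, so each webserver keeps serving its own certificate.
    map $ssl_preread_server_name $https_backend {
        hostnames;                          # lets ".domain" match domain and *.domain
        .prodsite.tld   192.168.1.10:443;
        .testsite.tld   192.168.1.15:443;
        default         192.168.1.10:443;   # no or unknown SNI: send to production
    }
    server {
        listen 443;                         # on OPNsense: bind to the VPN-assigned IP
        ssl_preread on;
        proxy_pass $https_backend;
    }

    # Implicit-TLS mail ports (SMTPS 465, IMAPS 993) also start with a ClientHello,
    # so the same SNI routing works. Map to a host; the port is appended per server.
    map $ssl_preread_server_name $mail_host {
        hostnames;
        .prodsite.tld   192.168.1.10;
        .testsite.tld   192.168.1.15;
        default         192.168.1.10;
    }
    server { listen 465; ssl_preread on; proxy_pass $mail_host:465; }
    server { listen 993; ssl_preread on; proxy_pass $mail_host:993; }

    # Plain HTTP carries no SNI at the stream layer: one backend per port,
    # unless port 80 is instead terminated in an http {} block and routed by Host.
    server { listen 80;  proxy_pass 192.168.1.10:80; }

    # STARTTLS ports begin in cleartext, so the first bytes do not name a domain.
    # With a single public IP, each of these can only reach one backend.
    server { listen 25;  proxy_pass 192.168.1.10:25; }
    server { listen 587; proxy_pass 192.168.1.10:587; }
    server { listen 110; proxy_pass 192.168.1.10:110; }
    server { listen 143; proxy_pass 192.168.1.10:143; }

    # Same one-backend limit for DNS, the FTP control port, the CyberPanel port,
    # and HTTP/3 (QUIC on UDP 443): ssl_preread does not parse QUIC packets.
    server { listen 53;      proxy_pass 192.168.1.10:53; }
    server { listen 53 udp;  proxy_pass 192.168.1.10:53; }
    server { listen 443 udp; proxy_pass 192.168.1.10:443; }
    server { listen 21;      proxy_pass 192.168.1.10:21; }
    server { listen 8090;    proxy_pass 192.168.1.10:8090; }
    # The passive FTP range 40110-40210 is not expressible here: nginx listen
    # takes one port, so that range is a job for an OPNsense NAT port forward.
}
```

Two consequences worth checking before relying on this: the backends see the OPNsense box as the client address for every connection (their logs and rate limits lose the real source unless PROXY protocol or transparent proxying is enabled and the backend is configured to accept it), and since UDP/TCP 53 can only go to one host, only one of the two webservers can actually be reached as an authoritative nameserver through the single VPN IP, which affects the glue-record plan for the other domain.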

Gotta learn how to stream then. Thank you for confirming I was more or less headed the right way Monviech.

If you or other forum members could give suggestions, or guidance of any kind, it's going to be a lot of help :)