Guidelines request: moving from NAT to reverse proxy configuration

Started by shade_ch, January 29, 2025, 12:26:57 PM

Hello,

Here is my context:
  • I'm currently running a Jitsi instance on server S1 which is located in a DMZ of my network.
  • The Jitsi instance (call it SE1) is accessible via https://olddomainname.com:custom_port/.
  • On S1, another service is also running (call it SE2) which is listening on port 443.
  • Both SE1 and SE2 also use other ports for UDP.
  • My Opnsense firewall's NAT is configured to forward required ports.
  • Access from the WAN is limited to the ports required by these two services (i.e. all other incoming traffic is blocked).

Now I need to do the following:

  • SE1 has now to be accessible via https://meet.newdomainname.com/ (port 443).
  • As the port is already in use by SE2, and as SE1 and SE2 are to be reachable using different domain names, I need to use a reverse proxy and configure OpnSense accordingly.

So my question is: how do I have to configure Opnsense to achieve this?

My guess is that I will need to install a reverse proxy plugin on Opnsense, however...:

  • Which plugin should I select and what criteria should I use to select it? (haproxy, nginx, other?)
  • Once installed, what do I have to configure exactly? The plugin itself seems obvious, but what else should I be aware of? I guess that I'll have to remove existing NAT and firewall rules corresponding to SE1 and SE2 for instance.
  • Will I have to create new rules in the firewall (or do the plugins create them automagically as for NAT rules?)
  • Will I have to configure Opnsense to handle the certificates for meet.newdomain.com and olddomain.com (as currently this is handled on S1 and not on Opnsense)?
  • Will I have to reconfigure SE1 and SE2 to work in HTTP mode instead of HTTPS (as they will now be behind a reverse proxy)?
  • Anything else?

Note: The DNS is already pointing meet.newdomainname.com to my WAN IP.

Thanks in advance for your help!

Michel

The choice for a specific reverse proxy is up to you, the criteria have been discussed before. HAproxy is a little more complex to set up, with more room for errors than Caddy, but offers more flexibility. Otherwise, they can do much the same thing - i.e. redirect name-based HTTP(S) requests to internal IPs and provide TLS termination.

For both plugins, there are detailed setup guides in the tutorial section, including all the aspects you asked for.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+
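To make the "name-based requests to internal IPs plus TLS termination" part concrete, here is an added example that is not from this thread or from the OPNsense Caddy plugin: a plain Caddyfile expressing what the plugin's GUI generates for the two hostnames in the question. The backend address 192.0.2.10, the backend port 8443 for SE1 and the ACME contact address are placeholders; the real values are whatever S1 and the custom port are in your setup.

```caddyfile
# Added example, not part of the thread. Equivalent of what the OPNsense
# Caddy plugin builds from its GUI fields; 192.0.2.10 and port 8443 are
# placeholders for S1 in the DMZ and for SE1's current custom port.
{
    # ACME contact (placeholder). Caddy obtains and renews the public
    # certificates for the site names below, so S1 no longer has to.
    email admin@example.invalid
}

# SE1 (Jitsi): reachable on 443 under the new name. The backend keeps
# serving HTTPS on its custom port, so Caddy re-encrypts towards it.
meet.newdomainname.com {
    reverse_proxy 192.0.2.10:8443 {
        transport http {
            tls
            # Verify the backend certificate against the name it was
            # issued for (the old name), not against the bare IP.
            tls_server_name olddomainname.com
        }
    }
}

# SE2: old name, backend already on 443 on the same host.
olddomainname.com {
    reverse_proxy 192.0.2.10:443 {
        transport http {
            tls
            tls_server_name olddomainname.com
        }
    }
}
```

Two caveats for the questions in the opening post: first, a reverse proxy only carries the TCP 443 traffic, so the UDP media ports both services use still need their existing NAT port forwards; only the forwards for TCP 443 and SE1's custom port have to go, because a port forward for 443 to S1 would divert the traffic before Caddy ever sees it. Second, the proxy listens on the firewall itself, so a WAN rule allowing TCP 80/443 to the firewall (not to S1) is needed; WebSocket upgrades, which Jitsi relies on, pass through `reverse_proxy` without extra configuration.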

Quote from: meyergru on January 29, 2025, 12:43:27 PM
> For both plugins, there are detailed setup guides in the tutorial section, including all the aspects you asked for.

Thank you, installed Caddy according to the documentation and indeed the configuration was straightforward (way easier compared to nginx).