I’m setting up a small network with multiple web services, including an OpenVPN Access Server. I’ve got one public IP and want to use subdomains to point to different services. I’ve tried using NGINX as a reverse proxy, which works fine for HTTP, but I’m running into issues with HTTPS and self-signed certificates.
My main problem is getting NGINX to accept self-signed certs from backend servers, especially for the OpenVPN web interface. I can access it directly via HTTPS, but through the proxy, I get a security error.
Here’s a simplified version of my current NGINX config:
server {
    listen 443 ssl;
    server_name vpn.example.com;

    # Certificate presented to browsers for vpn.example.com (placeholder paths;
    # nginx will not load a "listen 443 ssl" server block without these).
    ssl_certificate     /etc/nginx/certs/vpn.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/vpn.example.com.key;

    location / {
        # OpenVPN Access Server web interface on the internal network
        proxy_pass https://192.168.1.10:443;
        # Skip verification of the backend's self-signed certificate
        proxy_ssl_verify off;
    }
}

server {
    listen 80;
    server_name site.example.com;

    location / {
        # Plain HTTP backend
        proxy_pass http://192.168.1.20:80;
    }
}
How can I make this work with self-signed certs? Also, is NGINX the best tool for this setup, especially if I need to scale in the future? Any advice on alternative solutions would be appreciated.
NGINX is indeed a solid choice for your reverse proxy setup, but you’re right to be concerned about the SSL certificate issues. For your self-signed certificates, you might want to add the ‘proxy_ssl_verify off;’ directive to your location block. This tells NGINX to skip verification of the backend’s certificate.
Additionally, consider adding ‘proxy_ssl_server_name on;’ to enable SNI support, which can help with multiple backend servers. If you’re still facing issues, you may need to specify the backend’s certificate with ‘proxy_ssl_certificate’ and ‘proxy_ssl_certificate_key’ directives.
For future scalability, you might want to look into containerization with Docker and orchestration with Kubernetes. This approach can make scaling and managing multiple services much easier as your network grows.
hey, have you tried using Let's Encrypt for your certs?
if still on self-signed, try adding ‘proxy_ssl_trusted_certificate’.
curious, what other services are you prototyping? maybe HAProxy might be cool for scaling.
oh btw, have you checked SELinux settings?
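A worked version of the proxy_ssl_trusted_certificate approach from the reply above, added here as an example (it is not config from the original poster or from any reply). It shows the weak setting next to the corrected one; the certificate paths and the name the backend certificate was issued for are assumptions.

```nginx
# Added example: verify the OpenVPN AS backend's self-signed certificate
# instead of turning verification off. Paths and names are placeholders.

server {
    listen 443 ssl;
    server_name vpn.example.com;

    # Public-facing certificate for vpn.example.com (placeholder paths).
    ssl_certificate     /etc/nginx/certs/vpn.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/vpn.example.com.key;

    location / {
        proxy_pass https://192.168.1.10:443;

        # Weak setting: no check of the backend certificate at all, so any
        # host answering on 192.168.1.10:443 is accepted.
        # proxy_ssl_verify off;

        # Corrected: keep verification on and trust exactly one certificate,
        # the backend's own self-signed cert, copied from the OpenVPN AS host
        # out of band (placeholder path). A self-signed cert validates against
        # itself when it is the trusted file, so verify_depth 1 is enough.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        1;
        proxy_ssl_trusted_certificate /etc/nginx/certs/openvpn-as-backend.crt;

        # Send SNI and check the cert against this name rather than the IP
        # from proxy_pass. Assumption: the backend cert carries this name in
        # its CN or SAN; otherwise set proxy_ssl_name to whatever it does carry.
        proxy_ssl_server_name on;
        proxy_ssl_name        vpn.example.com;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Pass the original host and client address through to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

When the backend certificate is regenerated (OpenVPN AS does this if its hostname changes), the trusted file has to be replaced too, otherwise nginx returns a 502 for that location; `nginx -t` will not catch a stale pin, only a missing file.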
yo, have you tried adding proxy_ssl_session_reuse on; to your config? it might help. also, check if your backend server's using the right cipher suites. for scaling, maybe look into Traefik - it's pretty neat for container setups. good luck with your project!