NGINX config for TLS passthrough with multiple services?
I am trying to set up a reverse proxy server, with TLS passthrough.
I am behind CGNAT, so I cannot forward any ports from my home server. So, my current workaround was that I connected my home server to a VPS via WireGuard and used Nginx Proxy Manager (NPM) to proxy services running on different docker containers to the VPS, so that they are accessible publicly. But now I want to use TLS passthrough for better privacy. But I cannot find any guides for my case.
I need help with 2 issues, basically. Let's take a look at my `passthrough.conf` file, which I have included in the `nginx.conf` file.

```nginx
stream {
    # Listen for incoming TLS connections on service1.domain.me
    server {
        listen 443;
        proxy_pass service1.domain.me;
        proxy_ssl on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_name $ssl_preread_server_name;
    }

    # Listen for incoming TLS connections on service2.domain.me
    # server {
    #     listen 443;
    #     proxy_pass service2.domain.me;
    #     proxy_ssl on;
    #     proxy_ssl_protocols TLSv1.2 TLSv1.3;
    #     proxy_ssl_name $ssl_preread_server_name;
    # }

    # Define the backend server for service1.domain.me
    upstream service1.domain.me {
        server homeserverIP:port;
    }

    # Define the backend server for service2.domain.me
    # upstream service2.domain.me {
    #     server homeserverIP:port;
    # }
}
```
The services are running in docker containers on different ports. When I used two server blocks and two upstream blocks, I got this error while testing the NGINX config: `nginx: [emerg] duplicate "0.0.0.0:443" address and port pair in /etc/nginx/passthrough.conf:13`. So, I commented out the other server block and tested it again. The test was successful, but NGINX failed to restart. When I checked `systemctl status`, I saw: `nginx[2480644]: nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)`. This is because I am already hosting multiple WordPress sites on this VPS.
Here's my `nginx.conf` file:

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    client_max_body_size 100M;
    server_tokens off;
}

#include /etc/nginx/passthrough.conf;
```
I do not know much about NGINX configuration; any help or article links would help.
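One way to do the SNI-based passthrough described in the post, as an added example that is not the poster's config: a single `stream{}` listener on 443 uses `ssl_preread` to choose an upstream from the SNI name without terminating TLS, and the existing WordPress `http{}` servers move to a loopback port so that only the stream listener binds 0.0.0.0:443. It assumes `ngx_stream_module` is loaded via `modules-enabled`, that the home services are reachable over the WireGuard tunnel at the placeholder address 10.0.0.2 on placeholder ports, and that this file is included at the top level of `nginx.conf`, outside `http{}`.

```nginx
# Added example (not the poster's config). Placeholders: 10.0.0.2 is the home
# server's WireGuard address, 8081/8082 are the docker-published ports, and
# 127.0.0.1:8443 is where the existing WordPress http{} servers are moved to
# (change their "listen 443 ssl;" to "listen 127.0.0.1:8443 ssl;").
stream {
    # Choose a backend from the SNI hostname in the ClientHello, before any
    # decryption. Unknown hostnames and SNI-less clients fall through to the
    # local WordPress sites instead of being forwarded into the home network.
    map $ssl_preread_server_name $backend {
        service1.domain.me  service1;
        service2.domain.me  service2;
        default             wordpress;
    }

    upstream service1  { server 10.0.0.2:8081; }   # home server, via WireGuard
    upstream service2  { server 10.0.0.2:8082; }   # home server, via WireGuard
    upstream wordpress { server 127.0.0.1:8443; }  # local http{} servers, loopback only

    server {
        listen 443;                 # the only 0.0.0.0:443 listener in the whole config
        ssl_preread on;             # populate $ssl_preread_server_name; TLS is not terminated
        proxy_pass $backend;
        proxy_connect_timeout 5s;   # fail fast if the tunnel or container is down
        # No proxy_ssl here: the VPS relays opaque TLS records, so it never
        # holds the home services' keys or plaintext. Each home service must
        # present its own certificate for its hostname.
        # Optional: "proxy_protocol on;" here plus "listen 127.0.0.1:8443 ssl
        # proxy_protocol;" in the WordPress server blocks keeps real client IPs
        # in the WordPress access logs instead of 127.0.0.1.
    }
}
```

With the WordPress server blocks bound to 127.0.0.1:8443, `nginx -t` sees one 0.0.0.0:443 listener and the duplicate-address error disappears; check with `ss -ltnp` that nothing else still holds port 443 before reloading.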