nginx proxy forward 443

I have a reverse proxy running on port 80 to serve as a "gateway" to update Let's Encrypt certificates on VMs inside my network. This reverse proxy is only exposed for 5 minutes per week on port 80 for this reason. I have a number of domains that pass through this server to be forwarded to their internal IP addresses. This all works fine; however, there is one server exposed to the internet on port 443. When I make a request to the correct domain name using https, all is fine. When I use one of the other domains, I of course get an invalid certificate error. That is why I was thinking of routing port 443 traffic through the reverse proxy, so I'll be able to block traffic not targeting the one domain that is exposed and running on 443. Nginx, however, expects a valid certificate, which I can't give it because it's on another server.

The server I'm running on port 443 is Kerio Mailserver. Maybe there is something I can do there to force the use of only one domain name?

Is there a way of handling this? Just in case you're wondering: the other servers don't need exposing.


Solution 1:

I see no reason why you can't proxy both HTTP and HTTPS traffic through NGINX. So you can:

  • keep and renew all the certificates on the NGINX host,
  • proxy the requests to the VMs through HTTP. If I understand correctly they are all on the same physical host, so the plaintext traffic would go only through virtual network interfaces,
  • keep the HTTP port on NGINX open at all times and use it to renew the certificates and (HTTP) redirect plain traffic to the HTTPS port.

Edit: If you also want to encrypt the traffic between NGINX and the VMs or, as you remark in a comment, you don't want to use NGINX for connections from the local network, you can use a local Certification Authority for the internal servers.

From your perspective it is much safer, since a local CA is more trustworthy than an external authority. You just need to add it to all computers in the local network and you can issue long term certificates without renewing them every 60 days.
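The layout described in this answer, written out as an nginx configuration. This is an added example and not configuration from the question, the answer or Kerio; the domain `mail.example.com`, the internal VM address `10.0.0.5`, the ACME webroot `/var/www/acme` and the certificate paths are assumptions. Port 80 stays open for HTTP-01 challenges and redirects everything else to HTTPS; on 443 only the one exposed name is served, and a catch-all `default_server` with `ssl_reject_handshake` (nginx 1.19.4 or later) aborts the TLS handshake for every other SNI, so the other domains never reach the point of presenting a mismatched certificate.

```nginx
# Added example (not from the question, the answer or Kerio).
# Assumed: mail.example.com is the only exposed name, the backend VM is
# 10.0.0.5 on the virtual network, the ACME client writes to /var/www/acme.

events {}

http {
    # Port 80 for every domain: serve HTTP-01 challenges, redirect the rest.
    server {
        listen 80 default_server;
        server_name _;

        location ^~ /.well-known/acme-challenge/ {
            root /var/www/acme;              # assumed ACME webroot
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Port 443 catch-all: any SNI not matched below gets the handshake
    # aborted (no certificate needed here; requires nginx >= 1.19.4).
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    # Port 443 for the single exposed domain; certificates live on this host.
    server {
        listen 443 ssl;
        server_name mail.example.com;

        ssl_certificate     /etc/letsencrypt/live/mail.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mail.example.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Plaintext only between nginx and the VM on the virtual network.
            proxy_pass http://10.0.0.5:80;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Check it with `nginx -t` before reloading, then verify the blocking with `openssl s_client -connect <public-ip>:443 -servername other.example.com`: the handshake should fail outright instead of returning the mail server's certificate. If the mail server has to keep terminating TLS itself, the same SNI-based filtering can be done without a certificate on nginx by using the `stream` module with `ssl_preread` to pass the raw TLS connection through to `10.0.0.5:443` only for the allowed name; note that one address:port can be bound by either the `http` or the `stream` block, not both.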