Nginx as Reverse Proxy traffic via Green interface

Hi Guys,
I need some assistance …
I have deployed nginx as a Reverse Proxy and the current configuration is like below.
www.test.co.th (Internet) <-> Red0 interface <-> Internal Web Server.

Is it possible to avoid the Red interface connecting directly to the internal Web Server, like below?
www.test.co.th (Internet) <-> Red0 interface <-> Green0 interface <-> Internal Web Server.
# Red and Green IPs are on the same subnet.
So, is anyone running a similar requirement who can provide an appropriate nginx.conf?

Any comments / help are welcome.
Thank you so much for your assistance!!

Regards,
Somchai

Hi,

welcome to the IPFire community. :slight_smile:

To rule out misunderstandings, where is the Nginx reverse proxy placed exactly in this setup? On IPFire as an add-on, or somewhere else?

They must not be; otherwise, your firewall can be short-circuited.

In general, I am getting the impression that placing the web server into a DMZ would make sense, so it is neither directly reachable from the internet, nor from internal networks - in both cases, connections will have to go through the firewall, where a strict firewall policy can be enforced as well as robust screening of the traffic by using the IPS.

Let me know if I misunderstood you. :slight_smile:

Thanks, and best regards,
Peter Müller

To rule out misunderstandings, where is the Nginx reverse proxy placed exactly in this setup? On IPFire as an add-on, or somewhere else?
Great to hear from you!

  • It’s on IPFire as an add-on. There are also firewalls between the IPFire as well. Example below.
    Internet public IP <-> FW <-> NAT as 192.168.22.22/24 Red <-> 192.168.22.24/24 Green <-> FW <-> Internal web server.
    So our internal FW allows port 443 traffic only from 192.168.22.24/24, and 192.168.22.22/24 is not allowed to access the internal network. And I checked the packets with tshark; it seems the packets go through the Red interface to the internal network directly. Could we configure the traffic to go through the Green interface before going to the internal network, please?

    I’m a newbie to IPFire and not an expert in network security :blush:

Best Regards,
Somchai
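The following nginx.conf is an added example for the setup Somchai describes; it is not from the thread and not IPFire's or nginx's own shipped configuration. It accepts HTTPS clients only on the Red0 address (192.168.22.22) and uses the nginx proxy_bind directive so that the connection towards the internal web server is opened from the Green0 address (192.168.22.24), which is the source the inner firewall permits on port 443. The internal server address (10.0.0.10), the certificate paths and the server name presented upstream are assumptions, not values from the thread.

```nginx
# Added example, not from the thread. IPs 192.168.22.22 (Red0) and
# 192.168.22.24 (Green0) are the ones posted; 10.0.0.10 and the TLS
# file paths are placeholders.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    upstream internal_web {
        server 10.0.0.10:443;            # placeholder: internal web server behind the inner FW
    }

    server {
        # Bind to the Red0 address only, so nginx never listens on Green0.
        listen 192.168.22.22:443 ssl;
        server_name www.test.co.th;

        ssl_certificate     /etc/nginx/ssl/test.co.th.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/ssl/test.co.th.key;   # placeholder path
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Source address of the upstream connection: the Green0 IP.
            # This is what lets the inner firewall's "443 from 192.168.22.24 only"
            # rule match instead of seeing the Red0 address.
            proxy_bind 192.168.22.24;

            proxy_pass https://internal_web;
            proxy_ssl_server_name on;
            proxy_ssl_name www.test.co.th;   # assumption: the internal server presents this name

            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

Two things to check after loading this. First, proxy_bind only sets the source IP of the outbound socket; the outgoing interface is still chosen by the routing table, and because Red0 and Green0 sit in one subnet the kernel may still emit the packets on Red0 with the Green0 source address. Capturing on green0 with tshark, as Somchai already did on Red, shows which path the packets actually take. Second, this does not remove the problem Peter raises: with both interfaces in the same subnet, hosts on that subnet can reach either address without passing the firewall, so a separate subnet (or a DMZ for the web server) is the change that restores the firewall's control over that traffic.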