I try to use nginx as a reverse SSL proxy as described in the IPFire Wiki (cf. https://wiki.ipfire.org/nginx) - but it is not working at all. It seems to be that the Wiki example is outdated as it is still recommending the (deprecated) directive “ssl on”.
The command nginx -t tells me that the syntax of my nginx.conf is ok and I am able to start nginx with the message ok.
Hm… Nobody able to answer? Or is it a stupid question? I wonder what might be the reason why nobody wants to give any hint… Ok, I have not specified a lot of things (as config-files etc.), but the question is whether the wiki article should go as described or not (and maybe, how it should work instead)… Pls, somebody any idea? Thanks a lot! Markus
I can verify that ports 80 and 443 from nginx at the ipfire-router are “open” and I am able to connect to 443 (for example via telnet) from the green zone, but I can’t connect to port 443 from the outside (that is to say: from the internet to the server in the orange zone or DMZ).
When scanning with nmap from the green zone or the internet whether the ports of the server are open or not, I always get 443 closed (even if the ipfire shows with “nmap localhost” that it is still open).
There seems to be one instance that causes the “closed” of 443, but I cannot figure out which instance it is.
With the webinterface of the ipfire-router, I created new firewall-rules that permit tcp access to destination port 80 and 443 on the ipfire (red interface) from any network - but port 443 remains closed from outside.
Maybe the problem is that I try a portforwarding from the red to the orange zone? Or in other words: Isn’t it possible to access via a nginx reverse proxy on the ipfire a server connected to the orange zone / DMZ?
Those are my actual questions… but I still have no answer.
If you have a regular web service, not configured as a reverse proxy just a web server, can you access port 443? I have an apache server in the orange zone and no problem accessing it from the wan interface with the port forward activated in the firewall. I would check if you can see that in your system. If it works, then you can exclude a wrong configuration of the firewall and focus on the reverse proxy configuration.
I have finally managed to get it to work, but not with Nginx on IPFire. I installed a Nginx server on a new Raspberry Pi 4 and found a solution using the “upstream” directive. This is what finally worked: you can choose any internal IP for the “upstream” directive. The major problem was to understand that the SSL certificates have to be installed only on the Nginx server (i.e. the Raspberry Pi 4), and this was (using Certbot) pretty easy. But I had to find that out… so I needed a lot of time to get it running. And I wonder why there are no more descriptions: There should be a lot of people with the problem of just having one IP with the need to use several servers… And I learned years ago that it is not really a very good idea to use virtual servers with different operating systems in a production situation, because the problem of one server will probably be the problem of all the others too… So for my purpose it is better to use dedicated servers, and of course, those that spend less energy (not mentioning that we use 100% green energy at home).
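For readers landing on this thread: the first post complains about the deprecated “ssl on” directive in the wiki example, and the last post describes the working layout (an “upstream” pointing at an internal IP, TLS certificate only on the proxy host). The following nginx configuration is an added example of that layout and is not the poster's actual config nor the IPFire wiki's. The hostname proxy.example.com, the backend address 192.0.2.10 (standing in for a server in the orange zone / DMZ) and the Certbot certificate paths are placeholders.

```nginx
# Added example, not the poster's configuration.
# Placeholders: proxy.example.com, backend 192.0.2.10 (orange zone / DMZ),
# Certbot certificate paths under /etc/letsencrypt/live/proxy.example.com/.

# Backend in the DMZ. nginx talks plain HTTP to it; the TLS certificate
# lives only on the proxy host, as the last post points out.
upstream dmz_web {
    server 192.0.2.10:80;
}

# Plain HTTP: redirect to HTTPS. Keep port 80 reachable so that
# Certbot's HTTP-01 challenge can renew the certificate.
server {
    listen 80;
    server_name proxy.example.com;
    return 301 https://$host$request_uri;
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name proxy.example.com;

    ssl_certificate     /etc/letsencrypt/live/proxy.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxy.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://dmz_web;
        # Forward the original host and client address so the backend
        # logs the real client and builds correct absolute URLs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

As the first post notes, “nginx -t” only checks the syntax of the file; after it reports “ok”, reload nginx and test port 443 separately from the green zone and from the internet, because a syntactically valid config says nothing about whether the firewall lets the traffic through. Since the proxy-to-backend hop is unencrypted, the backend should only be reachable from the proxy inside the DMZ, not directly from the red interface.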