I need to implement a reverse web proxy.
This is normally done with nginx forwarding requests to configured backends.
My current (working) architecture has:
- IPFire forwards all web packets (80 and 443) to a server on ORANGE.
- Web server on ORANGE uses nginx to implement several virtual servers.
- SSL is handled with letsencrypt/certbot directly on the Web server.
I need to change things in two respects:
- I need to split virtual servers onto several machines (and/or different containers, which is logically equivalent); this is doable without architectural changes, just by implementing an nginx reverse proxy directly on the Web server and forwarding requests where needed… if the Web server can reach the backend.
- Expose a couple of “sites” residing on a NAS in GREEN (essentially the NAS web interface and Webmail, both over non-standard ports); AFAIK this cannot be done by changing the Web server configuration because it cannot access the NAS (or anything else) on GREEN.
To further complicate matters there’s the issue of certbot requiring access via standard ports for certificate renewal.
What is “best practice” to handle this use case?
My guess would be to move the reverse proxy to IPFire and let it do all the frontend stuff, including SSL and certificate renewal, and forward requests (possibly unencrypted) directly to the backend handler, but I’m unsure if this is supported.
Any hint welcome.
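An added example (not from the original post) of the split the question describes: one nginx front end terminates TLS, serves the HTTP-01 challenge from a webroot so certbot can keep renewing on port 80, and proxies each name to its own backend, including one on a non-standard port. Host names, backend addresses/ports and the webroot path are assumed placeholders; the front-end host must be able to reach both backends.

```nginx
# Added example, not from the original post. Assumed placeholders:
# www.example.net / nas.example.net, backend addresses and ports, and
# /var/www/acme as the directory passed to certbot --webroot.

# Port 80: answer HTTP-01 challenges locally so renewal keeps working,
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name www.example.net nas.example.net;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;   # certbot certonly --webroot -w /var/www/acme -d ...
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS terminates here; each name is proxied to its own backend.
# Backend traffic is plaintext, so allow the backend ports only from this host.
server {
    listen 443 ssl;
    server_name www.example.net;
    ssl_certificate     /etc/letsencrypt/live/www.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.net/privkey.pem;
    location / {
        proxy_pass http://10.0.0.10:8080;   # assumed web backend on ORANGE
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name nas.example.net;
    ssl_certificate     /etc/letsencrypt/live/nas.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.net/privkey.pem;
    location / {
        proxy_pass http://192.168.1.20:5000;   # assumed NAS UI, non-standard port, on GREEN
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NAS web interfaces commonly use WebSockets; pass the upgrade through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The same file works whether the front end is the existing Web server or a box with a leg in both ORANGE and GREEN; only the host running it needs firewall rules to the backend ports.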