Web reverse proxy

I need to implement a reverse web proxy.
This is normally done with nginx forwarding requests to configured backends.

My current (working) architecture has:

  • IPFire forwards all web packets (80 and 443) to a server on ORANGE.
  • The web server on ORANGE uses nginx to implement several virtual servers.
  • SSL is handled with letsencrypt/certbot directly on the web server.

I need to change things in two respects:

  1. I need to split the virtual servers onto several machines (and/or different containers, which is logically equivalent); this is doable without architectural changes, just by implementing an nginx reverse proxy directly on the web server and forwarding requests where needed… if the web server can reach the backend.
  2. Expose a couple of “sites” residing on a NAS in GREEN (essentially the NAS web interface and Webmail, both over non-standard ports); AFAIK this cannot be done by changing the web server configuration because it cannot access the NAS (or anything else) on GREEN.

To further complicate matters, there’s an issue with certbot requiring access via the standard ports for certificate renewal.

What is “best practice” to handle this use case?

My guess would be to move the reverse proxy to IPFire and let it do all the frontend stuff, including SSL and certificate renewal, and forward requests (possibly unencrypted) directly to the backend handler, but I’m unsure if this is supported.

Any hint welcome.

Is there none who can help me?

I think nginx is available as a plugin.
You can run it on a server and reverse proxy from there.
There is a group of people, LSIO
"Linux server I O". They have a bunch of Docker images.
One is called SWAG. That is what I would use.
You will need port forwards to your Nginx server.

I am having a look at LinuxServer.io (I don’t normally use Docker, but… :wink: )

I am also aware nginx is available as an IPFire plugin and I have two questions there:

  1. is it “safe” to run it on the firewall?
  2. is there any GUI interface or do I have to manually edit the relevant config files?

Thanks in advance

No GUI that I know of.
There are multiple addons in IPFire:
dehydrated is a client for signing certificates with a Let’s Encrypt server
HAProxy - TCP/HTTP load balancer
nginx is an HTTP and reverse proxy server, as well as a mail proxy server
The LSIO SWAG server is designed for easy setup of a docker network reverse proxy.
I would not see why it would not work for other servers.
I am by no means an Nginx expert. Somewhere less than a Noob.
https://www.linuxserver.io/

Late answer, sorry, but:

I do run nginx as a reverse proxy on some firewalls. It can be configured in the normal nginx way but there is no GUI. I run it as both a hostname-to-internal-host-ip proxy, and clustered with one address round-robin-proxying to several hosts (clustering) on the same config. I proxy to both ORANGE and GREEN and I think I even proxied to some VPN remote network as a test.

It works fine, although generally it is much frowned upon to run software on your router. You could of course run nginx on a dedicated virtual machine, or so, instead. Proxying to different networks can be done with DMZ pinholes.


…and yes, I run certbot on those IPFire/nginx machines. For locally running services you don’t port forward by the way (no NAT), you just open up ports directly on RED (Destination/Firewall/RED).
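To make the setup described in the last two replies concrete, here is an added example nginx configuration for the IPFire-hosted proxy (not the poster's own config, and not shipped with the addon): one plain-HTTP server that serves certbot's webroot challenge and redirects everything else to HTTPS, a round-robin upstream for the split virtual servers on ORANGE, and a TLS frontend for the NAS web interface on GREEN. Hostnames, backend addresses, ports and the per-host certificate paths are placeholders; the GREEN backend is reachable because nginx runs on the firewall itself, so no DMZ pinhole is involved for that one.

```nginx
# Added example, not the poster's config. All names/addresses are placeholders.

# Port 80: certbot HTTP-01 challenge (certbot --webroot -w /var/www/acme ...),
# everything else is bounced to HTTPS so backends never see plaintext from RED.
server {
    listen 80;
    server_name www.example.org nas.example.org mail.example.org;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}

# Round-robin pool for the virtual servers split across ORANGE hosts/containers
upstream www_pool {
    server 192.168.2.10:8080;   # placeholder ORANGE backend
    server 192.168.2.11:8080;   # placeholder ORANGE backend
}

server {
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate     /etc/letsencrypt/live/www.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.org/privkey.pem;
    location / {
        proxy_pass http://www_pool;          # TLS terminated here; plain HTTP to ORANGE
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # lets backends build correct URLs
    }
}

# NAS web interface on GREEN, served on a non-standard port behind a normal hostname
server {
    listen 443 ssl;
    server_name nas.example.org;
    ssl_certificate     /etc/letsencrypt/live/nas.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nas.example.org/privkey.pem;
    location / {
        proxy_pass https://192.168.1.20:5001;   # placeholder GREEN NAS address and port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout only ports 80 and 443 need to be opened on RED for the firewall itself, as the reply above notes, and certbot renews the certificates locally through the port-80 webroot location.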