Nginx
Anton Klimenko, 2017-05-14 11:56:54

How to set up domain addressing in nginx to different local IP addresses depending on the domain being accessed?

Available:
At the Mikrotik input (external IP 1.1.1.1; local IP 192.168.0.1)
Web server NGINX (local IP 192.168.0.2)
srv1 (local IP 192.168.0.3)
srv2 (local IP 192.168.0.4)
and so on, depending on needs.
srv1 and srv2 are configured to receive certificates from LetsEncrypt.
The task is to set up a redirect from NGINX to srv1 or srv2, depending on the address of the call srv1.example.org or srv2.example.org.
So far, it has only been possible to configure redirection of all traffic from NGINX to srv1, as well as obtaining a certificate from LetsEncrypt and checking SSL on the NGINX side.
Settings:
On Mikrotik, connections are forwarded on 80 and 443 ports to local IP 192.168.0.2 (NGINX)
On NGINX:
server {
    listen 80;
    server_name example.org srv1.example.org srv2.example.org;
    # Lets encrypt
    location ^~ /.well-known/acme-challenge/ {
        alias /usr/local/www/acme/;
    }
    # Redirect other HTTP connections to HTTPS
    location / {
        return 301 https://srv1.example.org$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name srv1.example.org;
    ssl_certificate /usr/local/etc/ssl/acme/fullchain.pem;
    ssl_certificate_key /usr/local/etc/ssl/acme/private/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!kEDH';
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    location / {
        proxy_pass https://192.168.0.3/;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_pass_header Set-Cookie;
    }
}
With this setting, when accessing any of the domains, srv1 opens.
Please help.


3 answer(s)
ky0, 2017-05-14
@IsNoGood

What you need is not a redirect, but a proxy, something like this:

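server {
    listen 80;

    location / {
        # $host is the hostname the client asked for; $server_name is empty
        # here because this block sets no server_name
        return 301 https://$host$request_uri;
    }
}

server {
    # "ssl" makes nginx speak TLS on this port; the block also needs
    # ssl_certificate and ssl_certificate_key for srv1.example.org
    listen 443 ssl;
    server_name srv1.example.org;

    location / {
        proxy_pass https://192.168.0.3;
    }
}

server {
    # likewise needs ssl_certificate and ssl_certificate_key for srv2.example.org
    listen 443 ssl;
    server_name srv2.example.org;

    location / {
        proxy_pass https://192.168.0.4;
    }
}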

Everything is correct with LE, but again - the corresponding location will need to be added to all configs or moved to a separate one and added to the configs.

Anton Klimenko, 2017-05-14
@IsNoGood

As far as I understand, in the block
location / {
    return 301 https://srv1.example.org$request_uri;
}
it is necessary not to substitute the fixed address https://srv1.example.org, but to replace it with the address of the request, and below to specify
server {
    listen 443 ssl;
    server_name srv1.example.org;
    ...}
server {
    listen 443 ssl;
    server_name srv2.example.org;
    ...}
server {
    listen 443 ssl;
    server_name srv*.example.org;
    ...}
But I still don't understand how.

Dmitry MiksIr, 2017-05-14
@miksir

1. Terminate SSL at 192.168.0.2 and then proxy to 0.3 and 0.4, as indicated in ky0's answer (depending on the application)
1.2 - proxy via https; the downside is the overhead of establishing an additional TLS connection, which may not be critical
2. Proxy before reaching the L7 level using SNI for routing. nginx does not know how to do this, you can use haproxy https://www.haproxy.com/blog/enhanced-ssl-load-bal...
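
Option 2 from the answer above, written out as an HAProxy configuration. This is an added example, not taken from the answer or from the linked article. It assumes HAProxy listens on ports 80 and 443 at 192.168.0.2 in place of nginx; the frontend and backend names are made up, and the addresses are the ones given in the question.

```haproxy
defaults
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Port 443: route on the SNI name in the TLS ClientHello. Nothing is decrypted
# here, so srv1 and srv2 keep their own Let's Encrypt certificates and keys.
frontend tls_in
    bind :443
    mode tcp
    # Wait (up to 5s) until a ClientHello has arrived before choosing a backend
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend srv1_tls if { req.ssl_sni -i srv1.example.org }
    use_backend srv2_tls if { req.ssl_sni -i srv2.example.org }
    # No default_backend: a connection whose SNI matches neither name
    # is not forwarded to any server.

backend srv1_tls
    mode tcp
    server srv1 192.168.0.3:443

backend srv2_tls
    mode tcp
    server srv2 192.168.0.4:443

# Port 80: route on the Host header, so each server answers its own
# ACME HTTP-01 challenge and issues its own redirect to HTTPS.
frontend http_in
    bind :80
    mode http
    use_backend srv1_http if { hdr(host) -i srv1.example.org }
    use_backend srv2_http if { hdr(host) -i srv2.example.org }
    # Requests for any other Host are not forwarded (HAProxy answers 503).

backend srv1_http
    mode http
    server srv1 192.168.0.3:80

backend srv2_http
    mode http
    server srv2 192.168.0.4:80
```

Because TLS passes through undecrypted on port 443, srv1 and srv2 see 192.168.0.2 as the client address there, and no X-Forwarded-For header can be added.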
