
Ssl passthrough hosts - updated

Open acul009 opened this issue 1 year ago • 5 comments

Hi,

This PR updates the original Request: SSL passthrough hosts #1479

My use case is passing data to hosts which can handle certificate requests for themselves. In those cases I'd use the http proxy to only forward the requests to /.well-known/acme-challenge.

Additional traffic then has to arrive over TLS to work. This makes reusing Port 443 for multiple services a breeze.

@chaptergy If you have some time, I'd really appreciate if you could check that I didn't botch any of your work :)

This would resolve Ticket #853 and allow for more secure data handling inside local networks.

acul009 avatar Nov 17 '23 15:11 acul009

Docker Image for build 2 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-3331

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

I'd like to test the feature. I did pull the image 3331, the stack is starting without problems, but within NPM - SSL P Hosts there is a message "SSL Passthrough Hosts are not enabled in the environment. Please see the docs for more information." Could you please provide some information on how to enable SSL P in the environment?

cj0duke avatar Jan 09 '24 03:01 cj0duke

Right, the documentation is only contained in the branch, so you wouldn't see that normally.

The corresponding Environment Variable is: ENABLE_SSL_PASSTHROUGH

Just set that to true and the new option can be found in the webinterface.

acul009 avatar Jan 09 '24 09:01 acul009

> Just set that to true and the new option can be found in the webinterface.

Thank you for the quick update. It works.

Unfortunately when accessing a passthrough host, firefox is returning "SSL_ERROR_UNRECOGNIZED_NAME_ALERT". Which point am I missing?

(Maybe I need a coffee or two)

cj0duke avatar Jan 09 '24 12:01 cj0duke

Can you describe your configuration a bit?

You might already know this, but I'll describe how this works a bit so we're on the same page. It's hard to know how much the person on the other end of the line knows on the internet ;)

This is only an SSL/TLS passthrough which uses the SNI from the TLS protocol to route the raw traffic. Your error sounds like a problem with the host's certificate. It's important that the connection with your given address (test.example.com) would work if you just route the whole port through.

So you can't just add test2.example.com as a passthrough if your target system doesn't have the required certificate.

If that helped, great. In case you already know all that you'll have to share a bit more information to find the cause :)

acul009 avatar Jan 16 '24 10:01 acul009

Docker Image for build 5 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-3331

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

> If that helped, great. In case you already know all that you'll have to share a bit more information to find the cause :)

I tried it once again, with fresh docker images, but same result.

Setup as follows: vm with working ssl cert serving with apache (private network, no NAT, no public access) bind running (separate) to serve domain

Did the following steps:

  • bind entry pointing to vm
  • changed entry to point to npm
  • setup npm for passthrough (see pic)

Still getting the firefox error of "SSL_ERROR_UNRECOGNIZED_NAME_ALERT"

cj0duke avatar Feb 09 '24 23:02 cj0duke

Unfortunately it seems like this won't be merged anytime soon, even if I updated it.

In case anyone direly needs a solution for TLS forwarding, I created another project (WIP):

https://github.com/Rahn-IT/traefik-gui.git

acul009 avatar May 29 '24 23:05 acul009