Tag: proxy

I have an IoT device system behind a NAT, so they are not accessible from the public Internet (although it is desirable).
To overcome this, I tied them to a VPN, with a member exposed to the public Internet to act as a gateway.
The VPN has an internal domain configured, and each member of the network has a subdomain based on a unique ID (we go with the MAC address), like this: 12a4f81ead4e.vpn.example.com

I want to create a reverse proxy in the Gatway to proxy requests, running nginx.

The plan is to create a DNS record for the gateway, *.gateway.com, and the route traffic (ahem, proxy) that goes to / from 12a4f81ead4e.gateway.com to 12a4f81ead4e.vpn.example.com. And then the end user would only need to write 12a4f81ead4e.gateway.com in your browser to access your device.
I would like to use nginx, since the gateway is already running nginx for other purposes.

I hope HTTP requests are easy and can be done with a carefully designed nginx proxy_pass directive.

But what about HTTPS requests? As I understand it, nginx now implements the SNI-based TLS handover, but all the examples I've seen so far create a static map to … map the incoming SNI well to an upstream target:

stream {
  map $ssl_preread_server_name $selected_upstream {
    example.org upstream_1;
    example.net upstream_2;
    example.com upstream_3;
    default upstream_4;
  }
  upstream upstream_1 { server 10.0.0.1:443; }
  upstream upstream_2 { server 10.0.0.2:443; }
  upstream upstream_3 { server 10.0.0.3:443; }
  upstream upstream_4 { server 10.0.0.4:443; }
  server {
    listen 10.0.0.5:443;
    proxy_pass $selected_upstream;
    ssl_preread on;
  }
}

The problem is that the devices are dynamically added / removed from the VPN, and I don't want to rewrite the nginx configuration files all the time. If it is possible to read the map of a file, that is a step in the right direction, although I think that nginx would need to be reloaded every time it changes, which raises permission issues, which could be avoided with sudo rules, of course, but not best solution.

Also, I just want the proxy requests to reach *.gateway.com, and the server other https requests normally to existing vhosts. If possible, I would like to avoid terminating the SSL connection. It is not really a difficult requirement, but I would like to implement it that way if it were technically feasible. Also just for the kicks.

I'm fine listening internally on an alternate port for the other vhosts, I did something similar for HTTP when I wanted to establish a "global" location, moved all HTTP vhosts to port 81 and implemented a global vhost on port 80 that served the location " global ", and proxy everything else to port 81. 🙂

So … What I would need is something like this (obviously it doesn't work):

stream {
  map $ssl_preread_server_name $selected_upstream {
    (.*).gateway.com $1.vpn.example.com;
    default normal_serve;
  }

  upstream normal_serve { server 127.0.0.1:8443; }

  server {
    listen 0.0.0.0:443;
    proxy_pass $selected_upstream;
    ssl_preread on;
  }

  server {
    listen 127.0.0.1:8443;
    server_name other.website.com;

    (...)
  }
}