how to verify nginx SSL that is forwarding to another nginx that also needs verifying (jitsi)

喜你入骨 submitted on 2021-02-11 13:58:41

Question


I am trying to have a subdomain go to a Jitsi Video Chat service on a VM I'm running on my local homelab by way of an nginx reverse proxy.

Currently this is how I'm trying to achieve this:

I have my subdomain CNAME'd and pointed to a dynamic DNS address provided by NetGear. It sends traffic to my router which has ports 80, 443, and 81 forwarding to my nginx reverse proxy VM. I want the nginx reverse proxy VM to forward to the Jitsi VM (which is also running nginx).

I'm doing a simple proxy_pass right now in hopes of getting the LetsEncrypt certificate working:

server {
        listen 80;
        server_name meet.example.com;
        location / {
                proxy_pass       http://192.168.1.33;
        }
}

The site is symlinked into sites-enabled on the reverse proxy VM's nginx.

Right now, it sends me to an nginx "Welcome to nginx" page, although I can't tell if it's the Reverse Proxy nginx or the Jitsi nginx (I suspect it's the Jitsi). But LetsEncrypt can't see/validate the certificate.

So I have a feeling I'm doing more than one thing wrong. I've been reading endlessly for days but I haven't leveled up enough in this field to see the error of my ways. Anyone know what I can do to make this setup work?

Also, if the certificate is being validated on the Jitsi machine, how does the reverse proxy nginx forward 443 to the Jitsi machine? Do both machines need certificates? Just the Jitsi VM? Just the Reverse Proxy VM? This next code block is what I had been planning to do once the certificate was working, but I have a feeling I'm doing it incorrectly. I tested it and nginx isn't happy if I try to send 443 without a signed certificate set up. It just gives me errors in the browser about being unsigned and super dangerous.

server {
    listen 80;
    server_name example.com www.example.com;
    include snippets/letsencrypt.conf;
    return 301 https://$host$request_uri;
}

server {
    listen 80;
    server_name meet.example.com;
    #include snippets/letsencrypt.conf;
    #return 301 https://meet.example.com;
    location / {
        proxy_pass http://192.168.1.33; # Jitsi server w/ nginx
        #proxy_set_header X-Forwarded-For $remote_addr;
        #proxy_set_header Host $http_host;
    }

}

server {
    listen 443 ssl http2;

    server_name www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    return 301 https://example.com$request_uri;
}


server {
    listen 443 ssl http2;

    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    location / {
        proxy_pass  https://192.168.1.43:443; # this goes someplace else
    }
}

server {
    listen 443;
    server_name meet.example.com;

    location / {
        proxy_pass       https://192.168.1.33; # Jitsi server w/ nginx
    }
}

tl;dr - I want to set up an nginx reverse proxy VM that will send a user from an HTTPS subdomain link to a different VM running Jitsi and nginx. Jitsi requires a signed certificate to work.

I appreciate any and all help!

EDIT: Here is a readout from the logs on the Jitsi nginx server. Looks like some traffic is getting through.

myuser@reverse-proxy:/etc/nginx/sites-available$ tail /var/log/nginx/error.log
2020/04/13 06:47:07 [error] 1832#1832: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: meet.example.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.33:443/favicon.ico", host: "meet.example.com"
2020/04/13 06:47:21 [error] 1832#1832: *22 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: meet.example.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.33:443/", host: "meet.example.com"
2020/04/13 06:47:21 [error] 1832#1832: *22 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: meet.example.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.33:443/favicon.ico", host: "meet.example.com", referrer: "https://meet.example.com/"
2020/04/13 07:01:41 [error] 1921#1921: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: meet.example.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.33:443/", host: "meet.example.com"
2020/04/13 07:01:41 [error] 1921#1921: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: meet.example.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.33:443/favicon.ico", host: "meet.example.com"
2020/04/13 07:15:45 [error] 1921#1921: *47 upstream prematurely closed connection while reading response header from upstream, client: 111.111.111.111, server: meet.example.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.33:443/", host: "meet.example.com"
2020/04/13 07:15:51 [error] 1921#1921: *47 upstream prematurely closed connection while reading response header from upstream, client: 111.111.111.111, server: meet.example.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.33:443/", host: "meet.example.com"
2020/04/13 07:15:55 [error] 1921#1921: *47 upstream prematurely closed connection while reading response header from upstream, client: 111.111.111.111, server: meet.example.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.33:443/", host: "meet.example.com"
2020/04/13 07:17:05 [error] 1967#1967: *7 upstream prematurely closed connection while reading response header from upstream, client: 111.111.111.111, server: meet.example.com, request: "GET / HTTP/2.0", upstream: "https://192.168.1.33:443/", host: "meet.example.com"
2020/04/13 07:17:05 [error] 1967#1967: *7 upstream prematurely closed connection while reading response header from upstream, client: 111.111.111.111, server: meet.example.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.1.33:443/favicon.ico", host: "meet.example.com", referrer: "https://meet.example.com/"

myuser@reverse-proxy:/etc/nginx/sites-available$ tail /var/log/nginx/error.log.1
2020/04/13 06:05:30 [error] 1332#1332: *26 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: =, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.33:80/favicon.ico", host: "meet.example.com", referrer: "http://meet.example.com/"
2020/04/13 06:05:32 [error] 1332#1332: *26 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: =, request: "GET / HTTP/1.1", upstream: "http://192.168.1.33:80/", host: "meet.example.com"
2020/04/13 06:05:32 [error] 1332#1332: *26 connect() failed (111: Connection refused) while connecting to upstream, client: 111.111.111.111, server: =, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.33:80/favicon.ico", host: "meet.example.com", referrer: "http://meet.example.com/"
2020/04/13 06:18:24 [emerg] 1371#1371: invalid parameter "udp" in /etc/nginx/sites-enabled/example.com:103
2020/04/13 06:18:37 [emerg] 1373#1373: invalid parameter "udp" in /etc/nginx/sites-enabled/example.com:103
2020/04/13 06:20:08 [emerg] 1377#1377: "stream" directive is not allowed here in /etc/nginx/sites-enabled/example.com:102
2020/04/13 06:20:40 [emerg] 1381#1381: invalid parameter "udp" in /etc/nginx/sites-enabled/example.com:103
2020/04/13 06:22:33 [emerg] 1387#1387: "stream" directive is not allowed here in /etc/nginx/sites-enabled/example.com:102
2020/04/13 06:23:35 [emerg] 1393#1393: "http" directive is not allowed here in /etc/nginx/sites-enabled/example.com:1
2020/04/13 06:24:57 [warn] 1397#1397: conflicting server name "=" on 0.0.0.0:80, ignored

myuser@reverse-proxy:/etc/nginx/sites-available$ tail /var/log/nginx/access.log
111.111.111.111 - - [13/Apr/2020:18:31:01 +0000] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
111.111.111.111 - - [13/Apr/2020:18:31:01 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
111.111.111.111 - - [13/Apr/2020:18:32:31 +0000] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
111.111.111.111 - - [13/Apr/2020:18:32:31 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
162.243.133.219 - - [13/Apr/2020:18:40:58 +0000] "GET /manager/html HTTP/1.1" 404 152 "-" "Mozilla/5.0 zgrab/0.x"
111.111.111.111 - - [13/Apr/2020:19:07:15 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
111.111.111.111 - - [13/Apr/2020:19:07:27 +0000] "GET /test HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
111.111.111.111 - - [13/Apr/2020:19:07:43 +0000] "GET /test HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
111.111.111.111 - - [13/Apr/2020:19:07:44 +0000] "GET /test HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:75.0) Gecko/20100101 Firefox/75.0"
138.197.222.62 - - [13/Apr/2020:19:20:53 +0000] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.2171.71 Safari/537.36"

myuser@reverse-proxy:/etc/nginx/sites-available$ tail /var/log/nginx/access.log.1
111.111.111.111 - - [13/Apr/2020:06:03:11 +0000] "GET /gen_204?atyp=i&ct=webfont_timing&cad=@2sec,1.[REMOVED] HTTP/1.1" 204 0 "http://meet.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:03:22 +0000] "GET / HTTP/2.0" 502 584 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:03:22 +0000] "POST /gen_204?oq=&gs_lcp=[REMOVED] HTTP/1.1" 204 0 "http://meet.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:03:22 +0000] "POST /gen_204?atyp=csi&ei=nACUXrSZI8mX-gSlkJ_YDw&s=jsa&jsi=s,et.focus,n.iDPoPb,cn.2&zx=1586757802796 HTTP/1.1" 204 0 "http://meet.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:03:22 +0000] "GET /favicon.ico HTTP/2.0" 502 584 "https://meet.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:05:30 +0000] "GET / HTTP/1.1" 502 584 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:05:30 +0000] "GET /favicon.ico HTTP/1.1" 502 584 "http://meet.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:05:32 +0000] "GET / HTTP/1.1" 502 584 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
111.111.111.111 - - [13/Apr/2020:06:05:32 +0000] "GET /favicon.ico HTTP/1.1" 502 584 "http://meet.example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
51.254.59.113 - - [13/Apr/2020:06:05:34 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
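
The TLS layout the question is asking about, as an added example that is not part of the original post: the reverse proxy holds the public certificate for meet.example.com and terminates HTTPS, then re-encrypts to the Jitsi VM and verifies that VM's certificate instead of relying on nginx's default of not checking the upstream at all. It assumes the proxy's Let's Encrypt files live under /etc/letsencrypt/live/meet.example.com/, the ACME webroot is /var/www/letsencrypt, the CA bundle is the Debian/Ubuntu one at /etc/ssl/certs/ca-certificates.crt, and the Jitsi VM at 192.168.1.33 (the address from the post) presents a publicly trusted certificate for meet.example.com.

```nginx
# Added example, not from the post. Assumed paths: certificate files under
# /etc/letsencrypt/live/meet.example.com/ and ACME webroot /var/www/letsencrypt.

# Port 80: serve HTTP-01 challenges from this VM so certbot can validate the
# subdomain here; everything else is redirected to HTTPS.
server {
    listen 80;
    server_name meet.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS from the browser ends here, with this VM's own certificate.
# Without "ssl" on the listen line nginx would speak plaintext HTTP on 443.
server {
    listen 443 ssl http2;
    server_name meet.example.com;

    ssl_certificate     /etc/letsencrypt/live/meet.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/meet.example.com/privkey.pem;

    location / {
        proxy_pass https://192.168.1.33:443;

        # Verify the Jitsi VM's certificate. The nginx default is
        # proxy_ssl_verify off, which accepts any certificate the upstream sends.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                meet.example.com;

        # Preserve the original host and client address for the upstream's
        # own virtual-host matching and logging.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Jitsi Meet can use XMPP over WebSocket; allow the Upgrade handshake.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because port 80 for meet.example.com reaches the proxy first, the HTTP-01 challenge is answered there; a certificate for the same name on the Jitsi VM has to be issued another way (for example DNS-01) or copied over from the proxy. Check the result with `nginx -t` before reloading, since a missing certificate file or a mismatched proxy_ssl_name fails at that step rather than in the browser.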

Source: https://stackoverflow.com/questions/61194598/how-to-verify-nginx-ssl-that-is-forwarding-to-another-nginx-that-also-needs-veri
