notes/IT/Making nginx forward VPN and https traffic on tcp 443.md

52 lines
2.7 KiB
Markdown
Raw Normal View History

2024-05-19 15:41:53 +00:00
This file documents my troubleshooting methodology for configuring nginx to reverse proxy https traffic, and reverse proxy non https traffic on tcp/443.
2024-05-19 15:47:53 +00:00
## Context
2024-05-19 15:50:53 +00:00
I have an OpenVPN server set up on a Raspberry Pi (`192.168.0.2`) listening on TCP/443 so that it's able to function on most networks. There are enough clients configured that I do not want to remake the server, then update config files for all the clients, and so on.
2024-05-19 15:52:53 +00:00
I have a Debian VM running on `192.168.0.6` that runs an "nginx hub" that I'd like to proxy all web-ish traffic out of my network with. It's currently handling at least one http(s) service running from that same VM, and will probably handle more.
2024-05-19 15:47:53 +00:00
2024-05-19 15:54:54 +00:00
Given I only have one external IP, I want the ability to handle both OpenVPN traffic and https traffic on port TCP/443. I know it's possible to reverse proxy raw TCP traffic, and it's apparently possible to reverse proxy openvpn traffic through nginx.
2024-05-19 15:53:53 +00:00
2024-05-19 15:55:54 +00:00
## Troubleshooting
2024-05-19 15:47:53 +00:00
2024-05-19 15:43:53 +00:00
Right now, it appears that I can't do that with one IP because that would require two separate nginx components listening on the same port, or that's what I ascertained from the logs.
2024-05-19 15:44:53 +00:00
I modified `/etc/nginx/nginx.conf` to include this block underneath the `http` block:
```nginx
2024-05-19 15:46:53 +00:00
stream {
server {
listen 443;
proxy_pass 192.168.0.2:443;
}
}
2024-05-19 15:44:53 +00:00
```
2024-05-19 15:43:53 +00:00
2024-05-19 15:47:53 +00:00
When trying to start with that change applied, I got the error:
```
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
```
2024-05-19 15:41:53 +00:00
## IP Aliasing
2024-05-19 15:57:54 +00:00
Hoping in vain that nginx would somehow be able to request the provided IP from the DHCP server and listen to it with no other config, I modified the `listen` directive from `listen 443;` to `listen 192.168.0.8:443;`. This resulted in the below error:
```
nginx: [emerg] bind() to 192.168.0.8:443 failed (99: Cannot assign requested address)
```
2024-05-19 15:59:55 +00:00
I then googled a variety of things before determining that I'd configure the new IP in at an OS (and router?) level, then configure it in at an nginx level after.
2024-05-19 16:03:10 +00:00
Following <https://www.computernetworkingnotes.com/linux-tutorials/how-to-configure-multiple-ip-addresses-on-linux.html>, I ran:
```
sudo ip addr add 192.168.0.8/24 dev enX0
```
2024-05-19 16:04:10 +00:00
`192.168.0.8` is an unused IP outside of the DHCP pool range, and the command completed without errors.
```
arc@apollo-vm:/etc/nginx$ sudo ip addr show enX0
2: enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether b2:0e:72:85:fe:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.0.6/24 brd 192.168.0.255 scope global dynamic enX0
valid_lft 412sec preferred_lft 412sec
inet 192.168.0.8/24 scope global secondary enX0
valid_lft forever preferred_lft forever
inet6 fe80::b00e:72ff:fe85:fe8e/64 scope link
valid_lft forever preferred_lft forever
```