3.1 KiB
This file documents my troubleshooting methodology for configuring nginx to reverse proxy https traffic, and reverse proxy non https traffic on tcp/443.
Context
I have an OpenVPN server set up on a Raspberry Pi (192.168.0.2) listening on TCP/443 so that it's able to function on most networks. There are enough clients configured that I do not want to remake the server, then update config files for all the clients, and so on.
I have a Debian VM running on 192.168.0.6 that runs an "nginx hub" that I'd like to proxy all web-ish traffic out of my network with. It's currently handling at least one http(s) service running from that same VM, and will probably handle more.
Given I only have one external IP, I want the ability to handle both OpenVPN traffic and https traffic on port TCP/443. I know it's possible to reverse proxy raw TCP traffic, and it's apparently possible to reverse proxy openvpn traffic through nginx.
Troubleshooting
Right now, it appears that I can't do that with one IP because that would require two separate nginx components listening on the same port, or that's what I ascertained from the logs.
I modified /etc/nginx/nginx.conf to include this block underneath the http block:
stream {
server {
listen 443;
proxy_pass 192.168.0.2:443;
}
}
When trying to start with that change applied, I got the error:
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address already in use)
IP Aliasing
Hoping in vain that nginx would somehow be able to request the provided IP from the DHCP server and listen to it with no other config, I modified the listen directive from listen 443; to listen 192.168.0.8:443;. This resulted in the below error:
nginx: [emerg] bind() to 192.168.0.8:443 failed (99: Cannot assign requested address)
I then googled a variety of things before determining that I'd configure the new IP in at an OS (and router?) level, then configure it in at an nginx level after.
Following https://www.computernetworkingnotes.com/linux-tutorials/how-to-configure-multiple-ip-addresses-on-linux.html, I ran:
sudo ip addr add 192.168.0.8/24 dev enX0
192.168.0.8 is an unused IP outside of the DHCP pool range, and the command completed without errors.
When I ran sudo ip adder show enx0, I got the below output, seeming to imply that it worked without issue. When I ping the new IP from a different device, it works without error.
arc@apollo-vm:/etc/nginx$ sudo ip addr show enX0
2: enX0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether b2:0e:72:85:fe:8e brd ff:ff:ff:ff:ff:ff
inet 192.168.0.6/24 brd 192.168.0.255 scope global dynamic enX0
valid_lft 412sec preferred_lft 412sec
inet 192.168.0.8/24 scope global secondary enX0
valid_lft forever preferred_lft forever
inet6 fe80::b00e:72ff:fe85:fe8e/64 scope link
valid_lft forever preferred_lft forever
The server now starts without issue.
After going through that headache, I now believe that we're back to square 1, and we have 2 IPs that both need to listen externally on 443.
Outcome
I ended up spinning up a new openvpn server on TCP/3389 for RDP