Here comes a probably strange question that is probably also wrongly asked.

I have the following network structure/plan...:

[Network diagram (image not available in this copy); see the description below]

The idea is that someone who is responsible/authorized for network 1 and domain1.com has their own Rev. Proxy that they manage and take care of SSL certificates. The same applies to network 2.

The question is, is this even possible? Unfortunately, I'm not very familiar with SSL and proxies. I suspect that the Rev. Proxy that holds the SSL certificates must form the frontend? If that's the case, it probably wouldn't work anyway. Then the question is whether there is another way? A kind of NAT based on http/https? Sounds a bit off... But I think the idea is clear.

If it were basically possible, then the question would be whether the order HaProxy->Nginx is the right one? And whether anyone can give me a tip or link on how to configure the frontend proxy correctly.

Thank you very much for your answers.

Update: For those who have something similar in mind, the now working haproxy config (with working Let's Encrypt):

    # Automaticaly generated, dont edit manually.
    # Generated on: 2024-10-08 21:51
    global
        maxconn                     1000
        stats socket /tmp/haproxy.socket level admin expose-fd listeners
        uid                         80
        gid                         80
        nbthread                    1
        hard-stop-after             15m
        chroot                      /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param   2048
        log-send-hostname           HaproxyMasterNode
        server-state-file           /tmp/haproxy_server_state

    frontend Front-https
        bind                        xxx.xxx.xxx.xxx:443 name xxx.xxx.xxx.xxx:443
        mode                        tcp
        log                         global
        timeout client              30000
        tcp-request inspect-delay   5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        acl domain1                 req_ssl_sni -m end domain1.de
        acl domain2                 req_ssl_sni -m end domain2.de
        use_backend domain1-https_ipvANY if domain1
        use_backend domain2-https_ipvANY if domain2

    frontend Front-http
        bind                        xxx.xxx.xxx.xxx:80 name xxx.xxx.xxx.xxx:80
        mode                        http
        log                         global
        option                      http-keep-alive
        timeout client              30000
        acl domain1                 hdr(host) -m end domain1.de
        acl domain2                 hdr(host) -m end domain2.de
        use_backend domain1-http_ipvANY if domain1
        use_backend domain2-http_ipvANY if domain2

    backend domain1-https_ipvANY
        mode                        tcp
        id                          101
        log                         global
        timeout connect             30000
        timeout server              30000
        retries                     3
        load-server-state-from-file global
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello             req_ssl_hello_type 1
        acl serverhello             rep_ssl_hello_type 2
        tcp-request inspect-delay   5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello
        server ProxyMan 172.28.200.255:8443 id 102 check inter 1000

    backend domain2-https_ipvANY
        mode                        tcp
        id                          100
        log                         global
        timeout connect             30000
        timeout server              30000
        retries                     3
        load-server-state-from-file global
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello             req_ssl_hello_type 1
        acl serverhello             rep_ssl_hello_type 2
        tcp-request inspect-delay   5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello
        server ProxyMan 192.168.7.1:8443 id 102 check inter 1000

    backend domain1-http_ipvANY
        mode                        http
        id                          103
        log                         global
        timeout connect             30000
        timeout server              30000
        retries                     3
        load-server-state-from-file global
        server ProxyMan 172.28.200.255:8080 id 104 check inter 1000

    backend domain2-http_ipvANY
        mode                        http
        id                          105
        log                         global
        timeout connect             30000
        timeout server              30000
        retries                     3
        load-server-state-from-file global
        server ProxyMan 192.168.7.1:8080 id 106 check inter 1000
  • Please upload and embed your diagram within Server Fault to ensure it stays available and accessible instead of linking to external images that will eventually become inaccessible, leading to missing context in the question. Commented Oct 7, 2024 at 6:42
  • I don't see where your interfacing and split conflict is. You have two networks with two domains. So why not have two separate reverse proxies for the two separate domains with two separate SSL certificates? Commented Oct 7, 2024 at 6:45
  • @Kissaki Thanks for your feedback, I wanted to include the image but was not allowed to do so by serverfault (the link is also from serverfault): You're not allowed to embed images in your posts yet, so we've included a link instead. As soon as you earn 10 reputation on the site, you'll be able to embed images. Commented Oct 7, 2024 at 7:42

1 Answer

It is possible to have certificates for the same domain at multiple stages, which is especially common if the transit between the various stages is over untrusted networks and thus should be protected.

A typical example is a content delivery network (CDN) like Cloudflare, which terminates the TLS on their side but then forwards the traffic to the customer system somewhere else on the internet, which has its own certificate to protect the communication between Cloudflare and the final server.

Since each of the servers/proxies needs both a certificate and private key for this and the private keys should not be shared, this usually means that proxies and servers have different certificates. From the perspective of the public client only the initial proxy needs to have a certificate trusted by the client, i.e. typically a certificate from a public CA like Let's Encrypt. Each other stage needs only a certificate trusted by the previous stage, which might be issued by some internal non-public CA or might even be self-signed.

Note that you could also use domain-based routing in HAProxy without terminating the TLS, by routing based on the server name which is visible in the TLS handshake (as long as no ECH is set up). Since in this case HAProxy does not terminate the TLS, it does not need certificates either.

  • Thank you very much for your answer. The information and the links were very helpful. One Nginx-Rev.-Proxy is already working, but the second one isn't working yet and no certificates can be generated. But I suspect that it's an internal problem with the Nginx-Rev.-Proxy? Commented Oct 7, 2024 at 19:07
  • @OrkoPaede: I've only answered your conceptual question. For problems with the specific implementation you would need to provide more details of what you are exactly doing - i.e. "isn't working" and "no certificates can be generated" are not sufficient details. But this would also be another new question and should be asked separately and not in a comment - your original question is answered. Commented Oct 7, 2024 at 23:41
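To make the answer's SNI-routing point and the question's working config concrete, here is an added example (not from the question, the answer or HAProxy itself) that builds a constructed TLS ClientHello and extracts exactly the fields the posted config inspects: the hello type (`req_ssl_hello_type 1`), the session id at record offset 43 (`payload_lv(43,1)`) and the SNI host name (`req_ssl_sni`), then applies the same `-m end` suffix rule to pick a backend. The route table and host names are assumptions for illustration.

```python
import struct

def build_client_hello(sni: str, session_id: bytes = b"") -> bytes:
    """Constructed minimal TLS ClientHello record carrying an SNI extension
    (not a real capture). HAProxy sees the same byte layout on the wire."""
    host = sni.encode("idna")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # host_name type 0
    sni_ext = struct.pack("!H", len(name_entry)) + name_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                  # client_version + random (zeros)
            + bytes([len(session_id)]) + session_id  # session_id, length-prefixed
            + struct.pack("!H", 2) + b"\x13\x01"     # one cipher suite
            + b"\x01\x00"                            # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record: bytes) -> dict:
    """Pull out hello type, session id and SNI without terminating TLS,
    which is all the posted tcp-mode frontend needs to route a connection."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake ClientHello")
    pos = 43                      # 5 record hdr + 4 handshake hdr + 2 version + 32 random
    sid_len = record[pos]         # this is the byte payload_lv(43,1) reads
    session_id = record[pos + 1:pos + 1 + sid_len]
    pos += 1 + sid_len
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # skip cipher suites
    pos += 1 + record[pos]                                # skip compression methods
    sni = None
    if pos < len(record):
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0x0000:                        # server_name extension
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    return {"hello_type": record[5], "session_id": session_id, "sni": sni}

def choose_backend(sni, routes):
    """Same semantics as 'acl X req_ssl_sni -m end <suffix>' + use_backend:
    first suffix match wins; no SNI (or no match) means no backend."""
    for suffix, backend in routes:
        if sni is not None and sni.endswith(suffix):
            return backend
    return None
```

Note that `-m end domain1.de` as written in the config is a bare suffix match, so a name such as `xdomain1.de` would also select that backend; a leading dot in the suffix or `-m str` with the exact host names keeps the routing tighter. Without a matching `use_backend` the connection is simply dropped, which is a reasonable default for a passthrough frontend.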
