Hi. I have a use-case where I would need to be able to customize the nginx `listen` directive for a given proxy host only.
I am self-hosting a service at home that can be accessed from the internet (WAN) or the local LAN. I want to enforce client-side TLS (mTLS) ONLY when the HTTPS client is coming from the internet, but NOT when coming from the LAN. In both cases, clients should use the same FQDN (using a different FQDN would be a real headache for client configuration). In both cases I want to use nginx-proxy-manager as a TLS termination and HTTP proxy (btw, great tool, thank you!). The reason why I do not want to enforce mTLS on LAN requests is that its support in HTTPS clients is inconsistent.
First of all, there seems to be no way with nginx to enforce `ssl_trusted_certificate` only for some source IP addresses/networks, apart from tweaking with the `geo` directive and making the client TLS optional, but that is still a problem for some web clients. So I figured I would have to run 2 proxy hosts per service, tweaking the nginx `listen` directive and using 2 different [IP address, TCP port] pairs on my server (one for LAN and one for WAN), using my LAN DNS server to add entries pointing towards the LAN address for LAN requests, whereas the public internet DNS would point towards the WAN address. The problem is that nginx-proxy-manager does not allow customising the nginx `listen` directive :-( so today my only way around this is running 2 different nginx-proxy-manager containers, one for each interface. This is cumbersome, because it is not very practical to duplicate configuration between 2 nginx-proxy-manager instances.
So this is a feature request: adding a way to tweak the `listen` directive, to limit the interfaces used rather than going for `0.0.0.0` and `[::]`. I would gladly discuss my issue further.
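The split-listener layout the post asks for, written out as a plain nginx configuration (an added example, not code from the post or from nginx-proxy-manager). It assumes the proxy host owns two addresses, 192.168.1.10 on the LAN and 203.0.113.10 facing the WAN, serves the single name app.example.com on both, has a client CA bundle at /etc/nginx/certs/client-ca.pem, and forwards to a backend at 10.0.0.5:8080; every one of those values is a placeholder.

```nginx
# Added example: one FQDN, two server blocks bound to distinct addresses,
# client certificates required only on the WAN-facing listener.
# Addresses, hostname, paths and upstream are placeholders, not from the post.

upstream app_backend {
    server 10.0.0.5:8080;                # placeholder backend
}

# WAN listener: bound to the public-facing address only, mTLS mandatory.
server {
    listen 203.0.113.10:443 ssl;         # WAN address (placeholder); no 0.0.0.0
    server_name app.example.com;

    ssl_certificate     /etc/nginx/certs/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/app.example.com/privkey.pem;

    # Client must present a certificate chaining to this CA, otherwise nginx
    # rejects the request with its 496 (no cert) / 495 (bad cert) status,
    # sent to the client as 400 unless remapped with error_page.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;            # allow one intermediate below the root

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Hand the authenticated identity to the backend; nginx sets this from
        # the verified certificate, so the client cannot forge it here.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}

# LAN listener: bound to the LAN address only, same name and server cert,
# no client certificate requested at all (no CertificateRequest in the handshake).
server {
    listen 192.168.1.10:443 ssl;         # LAN address (placeholder)
    server_name app.example.com;

    ssl_certificate     /etc/nginx/certs/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/app.example.com/privkey.pem;

    location / {
        proxy_pass http://app_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Strip any client-supplied copy of the header on the unauthenticated path,
        # so the backend cannot be tricked into treating a LAN request as verified.
        proxy_set_header X-Client-DN       "";
    }
}
```

Two things to verify after loading this. First, `nginx -t` and then `ss -ltnp | grep ':443'` should show the two specific addresses and no `0.0.0.0:443` or `[::]:443` socket; a wildcard listener on the same port would make the per-address split meaningless. Second, the router's port-forward must point only at 203.0.113.10:443: a forward (or a hairpin-NAT rule) that reaches 192.168.1.10:443 from outside bypasses the client-certificate check entirely, since the LAN block never asks for one. The failure in the other direction is benign: a LAN client that ignores the local resolver (hard-coded DNS, DNS-over-HTTPS) resolves the public address and simply gets prompted for a certificate. Note also that the addresses in `listen` must belong to the process running nginx; inside a bridge-networked container they are the container's, not the host's, so each host [IP, port] pair would have to be published onto a distinct container port instead.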