use of own certificates and https-pass-through

[geigervibe]

Hi all!

I'm currently use traefik but my configuration will not work, for that I wonder if NPM is a better option and I wonder, if NPM supports the use of own certificates and https-pass-through. For both I could not find anything in the documentation (https://nginxproxymanager.com/setup/). If it supports these functions, were can I find more to read about, how to setup?

I need at least two routings:
https > npm > http/container1
https > npm > https/container2 (passthrough)
And as told using own certificate and NOT letsencrypt...

Thanks and regards...

[chaptergy]

It is currently not possible, I made a PR which would add this functionality but I'm not sure it will get merged, as it is a huge change and comes with a load of issues. See #853

[geigervibe]

I was able to answer one question myself, my own certificates can be integrated via the web GUI, as 'Custom' ones. Nothing special needs to be set up in the composer.

Thanks for the clarification, @chaptergy . If I have understood correctly, it is not possible to use entry port 443 for both proxy and ssl-passthrough at the same time, regardless of which edition of nginx is used? No possibility at all?

If I interpret the example-configuration under https://admintuts.net/server-admin/docker/nginx-reverse-proxy-with-ssl-pass-through-load-balancing/ (see 'Bonus: Configure Nginx Reverse Proxy SSL Passthrough SNI For Docker') correctly, the port 3443 is used for the ssl-passthrough and port 443 for proxy? Did I interpreted that correctly?

[geigervibe]

Sorry, my english is not that good and therefor confusing. I thought when I use native nginx I would have more possibilities than using npm. OK, the underlaying nginx for npm is a full installation of nginx, I did not know that. What I would want is the following:

Browser https://app1.example.com (443) > example.com/nginx/proxy > http/container1
Browser https://app2.example.com (443) > example.com/nginx/sslpassthrough > https/container2

Would that be possible when using a host with only one IP were normal nginx is running? I read at some places, that you would need at least two entry ports or two IP's for that. But I'm not sure, if I got that right. If that is really the case, then nginx would not be an option for this kind of configuration (besides the other caveats you mention).

[chaptergy]

You do have more options when you create the nginx config files yourself, npm limits the options it exposes to make it easy to use. Otherwise you would have to mount custom configs into the container using the docker-compose.

So why do you want to proxy it twice? Why https://app1.example.com (443) > example.com/nginx/proxy > http/container1 instead of just doing https://app1.example.com (443) > http/container1?

Proxying multiple websites on the same port is exactly what a reverse proxy does. When managing the SSL certificate in NPM it is very easy and you can just add proxy hosts which do exactly that. If you want the app behind the proxy to handle the SSL certificate, it is much more complicated and not possible through the interface of the current npm version. But it is possible in nginx in general.

[geigervibe]

Thank you for taking the time to answer my further questions, but I think we have some misunderstandings here.

With my illustration I wanted to mark the following path:
browser > proxy > endpoint
.. so no double proxy chain.

Even if the question of which answer I am wrestling with has nothing to do with npm but rather with nginx in general, it will help me to focus the right way for the future.

As shown in the illustration in previous post, I continue to wonder whether it is possible that the same entry port 443 can be used for both proxy and ssl-passthrough at the same time via one nginx-instance.

There are statements on the Internet that this is not possible, but I am not sure whether I have understood that correctly.

If that really doesn't work, I would have to deal with traefik again and neither hope/wait for a merge nor setup nginx by hand.

Up until now I have managed to access the app2 (see illustration) via npm and proxy scheme https, but that has nothing to do with ssl-passthrough, but this way I can currently reach both app1 and app2 via port 443 in my lab environment.

[chaptergy]

Am I now totally misunderstanding you? As I have said in my previous responses, having a ssl terminating proxy and a ssl passthrough proxy is possible on the same port, though much harder than just having ssl teminating proxies. Is that not what you want to know?

[geigervibe]

Yes, that's exactly what I wanted to know. Although I have now looked again where I have read that that is just not possible (using the same port). And I have now found one of the posts and it is actually on the same page where you have posted your PR:

NGINX can do SSL passthru, but it can't do it on the same ports being serviced for normal NGINX services. You can do only one or the other.

So now I'm even more confused. But I will leave it at that, instead of passthrough I now use the https scheme, although it is not the same, it serves the purpose for now.