NGINX TCP Stream with SNI support. More than helpful for lab environments
Daniel Nashed – 21 January 2023 14:11:41
In production you usually want centralized certificate handling and off-loading of TLS termination to a load-balancer. I posted scripts to have NGINX reload certs automatically from Domino CertMgr via HTTPS to leverage Domino's Let's Encrypt implementation.
But sometimes you really want all your servers directly exposed over TLS.
For example in a lab environment with limited resources and only one IP, you might want to still have each of the hosts expose their services on their own.
I did know Traefik (https://traefik.io/) has a built-in way to dispatch TLS passthrough traffic.
But I just discovered at the end of last year that NGINX also has a module to pre-read TLS SNI information to dispatch TCP traffic (http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html).
This becomes very convenient, when you want to expose multiple services over the same TCP port.
DNUG Lab as an example (Domino HTTPS and SafeLinx both on port 443)
In my example we are running Domino HTTPS and a SafeLinx server on port 443.
We might add more services in the future, and could even introduce a Nomad server in parallel with a different host name on port 443.
The services could also be separate containers or a native application running on a Linux host.
In our case we are also running NGINX in a container.
This approach allows you to run the latest NGINX container, even if your Linux distribution has not included it yet.
In our case Domino is exposed on port 444 and the SafeLinx server on port 445 via Docker.
Combinations are limited only by your imagination.
With NGINX dispatching all the traffic, you can run any number of services behind port 443.
Other ports could run on the same NGINX instance.
But you could also have an NGINX instance in TCP Stream mode dispatch traffic into another NGINX instance that off-loads TLS for other services or redirects traffic.
-- Daniel
Example start for a NGINX Docker container
docker run -it -d --name nginx --network host -v $PWD/nginx.conf:/etc/nginx/nginx.conf nginx
Example configuration for your nginx.conf file
user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

stream {
    # Route on the SNI host name read from the ClientHello (ssl_preread);
    # anything without a matching name (or without SNI at all) goes to Domino.
    map $ssl_preread_server_name $name {
        nomad.lab.dnug.eu nomad;
        default           domino;
    }

    upstream domino {
        server 127.0.0.1:444;
    }

    upstream nomad {
        server 127.0.0.1:445;
    }

    server {
        listen 443;
        proxy_pass $name;
        ssl_preread on;
    }
}
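To show what ssl_preread actually does with the connection, here is an added example (not NGINX code and not part of the original post): a small Python parser that reads the first TLS record, walks the ClientHello and pulls out the server_name extension, then picks an upstream with the same map as the nginx.conf above (nomad.lab.dnug.eu to port 445, everything else to the Domino default on port 444). The ClientHello builder and the byte values in it are constructed for the example; the dispatch table, host name and ports are taken from the configuration on this page.

```python
"""Extract the SNI host name from a TLS ClientHello and pick an upstream.

Added example mirroring the behaviour of ngx_stream_ssl_preread: the proxy
only looks at the cleartext ClientHello and never terminates TLS, so it needs
no certificate or private key. The session stays end-to-end encrypted.
"""
import struct

# Dispatch table mirroring the `map $ssl_preread_server_name $name` block.
UPSTREAMS = {
    "nomad.lab.dnug.eu": ("127.0.0.1", 445),   # upstream nomad
}
DEFAULT_UPSTREAM = ("127.0.0.1", 444)          # upstream domino (default)


def extract_sni(data: bytes):
    """Return the SNI host name from a TLS ClientHello, or None.

    None means: not a TLS handshake record, not a ClientHello, or a
    ClientHello without a server_name extension (old clients, raw IP
    connections). Truncated records raise ValueError so a caller knows it
    has to read more bytes before deciding.
    """
    # TLS record header: content type (1) | version (2) | length (2); 0x16 = handshake
    if len(data) < 5 or data[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("truncated TLS record")
    hs = data[5:5 + rec_len]
    # Handshake header: msg type (1) | length (3); type 1 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    if pos >= len(body):
        return None
    sid_len = body[pos]; pos += 1 + sid_len        # session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    if pos >= len(body):
        return None
    cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        ext = body[pos:pos + ext_len]; pos += ext_len
        if ext_type == 0x0000:                     # server_name extension
            # ServerNameList: list length (2), then entries: type (1) | length (2) | name
            lpos = 2
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
                name = ext[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == 0:                 # host_name
                    return name.decode("ascii", errors="replace")
    return None


def choose_upstream(data: bytes):
    """Apply the map: known SNI -> its upstream, anything else -> default."""
    return UPSTREAMS.get(extract_sni(data), DEFAULT_UPSTREAM)


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS ClientHello (test input only, not a real client)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03" + b"\x11" * 32                 # version + constructed "random"
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # one compression method: null
    )
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sni in ("nomad.lab.dnug.eu", "domino.lab.dnug.eu", None):
        print(sni, "->", choose_upstream(build_client_hello(sni)))
```

Two points the parser makes visible: the `default` line in the map is not optional in practice, because clients that send no SNI (or a name you did not list) still open a connection and must land somewhere; and since routing happens on the unencrypted ClientHello, the backends keep their own certificates and keys, which is exactly why this fits a lab where every host should terminate TLS itself.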