Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

alt

Daniel Nashed

NGINX TCP Stream with SNI support. More than helpful for lab environments

Daniel Nashed – 21 January 2023 14:11:41
In production you usually want centralized certificate handling and off-loading TLS termination to a load-balancer.
I posted scripts to have NGINX realod certs automatically from Domino CertMgr via HTTPS to leverage Domino's Let's Encrypt implementation.
But sometimes you really want all your servers directly exposed over TLS.


For example in a lab environment with limited resources and only one IP, you might want to still have each of the hosts expose their services on their own.

I did know Traefik (https://traefik.io/) has a build-in way to dispatch TLS passthru traffic.
But I just discovered end of last year, NIGNX also has a module to pre-read TLS SNI information to dispatch TCP traffic (
http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html).
This becomes very convenient, when you want to expose multiple services over the same TCP port.


DNUG Lab as an example (Domino HTTPS and SafeLinx on both on port 443)

In my example we are am running Domino HTTPS and a Safelinx server on port 443.

And we might add more services in future. And could even introduce a Nomad server in parallel with a different host name on port 443.
But they could be also separate containers or a native application running on a Linux host.

In our case we are also running NGINX in a container.
This approach allows you to run the latest NGINX container, even if you Linux distribution has not included it yet.
Like in our case Domino is exposed on port 444 and the SafeLinx server is exposed on port 445 via Docker.



Combinations are just limited by your imaginations


Having NGINX dispatch all the traffic you can use any number of services on port 443.
Other ports could run on the same NGINX instance.
But you could also have a NGINX instance in TCP Stream node also dispatch traffic into another NGINX instance off-loading TLS for other services or redirecting traffic.


-- Daniel


Example start for a NGINX Docker container

docker run -it -d --name nginx --network host -v $PWD/nginx.conf:/etc/nginx/nginx.conf nginx


Example configuration for your nginx.conf file

user nginx;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 768;
}


stream {
  map $ssl_preread_server_name $name {
    nomad.lab.dnug.eu   nomad;
    default             domino;
  }

  upstream domino {
    server 127.0.0.1:444;
  }

  upstream nomad {
    server 127.0.0.1:445;
  }

  server {
    listen      443;
    proxy_pass  $name;
    ssl_preread on;
  }
}

Links

    Archives


    • [HCL Domino]
    • [Domino on Linux]
    • [Nash!Com]
    • [Daniel Nashed]