Accessing and setting up system using NGINX and FQDN
-
Hey! Hopefully this isn't a stupid question. I'm finding it a bit difficult to figure out how to access this system with my endpoint clients from an FQDN such as openem.mydomain.com using NGINX Proxy Manager.
Maybe I'm doing something wrong, or maybe I've just missed something really simple, but when I go into Admin settings > Client Com Servers > MyComServer and change the URL from my local http://192.168.1.69:8888/ to something like https://openem.mydomain.com (which does point back to my home router; my home router forwards anything on ports 80 and 443 to my NGINX Proxy Manager install, which then points to my local server at http://192.168.1.69:8888), I get no connection to the system.
A guide or write-up somewhere on how to use NGINX PM with this system would be fantastic, but I understand not being able to create a guide for that use case. I just hope someone can help me out on how to connect to the system using an FQDN through NGINX PM.
It's worth noting that I use Cloudflare for this process as well, so the full URL https://openem.mydomain.com points to Cloudflare, which proxies the connection for security and then points to my WAN address, which is static. My router takes all port 80 and all port 443 traffic and forwards it to my NGINX PM server, where https://openem.mydomain.com is pointed from the NGINX PM server to my local install at http://192.168.1.69:8888.
I really hope I'm just missing something simple here, or that I have misread something, because I can't figure out for the life of me how you're supposed to take the Toems UI on port 80, the API on port 8080 and the client connect port of 8888 and have them all under one FQDN through a proxy system.
And just for reference, if I enter https://openem.mydomain.com:443/Provison/VerifyDb I'm able to get the "60" message on screen. Not sure if that helps or not.
-
So I figured out what the issue is. Now I need help figuring out the solution.
After several days of playing around with the FQDN settings and trying to figure out how to utilize the system, I figured out that the client com server URL under Admin Settings > Client Com Servers > "My Com Server" > URL is where you program in the TOEC client URL. I knew this before, but I don't think I explained it very well in my previous post.
My problem is the certificates that the server requires for the Toec API clients to connect. When you go through the setup process you generate a set of certificates (a trusted and an intermediate) that you then install on the server host in their respective places. Unfortunately, when using NGINX PM or Cloudflare, the connection string is changed in the routing process, which prevents the connection because the certificates being provided by the server don't match the ones being provided by NGINX PM and don't match the specified URL when using the Cloudflare proxy. I've also noticed that they don't work with SSL ports like 443 either.
My problem now is that I need to figure out a way to tell the "TheOpenEM" server that it doesn't need to care about SSL connections/certs. Below is an example of how the SSL connection will work and why the TheOpenEM server doesn't need to care about them.
When you enter "theopenem.mydomain.com" it's routed through Cloudflare on port 443 and proxied. Next it's sent via proxy to the WAN/router of the building the server is housed in, still on port 443. Then it is sent from the WAN/router to the NGINX PM server, still on port 443, because all port 443 and port 80 traffic on the WAN/router is forwarded to NGINX by design. Once at NGINX, the NGINX server verifies the SSL connection using a certificate at that point. Then the traffic is passed on, based on that certificate, to the internal IP address and port of the OpenEM server's Toec client API. The only connection from the OpenEM server to the outside world is through the NGINX PM server, which is also where the SSL happens.
So basically I need to allow any and all connections to the OpenEM server regardless of certificates/keys or whatever, because the protection and SSL of the traffic happen elsewhere.
- Is there a way to turn off the requirement for certs on the server and, if so, how is that accomplished?
I know this seems like a silly way to do this, but when you're running 10+ services/servers and need a quick and easy way to launch new ones securely over SSL, this is the easiest and best method I've found so far that works for my needs.
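As an added illustration, not from the thread above or from the Theopenem project, here is a plain NGINX configuration for the layout both posts describe: TLS is terminated at the proxy, only ports 80 and 443 reach it from the router, and each of the three backend listeners (UI on 80, API on 8080, client com server on 8888) is reached through 443 and selected by hostname. Three hostnames are used instead of one FQDN because Theopenem's URL layout is not established in this thread and path-based routing of three separate listeners under one name would depend on it. The backend address 192.168.1.69 comes from the post; the hostnames openem-api.mydomain.com and openem-client.mydomain.com, the certificate paths and the timeout/body-size values are assumptions. NGINX Proxy Manager generates equivalent server blocks from its proxy host settings; the raw form is shown so each directive is visible. Whether the Theopenem server will accept a client connection arriving over plain HTTP from the proxy, or can be told to skip its own certificate check, is the open question of the second post and is not answered here.

```nginx
# Added example configuration; not from the thread or the Theopenem project.
# Assumed: 192.168.1.69 is the Theopenem host (the address in the post),
# the three hostnames resolve (via Cloudflare) to this proxy, and the
# certificate paths exist. Only ports 80 and 443 are forwarded from the
# router, so every backend port is reached through 443 and picked by name.

# Backends: the three listeners named in the first post.
upstream toems_ui     { server 192.168.1.69:80;   }
upstream toems_api    { server 192.168.1.69:8080; }
upstream toems_client { server 192.168.1.69:8888; }

# One certificate valid for all three names (wildcard/SAN cert, or a
# Cloudflare origin certificate when the zone runs in "Full (strict)").
ssl_certificate     /etc/ssl/mydomain/fullchain.pem;   # assumed path
ssl_certificate_key /etc/ssl/mydomain/privkey.pem;     # assumed path
ssl_protocols       TLSv1.2 TLSv1.3;

# Set once in the http context so every proxied location inherits them.
# Host is passed through unchanged so the backend sees the name the client
# asked for rather than the proxy's internal address.
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;

# Plain HTTP on 80: redirect to HTTPS; nothing is served in clear.
server {
    listen 80;
    server_name openem.mydomain.com openem-api.mydomain.com openem-client.mydomain.com;
    return 301 https://$host$request_uri;
}

# Web UI (backend port 80).
server {
    listen 443 ssl;
    server_name openem.mydomain.com;
    location / { proxy_pass http://toems_ui; }
}

# API (backend port 8080). Hostname is assumed.
server {
    listen 443 ssl;
    server_name openem-api.mydomain.com;
    location / { proxy_pass http://toems_api; }
}

# Toec client com server (backend port 8888). Hostname is assumed; this is
# the URL that would go into Admin Settings > Client Com Servers > URL.
server {
    listen 443 ssl;
    server_name openem-client.mydomain.com;
    client_max_body_size 0;        # assumed: lift the 1 MB default body cap for client uploads
    proxy_read_timeout   600s;     # assumed: allow long client check-ins
    location / { proxy_pass http://toems_client; }
}
```

Two checks worth running before touching the server side. First, test the proxy with Cloudflare taken out of the path, e.g. `curl -sv --resolve openem-client.mydomain.com:443:<proxy LAN IP> https://openem-client.mydomain.com/`; if that works and the same URL through Cloudflare does not, the problem is in the Cloudflare hop, not in NGINX or the backend. Second, remember that Cloudflare's proxy only forwards a fixed set of ports (80, 443, 8080, 8443, 8880 and a few 20xx ports); 8888 is not one of them, so a client com server URL ending in :8888 behind an orange-cloud record never reaches the router, which is why the port has to be folded into 443 as above. The certificate NGINX presents must be valid for the hostname if the Cloudflare zone is set to "Full (strict)" (a public CA cert or a Cloudflare origin certificate); "Full" accepts any certificate, and "Flexible" makes Cloudflare talk plain HTTP to port 80, which this configuration would answer with a redirect. If the backend on 8888 in fact speaks HTTPS with its own certificate rather than HTTP as the post's http://192.168.1.69:8888 URL suggests, proxy_pass would need https:// plus the proxy_ssl_* directives.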