Nginx Quick Relay offers an easy-to-set-up reverse proxy tailored for securing private network services. With automatic Let's Encrypt certificate handling and optional mTLS authentication, it simplifies connecting your internal services to the internet securely. Ideal for those seeking efficient SSL management.
Nginx Quick Relay
Nginx Quick Relay is a configuration-based, opinionated SNI-based reverse proxy designed using Nginx. This project simplifies the process of establishing a secure, internet-facing reverse proxy for private networks with automatic Let's Encrypt certificate provisioning and optional mutual TLS (mTLS) for enhanced security.
Key Features
- Ease of Setup: Quickly deploy an efficient reverse proxy to secure services within a home network while making them accessible from the internet.
- Flexible Configuration: The system is configured using a straightforward JSON or YAML file, ensuring clarity and ease of management. Example configuration files are available for reference:
Virtual Domain Types Supported
- Passthrough: Ideal for direct forwarding to private servers handling HTTP and HTTPS traffic. Key features include:
  - Direct forwarding of HTTP and SSL traffic.
  - Optional PROXY protocol support for preserving client IP information.
- Direct-Serve: For servers requiring added SSL support. This mode includes:
  - Automatic certificate management (creation and renewal).
  - Redirects HTTP to HTTPS and proxies HTTPS requests to backend servers.
  - Support for client certificates to restrict access.
  - IP-based trust mechanism for internal network exceptions.
  - Support for backend server certificates.
Client Certificate Authentication (mTLS)
The project supports client certificate authentication, adding another layer of security. Here’s a brief overview of the mTLS setup:
- Generate a Certificate Authority (CA) to issue trusted client certificates.

  ```bash
  mkdir -p client-certificates
  openssl genrsa -out client-certificates/ca.key 4096
  openssl req -new -x509 -days 3650 -key client-certificates/ca.key -out client-certificates/ca.pem -subj "/CN=My Client CA"
  ```

- Create and sign client certificates for authenticated users, keeping issuance under your control.
- Configure the `client-certificate` setting in the direct-serve entry so that your server validates incoming requests against client certificates.
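The step that creates and signs client certificates is listed above without commands. As an added example (not taken from the project's own documentation), the shell functions below issue a client certificate from the CA in `client-certificates/` and check that it verifies for TLS client authentication. The function names, the per-user file names, the 2048-bit key size and the 365-day default lifetime are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: issue client certificates from the CA created in step 1.
# Only ca.key and ca.pem come from the page; other file names are assumed.
CA_DIR="${CA_DIR:-client-certificates}"

# issue_client_cert NAME [DAYS]: writes NAME.key and NAME.pem into $CA_DIR.
issue_client_cert() {
    local name="$1" days="${2:-365}" ext rc
    case "$name" in
        ''|*/*) echo "usage: issue_client_cert NAME [DAYS]" >&2; return 2 ;;
    esac
    if [ ! -f "$CA_DIR/ca.key" ] || [ ! -f "$CA_DIR/ca.pem" ]; then
        echo "CA not found in $CA_DIR (run step 1 first)" >&2
        return 1
    fi
    ext="$(mktemp)" || return 1
    # Leaf certificate usable for TLS client authentication only.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > "$ext"
    # umask keeps the new private key readable by its owner only.
    ( umask 077; openssl genrsa -out "$CA_DIR/$name.key" 2048 ) &&
    openssl req -new -key "$CA_DIR/$name.key" -subj "/CN=$name" \
        -out "$CA_DIR/$name.csr" &&
    openssl x509 -req -in "$CA_DIR/$name.csr" -days "$days" -sha256 \
        -CA "$CA_DIR/ca.pem" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$ext" -out "$CA_DIR/$name.pem"
    rc=$?
    rm -f "$ext" "$CA_DIR/$name.csr"
    return "$rc"
}

# verify_client_cert NAME: succeeds only if NAME.pem chains to the CA and
# is valid for TLS client authentication.
verify_client_cert() {
    openssl verify -purpose sslclient -CAfile "$CA_DIR/ca.pem" \
        "$CA_DIR/$1.pem" >/dev/null 2>&1
}
```

Only `NAME.key` and `NAME.pem` go to the user; `ca.key` stays on the machine that issues certificates.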
Advanced Features
- Bypass mTLS for Specific Networks: Exempt certain IP ranges from mTLS requirements, facilitating easier access for trusted internal networks while maintaining security for external connections.
- Server Certificate Verification: Ensure backend services are validated against trusted certificate authorities, enhancing security for direct-serve implementations.
- PROXY Protocol Support: Enable the PROXY protocol to forward the client IP even when behind another proxy, ensuring accurate tracking of requests.
Conclusion
Nginx Quick Relay is an excellent solution for securely exposing services over the internet with comprehensive features that simplify proxy management while providing robust security measures. Whether securing home services or managing enterprise-level applications, this project offers the necessary tools for efficient and secure configurations.