Using two successive proxies (nginx then caddy)

Hello Guys,

I set up a Vaultwarden and a Caddy reverse proxy (for the SSL part) on the same host, as described in this part of the wiki, and it is working perfectly fine! (Thank you guys for the documentation!)
This Vaultwarden "full server box" is hosted in the Private DMZ and can normally be accessed from inside the LAN using https.
Up to here, everything is perfect!

But now, here is my problem:
I also need to make it accessible from the outside (Internet), and for this the entry point is the main NGINX WAF reverse proxy located in the Public DMZ. This NGINX reverse proxy must then forward the different flows to the original Caddy reverse proxy on the VW server box inside the Private DMZ.

So in the end the flows pass through two successive reverse proxies.

I don’t want to bypass the Caddy https by sending all the flows in plain http from the public DMZ directly to Vaultwarden (http) in the private DMZ. Not clean.
So I started from the typical nginx reverse-proxy template in the wiki to build my sites-enabled/conf file, but I quickly saw it was not suited to this case, and here I’m stumped!

I searched this forum and the Internet, but was not able to find this case: a first nginx proxy in a public DMZ, and a second Vaultwarden+Caddy reverse proxy in the private DMZ.

My main idea would be to forward like this, but it’s not working.

----------------------------
| nginx in   | caddy in    |
| public DMZ | private DMZ |
|--------------------------|
|     http  -->  http      |
|--------------------------|
|     https -->  https     |
----------------------------

I don’t understand what the different embedded flows are, so that I can direct them correctly.
Could you please point me in the right direction for the front nginx configuration?

Many thanks everybody!!

Basically my nginx example (by @BlackDex) should be enough for you to get it to work.

That depends on whether you offload https again on nginx or not.
You still need to tell nginx to connect via SSL to Caddy, of course. And, if Caddy doesn’t serve a certificate that nginx thinks is valid, you might need to tell nginx to ignore it, or provide the CA.

Thank you a lot @BlackDex, I used and adapted the nginx template in the wiki and finally got it working!

I first encountered a ‘504 Bad Gateway’.
After some testing, I was able to see that Caddy was not accepting IP addresses as the URI, only the strict SNI (vault.example.com).

I just needed to add these two necessary parameters to the nginx site config to make it use the SNI when forwarding to the Caddy server:

proxy_ssl_server_name on;
proxy_ssl_name vault.example.com;

Many thanks for your advice and for pointing me in the right direction!!

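Below is an added example of a complete front nginx site config for the setup discussed in this thread (public-DMZ nginx re-encrypting to the Caddy reverse proxy in front of Vaultwarden in the private DMZ). It is not the wiki template, not BlackDex’s example and not the poster’s config; it only reuses the two SNI directives from the thread and adds the verification BlackDex mentions. Everything else is assumed: vault.example.com as the public hostname (and the SNI Caddy serves), 10.0.20.10 as the private-DMZ address of the Vaultwarden/Caddy box, the certificate paths, and that Caddy’s issuing CA (its local root if Caddy uses `tls internal`, or the public CA bundle otherwise) has been exported to /etc/nginx/certs/caddy-internal-ca.pem.

```nginx
# Added example, not from the original thread.
# Front nginx in the public DMZ -> Caddy (TLS) in the private DMZ -> Vaultwarden.
# Assumed: vault.example.com, 10.0.20.10, and every path below.

# Connection header for the upstream: "upgrade" for websocket requests,
# empty otherwise (empty is what the upstream keepalive needs).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

upstream vaultwarden_caddy {
    server 10.0.20.10:443;   # assumed address; Caddy listens on 443 in the private DMZ
    keepalive 16;
}

# Plain-HTTP flow: redirect only, never proxied, so nothing crosses in clear text.
server {
    listen 80;
    listen [::]:80;
    server_name vault.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name vault.example.com;

    # Public-facing certificate terminated on nginx (assumed paths).
    ssl_certificate     /etc/nginx/certs/vault.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/vault.example.com/privkey.pem;

    # Attachments and Send uploads are large; size this to your Vaultwarden limits.
    client_max_body_size 525M;

    location / {
        proxy_pass https://vaultwarden_caddy;
        proxy_http_version 1.1;

        # Re-encrypt the hop and present the hostname as SNI. Without these two
        # lines nginx opens the TLS session by IP and Caddy has no matching site
        # to answer with, so the handshake fails.
        proxy_ssl_server_name on;
        proxy_ssl_name vault.example.com;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify Caddy's certificate instead of trusting whatever answers on the
        # private-DMZ address. Assumed path to the CA that issued Caddy's cert.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/caddy-internal-ca.pem;

        # Client identity for Vaultwarden's logging and rate limiting.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Websocket notifications share this location; Connection comes from the map.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Two caveats for anyone copying this. Keep `proxy_ssl_verify on`: with it off, any host that answers on the private-DMZ address with any certificate is accepted, which defeats the point of re-encrypting the second hop. A handshake that fails because the SNI does not match a Caddy site, or because the certificate is not trusted, surfaces as a 502 Bad Gateway from nginx together with an `SSL_do_handshake() failed` line in nginx’s error.log, which is the quickest way to tell it apart from a plain reachability problem. Second, because Caddy sits between nginx and Vaultwarden, the `X-Forwarded-For` Vaultwarden sees is whatever Caddy emits: by default Caddy discards forwarded headers from an untrusted peer and reports nginx’s own address, so list the public-DMZ nginx address under `trusted_proxies` in Caddy’s `reverse_proxy` block if the original client address matters.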