sanderl
New Member
June 9, 2020
Question

SSL VPN behind Nginx Proxy Manager

Is it possible to open 443 on an IP address through a FortiGate (yes :-)) to an nginx server, to then have that nginx server serving several URLs and Let's Encrypt to a web server (or servers), and then the magic: to have a URL, e.g. vpn.domain.com, serving back to (the internal?) interface of the FortiGate? There is only 1 internet IP address available on the FortiGate. And of course port 80 is also forwarded to the nginx in order to renew Let's Encrypt. Any tips welcome. Thanks.


emnoc
New Member
June 9, 2020

That makes no sense if you're trying to map tcp port 443 to an nginx webserver AND the fortigate. You want to use alternative ports,

i.e.

8443 === vpn.domain.com
443 === webserver1.domain.com, owa.domain.com, etc.

If you get a wildcard cert you can use it on both the sslvpn portal/service and webserver; you can even use a SAN and share it on the two services, just place an altName for the two services,

i.e.

altName field

DNS1=vpn.domain.com
DNS2=web.domain.com
DNS3=email.domain.com

Ken Felix

sanderl (Author)
New Member
June 10, 2020

Hi Ken Felix, thank you very much for taking the time to respond to my question!

Of course it makes sense that the widely accepted port for SSL and https is 443. Other ports are just "workarounds" and possibly not enabled in a guest network (hence my question). So please, can we go back to the original question and find out if that is possible?

sw2090
SuperUser
June 10, 2020

443/tcp is by default used for https and ssl on the FortiGate.

If you want to forward that to your nginx, this only makes sense if you reconfigure your FGT to use a different port for https and ssl first.

The domains are then only DNS and the Host header name via a vhost on nginx.

Of course you could create a domain that you redirect back to the FGT with nginx. Still, that will require that the FGT uses a different port, since 443 would then be redirected to nginx.

sanderl (Author)
New Member
February 15, 2024

A long time back I created this topic. At that time it did not succeed. Now it has worked the way I wanted for a long time, and I thought I'd share some of it back with the community.

So what I have:

  • An Ubuntu machine with nginx (npm).
  • A FortiGate with a loopback interface (internal) presenting SSL VPN.
  • A VIP port forwarding (443) to the nginx machine.
  • A public DNS name resolving back to the external IP of the FG.
  • Configuration on the nginx catching that traffic (for that DNS name) and forwarding it to the loopback.

Some screenshots: nginx.png, nginx2.png

This way the client (browser / VPN client / Android app) connects fine and without a certificate warning, as the certificate is presented by nginx.

In addition, the external IP can be used with multiple DNS names that are all forwarded to different backend services, all over 1 IP address.
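Putting the two answers together (emnoc's single SAN or wildcard certificate covering both hostnames, and the setup sanderl describes above, where nginx terminates 443 and forwards only the vpn.domain.com name to the FortiGate loopback), here is an added example nginx configuration. It is not from this thread, from Nginx Proxy Manager, or from Fortinet. The loopback address 10.255.255.1, the SSL VPN port 10443, the internal web server 10.0.0.20:8080, and all certificate paths are assumed placeholders; the FortiGate is assumed to present, on the loopback, a certificate that is valid for vpn.domain.com and whose issuer is exported to the trusted-certificate path below.

```nginx
# Added example (not from the thread): two nginx vhosts sharing one SAN/wildcard
# certificate. vpn.domain.com is re-encrypted to a FortiGate SSL VPN bound to a
# loopback interface; web.domain.com goes to an ordinary internal web server.
# Assumed values:
#   10.255.255.1:10443                 FortiGate loopback IP and SSL VPN port
#   10.0.0.20:8080                     internal web server
#   /etc/letsencrypt/live/domain.com/  one cert with SANs for both names
# Port 80 is left to the ACME client so Let's Encrypt renewals keep working.

# vpn.domain.com -> FortiGate SSL VPN on the loopback
server {
    listen 443 ssl;
    server_name vpn.domain.com;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://10.255.255.1:10443;

        # The FortiGate now sees nginx as the TCP client. Pass the real source
        # address so its logs and any per-client limits can still tell users apart.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Re-encrypt to the loopback and verify the certificate the FortiGate
        # presents there (issuer assumed exported to this path) instead of
        # trusting whatever answers on the internal hop.
        proxy_ssl_server_name on;
        proxy_ssl_name vpn.domain.com;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/certs/fortigate-sslvpn-ca.pem;

        # VPN sessions are long-lived: do not let idle timeouts or response
        # buffering cut the connection.
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}

# web.domain.com -> internal web server, same certificate
server {
    listen 443 ssl;
    server_name web.domain.com;

    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://10.0.0.20:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Connections on 443 with an unknown or missing SNI name match no backend and
# are dropped, so an unexpected hostname cannot be used to reach the VPN portal.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    return 444;
}
```

Two things to keep in mind when adapting this. The nginx host needs a FortiGate firewall policy that allows it to reach the loopback on the SSL VPN port; nothing else should be able to. And because every VPN connection now originates from the nginx address as far as the FortiGate is concerned, client-level visibility depends on the X-Forwarded-For header being carried and logged, so check the FortiGate's SSL VPN logs after the change rather than assuming the source addresses still mean what they did before.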