Ssl passthrough hosts - updated

[acul009]

Hi,

This PR updates the original Request: SSL passthrough hosts #1479

My use case is passing data to hosts which can handle certificate request for themselves.
In those cases I'd use the http proxy to only forward the requests to /.well-known/acme-challenge.

Additional traffic then has to arrive over TLS to work.
This makes reusing Port 443 for multiple services a breeze.

@chaptergy If you have some time, I'd really appreciate if you could check that I didn't botch any of your work :)

This would resolve Ticket #853 and allow for more secure data handling inside local networks.

[cj0duke]

Docker Image for build 2 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-3331

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

I'd like to test the feature. I did pull the image 3331, the stack is starting without problems, but within NPM - SSL P Hosts there is a message "SSL Passthrough Hosts are not enabled in the environment. Please see the docs for more information." Cloud you please provide some information on how to enable SSL P in the environment?

[acul009]

Right, the documentation is only contained in the branch, so you wouldn't see that normally.

The corresponding Environment Variable is:
ENABLE_SSL_PASSTHROUGH

Just set that to true and the new option can be found in the webinterface.

[cj0duke]

Just set that to true and the new option can be found in the webinterface.

Thank you for the quick update. It works.

Unfortunately when accessing a passthrough host, firefox is returning "SSL_ERROR_UNRECOGNIZED_NAME_ALERT". Which point am I missing?

(Maybe I need a coffee or two)

[acul009]

Can you describe your configuration a bit?

You might already know this, but I'll describe how this works a bit so we're on the same page.
Its hard to know how much the person on the other end of the line knows on the internet ;)

This is only a SSL/TLS passthrough which uses the SNI from the TLS protocoll to route the raw traefik.
Your error sounds like a problem with the hosts certificate.
It's important, that the connection with your given address (test.example.com) would work if you just route the whole port through.

So you can't just add test2.example.com as a passthrough if you target system doesnt have the required certificate.

If that helped, great.
In case you already know all that you'll have to share a bit more information to find the cause :)

[nginxproxymanagerci]

Docker Image for build 5 is available on DockerHub as jc21/nginx-proxy-manager:github-pr-3331

Note: ensure you backup your NPM instance before testing this PR image! Especially if this PR contains database changes.

[cj0duke]

If that helped, great. In case you already know all that you'll have to share a bit more information to find the cause :)

I tried it once again, with fresh docker images, but same result.

Setup as follows:
vm with working ssl cert serving with apache (private network, no NAT, no public access)
bind running (seperate) to serve domain

Did the following steps:

• bind entry pointing to vm
• changed entry to point to npm
• setup npm for passthrough (see pic)
  

Still getting the firefox error of "SSL_ERROR_UNRECOGNIZED_NAME_ALERT"

[acul009]

unfortunately it seems like this won't be merged anytime soon, even if I updated it.

In case anyone direly needs a solution for TLS forwarding, I created another project (WIP):

https://github.com/Rahn-IT/traefik-gui.git