What free reverse proxy solution would you advise?

We have accumulated quite a lot of internal http/https services that need to be published to the outside. The services are diverse and run on different platforms. Right now everything is published through MS TMG, partly through a single public IP address, separated by domain name. But since almost all services are forced to use https, complications arise in generating and importing certificates on the server and on TMG: the certificate has to be tied to the "listener". That almost rules out using Let's Encrypt, because on the server the certificate reissue works automatically, but on TMG it has to be imported by hand and changed in the listener.
So I am looking for a free solution for publishing web services, with the ability to set up all the sub-domains and obtain certificates for them from Let's Encrypt, or else not install its own certificate and forward directly to the destination server. Plus some extra goodies for protection, like limiting the number of sessions, blocking brute force and so on.
July 2nd 19 at 13:07
3 answers
July 2nd 19 at 13:09
Solution
Ehm, and what about nginx doesn't please you? Why look for something else?
I haven't looked at it yet, just glanced in its direction, but I have not yet found the answer to some of the points related to the certificates. In particular, how difficult is it to implement my wishlist.
For example, I have several internal servers: OWA, RDWebAccess, the web face of 1C and so on. Externally they are published under the names mail.domain.ru, terminal.domain.ru and so on. Some of the servers themselves obtain Let's Encrypt certificates automatically and install them on themselves. Is it possible to move this role to nginx, so that it sets up the required certificate? Or does the server need to obtain the certificates? - Vaughn.Baumbac commented on July 2nd 19 at 13:12
There are a few external IPs, but not enough for all the internal services, i.e. several subdomains have to hang on one IP. Hence the certificate problem; they need to be combined somehow. - Vaughn.Baumbac commented on July 2nd 19 at 13:15
: from what I read in the question, nginx can do, if not everything, then almost everything.
You can bring up several SSL servers (instances), each of which is assigned its own ssl certificate. The client connects to a port and, by means of the SNI extension to the SSL protocol, tells the server which domain it wants to communicate with; NGINX in this case hands over the needed server certificate and the procedure of establishing the SSL session continues.
From NGINX to your internal resource you can keep an ordinary HTTP connection.

This mode of operation is called a reverse proxy; it is described in great detail in thousands of documents and works fine with default settings. You just need to put the public and private keys on the NGINX server and create entries in nginx's configuration files for each domain, specifying the certificates (and keys) and the address of the endpoint server to which proxying is done. Optionally you can make a transparent http -> https redirect for those users whose browsers are unsafe.

You'll set this up in an hour. - wilfrid11 commented on July 2nd 19 at 13:18
: answered above. Yes, on one IP you can hold as many SSL domains as you like; to the destination servers the traffic will go over HTTP without encryption, with support for balancing and caching. - wilfrid11 commented on July 2nd 19 at 13:21
All your questions are some kind of Stone Age, honestly. The bony hands of Microsoft are showing.

All normal web servers (nginx, of course, included) have known SNI for more than a decade. And for Let's Encrypt a mass of wrappers was written long ago that self-update site certificates; you just have to add a job to the scheduler. - Greyson.Erdm commented on July 2nd 19 at 13:24
: don't scold, yes, I won't curse. And whoever has never used Microsoft software, let him first throw a stone at me (preferably an i7 with the "k" suffix).

A common situation in a typical office (most likely state-owned): software purchased in the last century, a large contract with MS, TMG shouldn't bother anyone, but now it's time for a change and the last IT director has left (died, retired, drank himself away; pick your reason). - wilfrid11 commented on July 2nd 19 at 13:27
: a normal office and a public enterprise are not synonyms, but quite the opposite. In our perverted economy, deliberately using less effective solutions (for example, paid ones with the same functionality as free ones) is a common phenomenon, but personally I am not going to indulge it; hence the first paragraph of my previous comment. And the rotation of directors: again, only after someone leaves for a pension does the actual implementation of the technologies start :) - Greyson.Erdm commented on July 2nd 19 at 13:30
: well damn, my response to your comment was not addressed to you, it's an assumption. If you have anything to say on this it will be interesting, but it won't have any relation to it. - wilfrid11 commented on July 2nd 19 at 13:33
: Well, I'm sorry that not everyone understands normal web servers. Kicking MS here is pointless.
I don't see the point in starting a flame war on the subject of open source either. Each case has its own decisions.
Better throw a link to one of the many manuals into my question. - Vaughn.Baumbac commented on July 2nd 19 at 13:36
Here, say, "Proxy server on NGINX with ssl"? It looks like everything you need is there. - wilfrid11 commented on July 2nd 19 at 13:39
:
server {
    listen 443 ssl;
    server_name test.com;

    # public certificate (chain) and private key for this hostname
    ssl_certificate /etc/nginx/cert/test_pub.crt;
    ssl_certificate_key /etc/nginx/cert/test_priv.key;

    # pass the client's address through to the backend
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    access_log /var/log/nginx/test.com.access.log;
    error_log /var/log/nginx/test.com.error.log;

    location / {
        # "backend" must be defined in an upstream {} block, or replaced with host:port
        proxy_pass http://backend;
    }
} - wilfrid11 commented on July 2nd 19 at 13:42
: that's all you need to write in the config, plus put the keys in place. Change backend to something else. Test, put nginx outside, change the DNS, add a new server into the configuration, a new key, and so on. - wilfrid11 commented on July 2nd 19 at 13:45
Thanks, I'll take a look. - Vaughn.Baumbac commented on July 2nd 19 at 13:48
: write me on Skype if anything. *just be online pls =) - wilfrid11 commented on July 2nd 19 at 13:51
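The setup wilfrid11 sketches above, filled out for the question's wishlist (several names on one IP selected by SNI, Let's Encrypt certificates, an http -> https redirect, and session and brute-force limiting) as an added example; this is not a config from the thread, and the backend addresses 10.0.0.10 and 10.0.0.11, the certbot webroot directory and the certificate paths are assumptions:

```nginx
# Added example (not from the thread). Assumed: backend addresses, cert paths, webroot dir.
# Per-client limits: 10 requests/s (burst 20) and at most 20 open connections per IP.
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;

# Port 80: answer Let's Encrypt HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name mail.domain.ru terminal.domain.ru;
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # certbot certonly --webroot -w /var/www/letsencrypt -d <name>
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: one server block per hostname on the same IP; nginx picks the block (and thus
# the certificate) from the SNI name. Certbot renews the files in place, so the scheduled
# renewal job only needs to run "nginx -s reload" afterwards.
server {
    listen 443 ssl;
    server_name mail.domain.ru;
    ssl_certificate     /etc/letsencrypt/live/mail.domain.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.domain.ru/privkey.pem;
    limit_req  zone=perip_req burst=20 nodelay;
    limit_conn perip_conn 20;
    location / {
        proxy_pass http://10.0.0.10;   # assumed internal OWA address; plain HTTP inside
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen 443 ssl;
    server_name terminal.domain.ru;
    ssl_certificate     /etc/letsencrypt/live/terminal.domain.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/terminal.domain.ru/privkey.pem;
    limit_req  zone=perip_req burst=20 nodelay;
    limit_conn perip_conn 20;
    location / {
        proxy_pass http://10.0.0.11;   # assumed internal RDWebAccess address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

These directives belong inside the http {} context, e.g. in a file under /etc/nginx/conf.d/; limit_req and limit_conn throttle per client address, which slows down brute force at the edge but does not replace the application's own login lockout.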
July 2nd 19 at 13:11
Solution
A worthy alternative to Nginx in your situation is HAProxy.
And if TMG satisfies everyone, keep sitting on it, and solve the certificate hassle by switching to a wildcard certificate.
Thank you, I'll look at that in more detail too. - Vaughn.Baumbac commented on July 2nd 19 at 13:14
July 2nd 19 at 13:13
nginx is great and does everything you need
