NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
23.38k stars 2.71k forks

Manage CA, verify and issue upstream server certificates #2271

Open simonlerpard opened 2 years ago

simonlerpard commented 2 years ago

Is your feature request related to a problem? Please describe. When hosting web servers internally I would like to access an upstream server over https (which currently is possible), but nginx doesn't verify the server certificate by default, which leaves it open to MITM attacks if my internal network is compromised. My current solution is to add custom nginx config to support this and mount a CA to the NPM docker container. But then I need to manage a CA and issue all upstream certificates manually via the terminal, separately from NPM.

Describe the solution you'd like I would love if it was possible (via NPM) to generate a CA, issue and download long lived certificates (with their private keys) so they can be used between NPM and each individual upstream server securely.

Describe alternatives you've considered A first step could of course be to just make it possible to upload the CA and add an option when https is selected (of upstream server) to verify the certificate.

Additional context Example nginx config to verify one or multiple CAs for the upstream servers:

```nginx
proxy_ssl_trusted_certificate /config/trusted_ca_cert.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
```

I think it's kind of reasonable to have this functionality in NPM since it's already specifying upstream endpoints and managing other downstream certificates for the clients. It might be sort of inefficient to terminate SSL just to use it again for the upstream server, but then I can use a trusted certificate (Let's Encrypt) for all clients but still use https all the way.

And just to be clear, this is how I'm using NPM for internal web servers. And if I don't specify custom nginx config, the self-signed cert isn't verified at all:

Client -> HTTPS (Let's Encrypt cert) -> Nginx Proxy Manager -> HTTPS (self-signed cert) -> Upstream server
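The following is an added example, written for this page in Go (chosen because its standard library can create and verify X.509 chains offline); it is not NPM code and not something the issue author posted. It models the workflow the request describes: an internal CA, a long-lived certificate issued for one upstream host, and the check that `proxy_ssl_verify on` makes nginx perform against the bundle in `proxy_ssl_trusted_certificate`. The hostnames `app.internal.example` and the CA names are constructed; the path `/config/trusted_ca_cert.crt` is the one from the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed internal CA, the role NPM would play if it
// managed upstream certificates (constructed example, not NPM code).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // this CA signs end-entity certs only
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUpstream signs a long-lived server certificate for one upstream host.
// The returned key is what would be downloaded to that host; the proxy only
// needs the CA certificate.
func issueUpstream(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the verifier checks the name, not only the issuer
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyUpstream is the check that "proxy_ssl_verify on" enables in nginx:
// the presented certificate must chain to a trusted CA and be valid for the
// upstream hostname. A nil result means the proxied connection is allowed.
func verifyUpstream(trusted, presented *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// pemCert encodes a certificate as it would be stored in the
// proxy_ssl_trusted_certificate bundle (PEM blocks can be concatenated).
func pemCert(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// nginxUpstreamVerifyBlock renders the three directives from the issue.
func nginxUpstreamVerifyBlock(caPath string, depth int) string {
	return fmt.Sprintf("proxy_ssl_trusted_certificate %s;\nproxy_ssl_verify on;\nproxy_ssl_verify_depth %d;\n", caPath, depth)
}

func main() {
	ca, caKey, err := newCA("NPM internal CA (example)")
	if err != nil {
		panic(err)
	}
	leaf, _, err := issueUpstream(ca, caKey, "app.internal.example")
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA accepts issued upstream cert:", verifyUpstream(ca, leaf, "app.internal.example") == nil)

	// A certificate from any other issuer, which is what an on-path attacker
	// inside the network would have to present, must be rejected.
	rogueCA, rogueKey, _ := newCA("some other CA")
	rogueLeaf, _, _ := issueUpstream(rogueCA, rogueKey, "app.internal.example")
	fmt.Println("trusted CA rejects cert from other issuer:", verifyUpstream(ca, rogueLeaf, "app.internal.example") != nil)

	fmt.Printf("bundle for /config/trusted_ca_cert.crt:\n%s", pemCert(ca))
	fmt.Print(nginxUpstreamVerifyBlock("/config/trusted_ca_cert.crt", 2))
}
```

Two details worth keeping in mind when wiring this into nginx: the name nginx compares against the certificate comes from `proxy_ssl_name`, which defaults to the `proxy_pass` host, so the issued certificate needs a matching DNS SAN (the `DNSNames` field above), and `proxy_ssl_verify_depth 2` allows one intermediate, which is more than a CA that issues leaf certificates directly needs.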

FlorianFritz commented 1 year ago

This would be a nice addition I'd like to see as well.

To automate deployment, this would require an API to "download" the certificates and private keys on to the downstream servers.

This would also be beneficial to access the letsencrypt certificates which might be used for something other than http/https on downstream hosts (like smtp/imap):

mail.example.com:443 --> Router --> NPM --> https-service on Mailhost (Webmail)
mail.example.com:587 --> Router --> smtp-service on Mailhost (Send-Mailserver)
mail.example.com:993 --> Router --> imap-service on Mailhost (Receive-Mailserver)

Currently you have to copy the certs/keys from the container to the other server.

github-actions[bot] commented 9 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

FlorianFritz commented 9 months ago

Please implement this feature 🙋‍♂️

github-actions[bot] commented 1 week ago

Issue is now considered stale. If you want to keep it open, please comment :+1: