Certificates not recognized through NGINX reverse proxy

Continuing the discussion from LXD UI Not Recognizing Certificates over NGINX Proxy Manager:

I am having an issue similar to the above discussion.

I can access the web UI with an installed certificate through, say, SSH forwarding of port 8443, but the certificate is neither recognized nor hand-installable through NGINX reverse proxying.

Is there any chance to set up the Incus web UI through an NGINX reverse proxy? Or is there any kind of impossibility here?

Thx for an update on this issue.

You cannot do TLS client authentication through an HTTPS terminating proxy like NGINX.
If you could, it would be a giant security issue.

You can proxy through a TCP-only proxy (haproxy in tcp mode, for example), or you can use an HTTPS-terminating proxy like NGINX, but you will then have to use OIDC authentication, as TLS authentication cannot work.


Thank you very much for the answer. Indeed, I realize that NGINX would then act as a “man in the middle”. I will try the OIDC option first. Thanks again for the hints.

@stgraber What do you think about using this Caddy plugin? GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy

Would it still be considered an “insecure” solution?

That’s fine, looks like it can work like tcp mode in haproxy, so basically just blindly forwarding all traffic to Incus. It can’t analyze, it can’t provide a different certificate, but for pure “stuff arrives on port XYZ send it to Incus IP on port 8443” that works fine.
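
The TCP-only option from the replies above, written out as an haproxy configuration. This is an added example, not a configuration posted in the thread; the section names, the timeout values and the backend address 192.0.2.10 are placeholders.

```haproxy
# Added example: layer 4 passthrough in front of Incus.
# 192.0.2.10 is a placeholder for the Incus server address.

defaults
    mode tcp                # relay bytes only; TLS is never decrypted here
    option tcplog           # log connections (no HTTP fields exist in tcp mode)
    timeout connect 5s
    timeout client  1h      # assumed values, sized for long-lived sessions
    timeout server  1h

frontend incus_in
    # Deliberately no "ssl crt ..." on the bind line. Adding it would make
    # haproxy terminate TLS, and the browser's client certificate would be
    # presented to haproxy instead of Incus, which is the NGINX situation
    # described in the thread.
    bind :8443
    default_backend incus

backend incus
    # Deliberately no "ssl" keyword on the server line. The client's TLS
    # handshake runs end to end, so Incus presents its own server
    # certificate and verifies the client certificate itself.
    server incus1 192.0.2.10:8443 check
```

Because the proxy never sees plaintext, it cannot swap in a different server certificate or route by URL path; clients see the certificate Incus itself presents.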
