Nginx Reverse Proxy to Azure Web App (Custom Domain Name)

Nginx Reverse Proxy To Azure Web App (Source: https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/)

Problem:

Custom domain names are not available for free on Azure Web Apps. An Nginx reverse proxy on an external server/provider that forwards to the Azure cloud works around the problem.

Solution:

Custom domain on a server with nginx (including Let's Encrypt, free SSL certificates)
—>
nginx reverse proxy
—>
Azure Web App (e.g. ASP.NET)

https://domain.com –> proxy –> webappname.azurewebsites.net

Nginx config (reverse proxy to Azure Web App)

server {
    listen 80;
    server_name domain.com www.domain.com;

    # Let's Encrypt HTTP-01 challenge files
    location /.well-known/acme-challenge {
        default_type "text/plain";
        root /var/www/letsencrypt;
    }

    # everything else is redirected to HTTPS
    location / {
        return 301 https://$server_name$request_uri;
    }
}

upstream app_webappname {
    server webappname.azurewebsites.net:443;
}

server {
    # TLS is enabled by the "ssl" parameter of listen
    listen 443 ssl http2;
    server_name www.domain.com domain.com;
    keepalive_timeout 300;

    # letsencrypt
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

    # Cipher
    # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

    # proxy to upstream
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Azure routes requests by its own host name, not by domain.com
        proxy_set_header Host webappname.azurewebsites.net;
        proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_set_header X-NginX-Proxy true;
        proxy_ssl_session_reuse off;
        proxy_pass https://app_webappname/;
        proxy_redirect off;
    }
}
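
The proxy location above encrypts the hop to Azure, but nginx does not verify upstream certificates unless told to, and with an upstream group the name it would check defaults to the group name (app_webappname) rather than the Azure host name. The following location block is an added example, not part of the original configuration, that turns verification on; the CA bundle path is an assumption (Debian/Ubuntu default) and must match the proxy server's distribution.

```nginx
# Added example: drop-in replacement for the "location /" block of the
# 443 server above, with upstream certificate verification enabled.
location / {
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host webappname.azurewebsites.net;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Send SNI and check the certificate against the real Azure host name.
    # Without proxy_ssl_name, nginx would use $proxy_host, i.e. the
    # upstream group name "app_webappname", and verification would fail.
    proxy_ssl_server_name on;
    proxy_ssl_name webappname.azurewebsites.net;

    # Reject the upstream if its chain does not lead to a trusted root.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # Assumption: Debian/Ubuntu system bundle; on RHEL-family systems the
    # bundle is usually /etc/pki/tls/certs/ca-bundle.crt.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # Do not negotiate TLS 1.0/1.1 with the upstream.
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    proxy_ssl_session_reuse off;
    proxy_pass https://app_webappname/;
    proxy_redirect off;
}
```

Run nginx -t before reloading; if verification fails at runtime, nginx logs an upstream SSL certificate verify error and the client receives a 502.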

Azure Web App settings

Networking –> Access Restrictions
Allow traffic only from the reverse proxy server.
New rule (Add rule) –> allow IP (IP of the nginx proxy server)

TLS/SSL settings –> Bindings
HTTPS Only –> set to "On"

Sources and further information:
https://withouttheloop.com/articles/2017-07-23-nginx-letsencrypt-azure-web-app/
https://www.cloudflare.com/learning/cdn/glossary/reverse-proxy/
https://www.nginx.com/resources/glossary/reverse-proxy-server/
https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
https://mohitgoyal.co/2018/06/02/load-balance-azure-web-apps-using-nginx-server/