I have a reverse proxy running on port 80 to serve as a "gateway" to update Let's Encrypt certificates on VMs inside my network. This reverse proxy is only exposed for 5 minutes per week on port 80 for this reason. I have a number of domains that pass through this server to be forwarded to their internal IP addresses. This all works fine, however there is one server exposed to the internet on port 443. When I make a request to the correct domain name using https, all is fine. When I use one of the other domains, I of course get an invalid certificate error. That is why I was thinking of routing port 443 traffic through the reverse proxy so I'll be able to block traffic not targeting the one domain that is exposed and running on 443. Nginx however expects a valid certificate which I can't give it because it's on another server.
The server I'm running on port 443 is Kerio Mailserver. Maybe there is something I can do there to force the use of only one domain name?
Is there a way of handling this? Just in case you're wondering: the other servers don't need exposing.
I see no reason why you can't proxy both HTTP and HTTPS traffic through NGINX. So you can:
Edit: If you also want to encrypt the traffic between NGINX and the VMs or, as you remark in a comment, you don't want to use NGINX for connections from the local network, you can use a local Certification Authority for the internal servers.
From your perspective it is much safer, since a local CA is more trustworthy than an external authority. You just need to add it to all computers in the local network and you can issue long term certificates without renewing them every 60 days.
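The answer above says both HTTP and HTTPS can be proxied through nginx, but its list of steps did not survive. The following configuration is an added example, not the answer author's own, showing one way to do it that also removes the asker's objection that nginx would need a certificate it cannot have: the `stream` module reads the SNI name from the TLS ClientHello (`ssl_preread`) and forwards the still-encrypted connection to the Kerio host only when the name matches, so the proxy never terminates TLS and needs no certificate for that domain. `mail.example.com`, `10.0.0.10` and the port numbers are placeholders; nginx must be built with `--with-stream` and `--with-stream_ssl_preread_module`.

```nginx
# Added example (not from the original post). Placeholders:
#   mail.example.com -> the one domain that may be reached on 443
#   10.0.0.10        -> internal IP of the Kerio host
# Requires: nginx built with --with-stream --with-stream_ssl_preread_module

stream {
    # Choose the backend from the SNI name in the ClientHello. Nothing is
    # decrypted here, so this proxy holds no certificate for the mail domain.
    map $ssl_preread_server_name $mail_upstream {
        mail.example.com  10.0.0.10:443;
        # Any other name, or a client that sends no SNI at all, is sent to a
        # local port where nothing listens: the client gets a closed
        # connection instead of a certificate error, and the other VMs are
        # never reachable through this path.
        default           127.0.0.1:1;
    }

    server {
        listen 443;
        ssl_preread on;              # read SNI without terminating TLS
        proxy_pass $mail_upstream;
    }
}

http {
    # The port-80 gateway the question already uses for the ACME HTTP-01
    # challenge; only the challenge path is forwarded, everything else is
    # dropped.
    server {
        listen 80;
        server_name mail.example.com;

        location /.well-known/acme-challenge/ {
            proxy_pass http://10.0.0.10;
        }

        location / {
            return 444;              # nginx closes the connection silently
        }
    }
}
```

Because the TLS session still ends on the Kerio host, its certificate must remain valid for `mail.example.com`; the proxy only decides which connections get that far. A quick check from outside is `openssl s_client -connect <public-ip>:443 -servername mail.example.com` (expect the Kerio certificate) versus the same command with one of the other names (expect the connection to be closed before any certificate is sent).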
I fixed this as follows: I first installed nginx on my Kerio VM and configured a reverse proxy routing port 443 to 444 (where Kerio now lives). Next I created a wildcard SSL certificate on the VM that I used on 2 hosts, 1 for the webmail and Kerio as a whole and 1 for redirecting all other domain names pointed at my public IP without getting a certificate error.
Now all I have to figure out is how to fix the 504 gateway timeout issue for real, so not by just adding a huge timeout limit. And hope certbot does renew using the DNS challenge without issues.
Now it's time for bed.
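An added example of the arrangement described in the post above, written here for illustration and not the poster's actual configuration: nginx on the Kerio VM terminates TLS with the wildcard certificate, one `server` block forwards the mail domain to Kerio on port 444, and a second catch-all block presents the same wildcard certificate to every other name before redirecting, so no certificate error is shown. It assumes all public names are under `example.com`, that certbot placed the wildcard certificate under `/etc/letsencrypt/live/example.com/`, and that Kerio still speaks HTTPS on 444.

```nginx
# Added example (not the poster's config). Assumptions:
#   *.example.com        -> every public name pointed at this IP
#   /etc/letsencrypt/live/example.com/  -> wildcard certificate from certbot
#   127.0.0.1:444        -> Kerio, still serving HTTPS on the new port

http {
    # Host 1: webmail and Kerio as a whole.
    server {
        listen 443 ssl;
        server_name mail.example.com;

        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location / {
            proxy_pass https://127.0.0.1:444;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            # Keep the upstream timeout at a normal value; a 504 here means
            # Kerio is slow to answer and should be looked at on that side,
            # not hidden behind a very large limit.
            proxy_read_timeout 60s;
        }
    }

    # Host 2: catch-all for every other *.example.com name. The wildcard
    # certificate is valid for these names too, so the browser accepts the
    # TLS handshake and then follows a clean redirect.
    server {
        listen 443 ssl default_server;
        server_name _;

        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        return 301 https://mail.example.com$request_uri;
    }
}
```

The catch-all only avoids the certificate error for names the wildcard actually covers (`*.example.com`); a name under a different domain pointed at the same IP would still be matched by `default_server` but would fail certificate validation, since no certificate on this host can be valid for it.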