http and ssh server behind nginx


I'm very new to reverse proxies and nginx. Can you tell me if it's possible to do this?

I want to open 443 port and forward it to a linux box in my DMZ which will be running nginx. I started to read about the stream module for non-http connections.

I wanted to have this :

* []( : redirect to my Cisco ASA Anyconnect VPN
* []( : redirect to an ssh server
* []( : I don't have any web server right now but maybe in the future

From my understanding, it would be possible if it was just web servers because you have the FQDN in the headers but I will not be able to do this with stream module because there is no way to differentiate the connections.

In that case, I have to use different ports.

Am I right ?


6 thoughts on “http and ssh server behind nginx”

  1. I’m not \*completely\* certain what you’re saying about the “stream module”, but the entire point of reverse proxies seems to be what you’re trying to do – multiple addresses take connections to the same box and then that box determines where the connection needs to go. You can have all of those using port 443 only on the way in and then separate them out to an internal port for different internal boxes from Nginx.

  2. Idk…can nginx reverse proxy ssh tcp connections? I’m not aware how to do this with nginx. Perhaps it can be done however. I’m aware HA proxy has these capabilities however.

  3. You can proxy ssh, but only with the stream module not the http module (which is what you use for websites).

    The stream module doesn’t look at host headers (and ssh doesn’t send hostname), but ssh is on a different port, so that’s less of an issue. You can stream everything from that port to another host. So your ssh server. (You could just send it straight there on a router, if that’s an option, but you might prefer to use nginx.) You would want the following in your nginx.conf.

    stream {
        upstream ssh-server {
            server [SSH_SERVER_IP]:22; # where SSH_SERVER_IP is your ip address of your ssh server
        }
        server {
            listen [NGINX_SSH_PORT]; # where NGINX_SSH_PORT is port on Nginx to be forwarded to ssh server
            proxy_pass ssh-server;
        }
    }

    I’m not sure if “Cisco ASA Anyconnect VPN” would be compatible with http module for proxying by host header. It might need to be https vpn, but it might just be ssl vpn. If it is not compatible, you’ll need to use stream module again like above, and if so you won’t be able to see the hostname, and won’t be able to have anything else on that port. So you might need to move it to another port than 443 if you want to have https webservers on nginx. You would probably also need additional config on nginx so the vpn can see people’s ip.

    If you have to use stream servers and different ports for stuff, you’d probably be better with port-forwarding from your router if your router supports it. It’s similar and works better.

    If you can’t do that on your router, try stream server on nginx.

    Nginx Stream module would be better than a router if you wanted to forward non-http requests to one of multiple servers, eg DNS, (or if you had multiple ssh servers, but would need to add hash so that it gets forwarded to same ssh server). Nginx http module would be better if you had multiple http/https servers (or multiple http/https apps).

  4. You don’t have to use different ports. The reverse proxy will redirect traffic based on target to the appropriate destination.

    You can have those subdomains and tell NGINX to direct traffic to IP:PORT for each one. You’ll have a config file named for each subdomain. So vpn.conf, www.conf, remote.conf. Each one contains all the details needed for each subdomain.

    Here’s my VPN config:

    server {
        listen 443 ssl;
        ssl_certificate /etc/letsencrypt/live/domain.tld-0001/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/domain.tld-0001/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
        location / {
            proxy_pass [VPN_BACKEND_URL]; # placeholder: address (IP:PORT) of the VPN backend
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
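
An added example, not from the original post or any of the commenters: on nginx 1.15.2 or later built with `ngx_stream_ssl_preread_module`, the stream module can tell TLS from non-TLS traffic and read the SNI name from the ClientHello without terminating TLS, so SSH and several TLS services can share port 443. The hostnames and `192.0.2.x` addresses are placeholders.

```nginx
# Added example; hostnames and 192.0.2.x addresses are placeholders.
stream {
    upstream ssh_backend { server 192.0.2.10:22;  }   # SSH server
    upstream vpn_backend { server 192.0.2.20:443; }   # VPN appliance, terminates its own TLS
    upstream web_backend { server 192.0.2.30:443; }   # future HTTPS server

    # TLS clients: choose the backend from the SNI name in the ClientHello.
    map $ssl_preread_server_name $tls_backend {
        vpn.example.com  vpn_backend;
        www.example.com  web_backend;
        default          web_backend;   # unknown or missing SNI
    }

    # $ssl_preread_protocol is empty when the first bytes are not a TLS
    # ClientHello, which is the case for an SSH client banner.
    map $ssl_preread_protocol $backend {
        ""       ssh_backend;
        default  $tls_backend;
    }

    server {
        listen 443;
        ssl_preread on;        # peek at the ClientHello, do not terminate TLS
        proxy_pass $backend;
    }
}
```

Because TLS is passed through untouched, certificates stay on the backends and nginx cannot add HTTP headers such as `X-Real-IP`; each backend sees nginx's address as the client.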

