I have seen this very thing before somewhere on the internet, and evidently this scenario works (thankfully it is for my personal environment). But I am going to ask the community at large. My main reason for putting IIS behind a Nginx reverse proxy would be more for IP address reduction and the security that they provide. Though proxying is all I want Nginx doing. I want IIS to handle as much as it can. I would love to hear your experiences on getting Certify working behind Nginx. Thanks.
It depends if nginx is running on the same server to some extent. If it is, then it will take exclusive use of port 80 (MS servers instead share via http.sys) and you won’t be able to take advantage of the built in http challenge server (which uses http.sys to listen for /.well-known/acme-challenge/ requests), although you can still use the fallback IIS config. If you’re using DNS validation then it doesn’t matter.
Naturally your nginx front end will need to know about all the right certificates for your domains so you’ll currently need Scripting to export certificates to nginx on renewal.
Personally I’d just put cloudflare (free) in front of it and not bother with nginx at all.
Good to know. If Nginx is running on a different machine, probably OpenSUSE, then does that make a difference? I will also have cloudflare in front of it, as well, though.
If nginx is on another machine then Certify will work normally as long as when Let’s Encrypt performs http validation it can get through to the backend server OK (even if it’s proxied).
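To make the two requirements from the replies above concrete (the http-01 challenge must reach the IIS backend unchanged, and nginx needs a copy of the certificate Certify renewed), here is an nginx configuration for the separate-host layout. This is an added example written for this thread, not configuration from the original posts or from the Certify project; the backend IP `192.0.2.10`, the hostname `www.example.com` and the certificate paths under `/etc/nginx/certs/` are assumptions to be replaced with your own values.

```nginx
# Added example, not from the thread. Assumed values: backend IIS host 192.0.2.10,
# site www.example.com, PEM files exported by a Certify post-renewal script.

upstream iis_backend_http {
    server 192.0.2.10:80;    # IIS plain-HTTP binding (assumed address)
}

upstream iis_backend_https {
    server 192.0.2.10:443;   # IIS HTTPS binding using the cert Certify installed (assumed)
}

server {
    listen 80;
    server_name www.example.com;

    # Let's Encrypt http-01 requests must reach IIS untouched so Certify's
    # challenge listener (http.sys) or the IIS fallback config can answer them.
    # ^~ stops nginx from matching any regex location first.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://iis_backend_http;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else goes to HTTPS. Doing the redirect here, rather than in IIS,
    # avoids a redirect loop: IIS would otherwise see plain HTTP from the proxy
    # and bounce the request back to https:// again.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Certificate exported on renewal by Certify scripting (paths are assumptions).
    # nginx must be reloaded after each export to pick up the new files.
    ssl_certificate     /etc/nginx/certs/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Re-encrypt to IIS so the hop between the two machines is not plaintext.
        proxy_pass https://iis_backend_https;
        proxy_ssl_server_name on;       # send SNI so IIS picks the right binding
        proxy_set_header Host $host;    # keep the original host so IIS site headers match
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The `/.well-known/acme-challenge/` location is the part that keeps Certify working: validation requests arrive at nginx on port 80 and are forwarded to IIS exactly as they would have arrived without the proxy. If Cloudflare sits in front as well, its proxy must likewise let those requests through to nginx. For the 443 hop, `proxy_ssl_verify on` together with `proxy_ssl_trusted_certificate` can be added once the backend presents a certificate nginx can validate; without it nginx encrypts the connection but does not check the IIS certificate.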
If all of your traffic is proxied through cloudflare they do provide a certificate for you, so you may not really need Certify in that case (except to provide https communication to cloudflare).
Chaining cloudflare to nginx and then to IIS is quite a complex setup mind you, so I’d only do that if you really need it. It would be useful if you want different URL endpoints to proxy to different servers. I’m not aware of any actual security benefit.
I use CloudFlare for mostly domain registration and DNS management. The main reason why I would have the proxy is to keep from needing a ton of IPs. Basically I am going to have one IIS server and then a NextCloud server. But thanks for the advice. I will definitely see what I come up with. I don’t think it will happen until next month, though. I will probably write a blog post about it.
I use the opposite scenario: IIS is both the web server and reverse proxy (for OpenSuse). I have a single IP (dynamic) and multiple web sites on a single certificate installed on the Windows server. IIS handles all redirections to SSL from port 80 and matching site headers.
Having an additional layer seems like it’s adding complications, but maybe your configuration is better served by it.