TL;DR

  • Point portal.test.privsec.ch to the main gateway IP.
  • Use SAN or separate certs for espodev and portal.
  • Ensure Host/SNI are preserved across proxies.
  • Set EspoCRM Portal Custom URL to the portal domain.

Target Flow

Internet
  -> proxymain :443 (TLS, SNI, LE cert)
    -> proxytest 127.0.0.1:7701 (SNI verify)
      -> sidecar :2001 (internal TLS)
        -> app :8080 (EspoCRM HTTP)

1) DNS and TLS

  • DNS: A portal.test.privsec.ch -> public IP of proxymain.
  • Certs:
    • Test: single SAN cert for espodev and portal.
    • Prod: separate certs per hostname.

Verify internal TLS (SNI):

openssl s_client -connect 127.0.0.1:22901 -servername portal.test.privsec.ch -brief </dev/null

2) NGINX Chain

proxymain (edge)

  • proxy_pass http://127.0.0.1:7701;
  • Preserve Host and X-Forwarded-* headers.
  • proxy_redirect off;

proxytest (hop 2)

  • proxy_pass https://127.0.0.1:22901;
  • proxy_ssl_server_name on;
  • proxy_ssl_name $host;
  • proxy_ssl_verify on;

sidecar (internal TLS)

  • server_name espodev.test.privsec.ch portal.test.privsec.ch;
  • proxy_pass http://127.0.0.1:8080;
  • proxy_set_header Host $host;
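
The three hops above written out as server blocks, each for the http context of its own NGINX instance. This is an added example, not configuration from the original notes. Assumed here: all certificate and CA file paths, the edge serving both hostnames, the sidecar listen port, the overwrite of X-Forwarded-For at the edge, and the catch-all server on hop 2.

```nginx
# proxymain (edge): terminates public TLS, forwards to hop 2 over loopback HTTP
server {
    listen 443 ssl;
    server_name espodev.test.privsec.ch portal.test.privsec.ch;  # assumed: edge serves both names
    ssl_certificate     /etc/nginx/tls/edge-fullchain.pem;       # placeholder path
    ssl_certificate_key /etc/nginx/tls/edge-privkey.pem;         # placeholder path
    location / {
        proxy_pass http://127.0.0.1:7701;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;  # overwrite, do not trust a client-sent value
        proxy_set_header X-Forwarded-Proto $scheme;       # "https" on this hop
        proxy_redirect off;
    }
}

# proxytest (hop 2): re-encrypts to the sidecar and verifies its certificate
server {
    listen 127.0.0.1:7701;
    server_name espodev.test.privsec.ch portal.test.privsec.ch;
    location / {
        proxy_pass https://127.0.0.1:22901;
        proxy_ssl_server_name on;   # send SNI to the sidecar
        proxy_ssl_name $host;       # SNI value and the name checked against the sidecar cert
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;  # placeholder; trust anchor for verify
        proxy_set_header Host              $host;
        # Pass the edge's value through; $scheme would be "http" on this hop
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}

# Assumed hardening: unlisted Host values stop here instead of becoming an upstream SNI name
server {
    listen 127.0.0.1:7701 default_server;
    return 444;
}

# sidecar (internal TLS): its certificate must cover both names for the verify on hop 2
server {
    listen 22901 ssl;   # taken from the proxy_pass target above; the flow diagram lists :2001
    server_name espodev.test.privsec.ch portal.test.privsec.ch;
    ssl_certificate     /etc/nginx/tls/internal-fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/internal-privkey.pem;    # placeholder path
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
    }
}
```

Run nginx -t on each instance after editing; the openssl s_client check from section 1 then confirms the sidecar presents a certificate matching the SNI name.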

3) EspoCRM Settings

  • Site URL: https://espodev.test.privsec.ch
  • Portal Custom URL: https://portal.test.privsec.ch
  • Outbound Email: verify SMTP; send a test email.
  • Clear Cache after URL changes.

4) Portal Visibility

  • Portals -> Layouts -> Navigation: enable portal tabs.
  • Portals -> Layouts -> Dashboards: add widgets as needed.

Notes

  • If you get redirect loops, verify X-Forwarded-Proto and Host headers.
  • Keep portal and CRM URLs distinct to avoid token confusion.