Approach to have 2 IPs with nginx as reverse proxy

We have two public IPs:

PurposeIPPort
Websites (Apache/Nginx)51.210.247.10280 (HTTP), optionally 443 if you want)
ISPConfig admin panel51.210.247.102443 (HTTPS)
stunnel (OpenVPN / other TCP)5.135.106.93443

1️⃣ Traffic separation

  • Main IP (51.210.247.102): receives HTTPS requests for ISPConfig and normal HTTP/HTTPS for websites

  • Additional IP (5.135.106.93): only receives stunnel traffic (OpenVPN wrapped in TLS)

This works because:

  • Linux binds sockets to specific IPs.

  • No port conflict occurs because 443 on each IP is independent.

2️⃣ Practical layout

 
[ Internet ] | |---- 51.210.247.102:443 ---> nginx / Apache reverse proxy | |---> Websites (127.0.0.1:8080) | |---> ISPConfig admin (127.0.0.1:8081) | |---- 5.135.106.93:443 ---> stunnel ---> OpenVPN (127.0.0.1:1195)

Notes:

  • Nginx / Apache on the main IP decides whether a connection is for ISPConfig or website.

  • stunnel only listens on the secondary IP — traffic is separate.

  • Both services can use port 443 because they bind to different IPs.

3️⃣ Example nginx setup (Main IP)

a) Websites

 
server { listen 51.210.247.102:80; server_name example.com www.example.com; root /var/www/html; index index.php index.html; }

b) ISPConfig admin panel (HTTPS)

 
server { listen 51.210.247.102:443 ssl; server_name panel.example.com; ssl_certificate /etc/letsencrypt/live/panel.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/panel.example.com/privkey.pem; location / { proxy_pass http://127.0.0.1:8081; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto https; } }

4️⃣ stunnel setup (Secondary IP)

/etc/stunnel/stunnel.conf:

 
pid = /var/run/stunnel.pid cert = /etc/stunnel/stunnel.pem foreground = yes [openvpn] accept = 5.135.106.93:443 connect = 127.0.0.1:1195

  • Listens only on secondary IP

  • Forwards to local OpenVPN on 1195

5️⃣ Firewall

 
# Main IP sudo ufw allow 51.210.247.102/32 proto tcp to any port 80,443 # Secondary IP (stunnel) sudo ufw allow 5.135.106.93/32 proto tcp to any port 443

  • Only those IPs respond on respective ports

  • No collisions

6️⃣ Advantages of this setup

  • Clear separation of web, panel, VPN

  • ISPConfig admin can safely run on 443 of main IP

  • stunnel doesn’t interfere with web traffic

  • Easy to scale if you later add more IPs / VPNs

2026Stable CORE

Search form