Reverse-Proxy (old version): Difference between revisions

The ReverseProxy is reachable under 192.168.88.9 which is located in the ServerVLAN. Every incoming packages from outside are forwarded to this IP.

The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a WildCard-Certificate.

Used software:

• NGINX (ReverseProxy)
• certbot (Certificates)
• Authelia (Login-Portal)

Basic Setup

NGINX

Install NGINX and NGINX-Extra

apt install nginx nginx-extras

Deactivate Standard-Site (no Web-Server)

unlink /etc/nginx/sites-enabled/default

Create and paste reverse-proxy.conf

cd /etc/nginx/sites-available
nano reverse-proxy.conf

Activate configuration

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

Check if configuration is legit

nginx -t

Reload configuration

nginx -s reload

certbot

Install Certbot

apt install certbot

Download acme-dns-auth.py-Script

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Change first line of script from #!/usr/bin/env python to

#!/usr/bin/env python3

Move file to /etc/letsencrypt/

mv acme-dns-auth.py /etc/letsencrypt/

Set permissions to run script

chmod +x acme-dns-auth.py

Generate certificate manually

Wildcard-Certificate

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at

Sub-Domain-Certificate

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at

Follow the questions of the script and create an cname-record.

Path to all certificates:

cd /etc/letsencrypt/live/

Test manually if certificate renewal works

certbot renew --dry-run

Check if auto-renewal ist activated

systemctl list-timers

For security reasons and convenience, the login portal Authelia will be installed.

• Install Authelia
• Authelia.yaml

Sources

• DigitalOcean