Reverse-Proxy (old version): Difference between revisions

From FlowerHouseWiki
No edit summary
m (Tropaion moved page Reverse-Proxy to Reverse-Proxy (old version))
 
(87 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{ContainerInfo
{{ContainerInfo
|title = NextCloud-LXC
|title = Reverse-Proxy-LXC
|image = Reverse proxy.png
|image = Reverse proxy.png
|Domain = [https://cloud.flowerhouse.at cloud.flowerhouse.at]
|MAC = 56:59:71:B1:85:BC
|IP = 192.168.88.9
|IP = 192.168.88.3
|Privileged = No
|Privileged = No
|OS = Debian Bullseye
|RAM = 1024MB
|Cores = 1
|Files = [[configuration.yml]]<br>[[users_database.yml]]<br>[[authelia_portal.conf]]<br>[[protected_endpoint.conf]]<br>[[UpdateAuthelia.sh]]
}}
}}
<p>The ReverseProxy is reachable under <syntaxhighlight lang="Bash" inline>192.168.88.9</syntaxhighlight> which is located in the ServerVLAN. Every incoming packages from outside are forwarded to this IP.</p>
<p>The ReverseProxy is reachable under <syntaxhighlight lang="Bash" inline>192.168.88.3</syntaxhighlight> which is located in the ServerVLAN.</p>
<p>The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a WildCard-Certificate.</p>
<p>Every incoming packages from outside are forwarded to this IP.</p>
<p>Used software:</p>
<p>The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a SSL-Certificate.</p>
* [https://www.nginx.com/ NGINX] (ReverseProxy)
* [https://certbot.eff.org/ certbot] (Certificates)
* [https://www.authelia.com/ Authelia] (Login-Portal)
__TOC__
__TOC__
== Basic Setup ==
== Basic Setup ==
=== NGINX ===
=== Nginx Proxy Manager ===
<p>Install NGINX and NGINX-Extra</p>
<p>Download installation script and run it</p>
<syntaxhighlight lang="console">apt install nginx nginx-extras</syntaxhighlight>
<syntaxhighlight lang="console">
<p>Deactivate Standard-Site (no Web-Server)</p>
wget --no-cache -qO - https://raw.githubusercontent.com/ej52/proxmox/main/lxc/nginx-proxy-manager/setup.sh | sh
<syntaxhighlight lang="console">unlink /etc/nginx/sites-enabled/default</syntaxhighlight>
</syntaxhighlight>
<p>Create and paste [[reverse-proxy.conf]]</p>
<p>After installation, the webinterface should be reachable, standard login is</p>
<syntaxhighlight lang="console" line>cd /etc/nginx/sites-available
<syntaxhighlight lang="console" line>
nano reverse-proxy.conf</syntaxhighlight>
Email:    admin@example.com
<p>Activate configuration</p>
Password: changeme
<syntaxhighlight lang="console">ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf</syntaxhighlight>
</syntaxhighlight>
<p>Check if configuration is legit</p>
<syntaxhighlight lang="console">nginx -t</syntaxhighlight>
<p>Reload configuration</p>
<syntaxhighlight lang="console">nginx -s reload</syntaxhighlight>


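Review bot: the new install step `wget --no-cache -qO - https://raw.githubusercontent.com/ej52/proxmox/main/lxc/nginx-proxy-manager/setup.sh | sh` executes an unpinned script fetched from a `main` branch as root with nothing verifying its contents; suggest downloading it to a file, reading it, and pinning to a tagged release or commit before running it. The same URL also disagrees with the Sources entry, which points at `ej52/proxmox-scripts`, so one of the two needs correcting. The default web login shown right after (`admin@example.com` / `changeme`) is never followed by a step to change it; add that as the first action after the web interface is reachable.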
=== certbot ===
=== Update ===
<p>Install Certbot</p>
<p>Update NPM with following command</p>
<syntaxhighlight lang="console">apt install certbot</syntaxhighlight>
<syntaxhighlight lang="console">
<p>Download [https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py acme-dns-auth.py]-Script</p>
wget --no-cache -qO - https://raw.githubusercontent.com/ej52/proxmox/main/lxc/nginx-proxy-manager/setup.sh | sh
<syntaxhighlight lang="console">wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py</syntaxhighlight><p>Change first line of script from <code>#!/usr/bin/env python</code> to</p>
</syntaxhighlight>
<syntaxhighlight lang="console">#!/usr/bin/env python3</syntaxhighlight>
<p>Move file to <code>/etc/letsencrypt/</code></p>
<syntaxhighlight lang="console">mv acme-dns-auth.py /etc/letsencrypt/</syntaxhighlight>
<p>Set permissions to run script</p>
<syntaxhighlight lang="console">chmod +x acme-dns-auth.py</syntaxhighlight>
<p><strong>Generate certificate manually</strong></p>
<p>Wildcard-Certificate</p>
<syntaxhighlight lang="console">certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at</syntaxhighlight>
<p>Sub-Domain-Certificate</p>
<syntaxhighlight lang="console">certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at</syntaxhighlight>
<p>Follow the questions of the script and create an cname-record.</p>
<p>Path to all certificates:</p>
<syntaxhighlight lang="console">cd /etc/letsencrypt/live/</syntaxhighlight>
<p>Test manually if certificate renewal works</p>
<syntaxhighlight lang="console">certbot renew --dry-run</syntaxhighlight>
Check if auto-renewal ist activated</p>
<syntaxhighlight lang="console">systemctl list-timers</syntaxhighlight>


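Review bot: the replacement "Update" section reuses the identical `wget ... setup.sh | sh` line as the install, so a reader cannot tell whether re-running it keeps the existing NPM hosts and certificates or reinstalls from scratch; state what the script does on an existing install. With the certbot/acme-dns section removed, the page also no longer says how the SSL certificate promised in the intro is obtained; a sentence noting that certificates are now requested from within Nginx Proxy Manager would close that gap.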
== Authelia ==
== Authelia ==
For security reasons and convenience, the login portal Authelia will be installed.
For security reasons and convenience, the login portal Authelia will be installed.


=== Requirements ===
* [https://docs.mongodb.com/manual/tutorial/install-mongodb-on-debian MongoDB]
* [https://linuxize.com/post/how-to-install-and-configure-redis-on-debian-10/ Redis-Server]
==== Mongo-DB ====
<p>Add sources for MongoDB</p>
<syntaxhighlight lang="console">apt-get install gnupg</syntaxhighlight>
<syntaxhighlight lang="console">wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -</syntaxhighlight>
<syntaxhighlight lang="console">echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" | tee /etc/apt/sources.list.d/mongodb-org-4.4.list</syntaxhighlight>
<syntaxhighlight lang="console">apt-get update</syntaxhighlight>
<p>Install MongoDB</p>
<syntaxhighlight lang="console">apt-get install -y mongodb-org</syntaxhighlight>
<p>Start MongoDB</p>
<syntaxhighlight lang="console">systemctl start mongod</syntaxhighlight>
<syntaxhighlight lang="console">systemctl status mongod</syntaxhighlight>
<p>Enable MongoDB&nbsp;</p>
<syntaxhighlight lang="console">systemctl enable mongod</syntaxhighlight>
==== Redis-Server ====
==== Redis-Server ====
<p>Install Redis with the following command:</p>
<syntaxhighlight lang="console">apt install redis-server</syntaxhighlight>
<syntaxhighlight lang="console">apt install redis-server</syntaxhighlight>
<>Check if server is running</p>
 
<syntaxhighlight lang="console">systemctl status redis-server</syntaxhighlight>
<p>After installing Redis, start redis service and enable it to start after system reboot with the following command:</p>
<syntaxhighlight lang="console" line>
systemctl start redis-server
systemctl enable redis-server
</syntaxhighlight>
 
<p>Verify the status of the redis server:</p>
<syntaxhighlight lang="console">
systemctl status redis-server
</syntaxhighlight>
 
<p>By default, Redis listening on the localhost on port 6379. You can check it with the following command:</p>
<syntaxhighlight lang="console">
ps -ef | grep redis
</syntaxhighlight>
 
<p>Open Redis Config and set passphrase for redis server, which is needed in the authelia configuration file. Find <code># requirepass</code> in line 790 and change it <code>requirepass "my_redis_password"</code></p>
<syntaxhighlight lang="console" line>
nano /etc/redis/redis.conf
</syntaxhighlight>
 
<p>Restart redis to apply config</p>
<syntaxhighlight lang="console" line>
systemctl restart redis
</syntaxhighlight>
 
<p>Test if passphrase is working correctly and exit</p>
<syntaxhighlight lang="console" line>
redis-cli
AUTH yourpassword
exit
</syntaxhighlight>


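Review bot: in the Redis steps, `AUTH yourpassword` typed at the `redis-cli` prompt is written to the redis-cli history file in clear text, so either clear that history afterwards or test the password with a command that does not echo it; the instruction to find `# requirepass` "in line 790" will also drift between Redis versions, so point the reader at the directive name rather than a line number. The restart uses the unit name `redis` while every other command uses `redis-server`; keep one name. The new Requirements list drops MongoDB but the text does not say what Authelia now uses for storage, which the linked [[configuration.yml]] must match.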
=== Installation ===
=== Installation ===
<syntaxhighlight lang="console">wget https://github.com/authelia/authelia/releases/download/v4.26.1/authelia-linux-amd64.tar.gz</syntaxhighlight>
<p>Download and install package file:</p>
<syntaxhighlight lang="console">tar -xzf authelia-linux-amd64.tar.gz</syntaxhighlight>
<syntaxhighlight lang="console" line>
<syntaxhighlight lang="console">rm authelia-linux-amd64.tar.gz</syntaxhighlight>
wget https://github.com/authelia/authelia/releases/download/v4.36.3/authelia_v4.36.3_amd64.deb
<p>Authelia-Paths:</p>
apt install ./authelia_v4.36.3_amd64.deb
* Installation: /usr/bin/authelia
</syntaxhighlight>
* Config-Path: /etc/authelia/configuration.yml
 
* Service-Path: /etc/systemd/system
==== configuration.yml ====
<p>Edit onfiguration file, modify and paste [[configuration.yml]]</p>
<syntaxhighlight lang="console">
nano /etc/authelia/configuration.yml
</syntaxhighlight>
 
<p>Restrict permissions for the configuration file</p>
<syntaxhighlight lang="console">
chmod 0600 /etc/authelia/configuration.yml
</syntaxhighlight>
 
==== users_database.yml ====
<p>Create users_database, modify and paste [[users_database.yml]]</p>
<syntaxhighlight lang="console">
nano /etc/authelia/users_database.yml
</syntaxhighlight>
 
<p>Password hash can be generated with following command</p>
<syntaxhighlight lang="console">
/usr/bin/authelia hash-password 'yourpassword' -i1 -k32 -l16 -m256 -p8
</syntaxhighlight>
 
<p>Restrict permissions for the users_database</p>
<syntaxhighlight lang="console">
chmod 0600 /etc/authelia/users_database.yml
</syntaxhighlight>
 
<p>Start authelia and check status</p>
<syntaxhighlight lang="console" line>
systemctl start authelia
systemctl status authelia
</syntaxhighlight>
 
<p>Enable authelia at boot</p>
<syntaxhighlight lang="console">
systemctl enable authelia
</syntaxhighlight>
 
=== Update ===
To update authelia, I made an bash script: [[UpdateAuthelia.sh]]
 
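Review bot: `/usr/bin/authelia hash-password 'yourpassword' ...` passes the cleartext password as a command-line argument, so it lands in the shell history and is visible in the process list while it runs; suggest noting that and clearing the history entry. The `chmod 0600` lines are right, but they only work if the files are owned by the account the authelia unit runs as, so add a `chown` or a check of the owner next to them. The `.deb` is fetched from the pinned release `v4.36.3` without a checksum comparison; compare it against the checksum published with the GitHub release before `apt install`.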
== Configure Nginx Proxy Manager ==
<p>Create Proxy-Host for Authelia:</p>
* auth.flowerhouse.at -> Scheme: http, Forward IP: 192.168.88.3, Port: 9091
* Chache Assests: On, Block Common Exploits: On
* At the advanced tab add content of file [[authelia_portal.conf]]


* [[Authelia.yaml]]
<p>To enable the login portal for a host, go to the advanced tab and add the contenct of [[protected_endpoint.conf]]</p>
* Line 3, 33 and 34 needs to be edited


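Review bot: the stray bullet `* [[Authelia.yaml]]` sits between the proxy-host list and the next paragraph with no sentence introducing it and no other reference to such a file on the page (the infobox lists configuration.yml instead); either drop it or say what it is. "Chache Assests" should read "Cache Assets", and "Line 3, 33 and 34 needs to be edited" ties the instructions to line numbers in [[protected_endpoint.conf]] that will shift as that file changes; name the settings to edit instead.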
== Sources ==
== Sources ==
* [https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-dns-validation-with-acme-dns-certbot-on-ubuntu-18-04 DigitalOcean]
* [https://nginxproxymanager.com/ Nginx Proxy Manager] (ReverseProxy)
* [https://github.com/ej52/proxmox-scripts/tree/main/lxc/nginx-proxy-manager Nginx Proxy Manager Install Script]
* [https://github.com/authelia/authelia/releases/ Authelia GitHub] (Login-Portal)
* [https://github.com/ibracorp/authelia#authelia Set up Authelia with Nginx Proxy Manager]

Latest revision as of 20:47, 11 February 2023

Reverse-Proxy-LXC
(image: Reverse proxy.png)

Network
IP: 192.168.88.3
MAC: 56:59:71:B1:85:BC

System
OS: Debian Bullseye
Files: configuration.yml, users_database.yml, authelia_portal.conf, protected_endpoint.conf, UpdateAuthelia.sh
RAM: 1024MB
Cores: 1
Privileged: No

The ReverseProxy is reachable under 192.168.88.3, which is located in the ServerVLAN.

Every incoming packet from outside is forwarded to this IP.

The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide an SSL certificate.

Basic Setup

Nginx Proxy Manager

Download the installation script and run it

wget --no-cache -qO - https://raw.githubusercontent.com/ej52/proxmox/main/lxc/nginx-proxy-manager/setup.sh | sh

After installation, the web interface should be reachable; the default login is

Email:    admin@example.com
Password: changeme

Update

Update NPM with the following command

wget --no-cache -qO - https://raw.githubusercontent.com/ej52/proxmox/main/lxc/nginx-proxy-manager/setup.sh | sh

Authelia

For security reasons and convenience, the login portal Authelia will be installed.

Redis-Server

Install Redis with the following command:

apt install redis-server

After installing Redis, start the Redis service and enable it to start after a system reboot with the following commands:

systemctl start redis-server
systemctl enable redis-server

Verify the status of the Redis server:

systemctl status redis-server

By default, Redis listens on localhost on port 6379. You can check it with the following command:

ps -ef | grep redis

Open the Redis config and set a passphrase for the Redis server; it is needed in the Authelia configuration file. Find # requirepass in line 790 and change it to requirepass "my_redis_password"

nano /etc/redis/redis.conf

Restart Redis to apply the config

systemctl restart redis

Test that the passphrase works, then exit

redis-cli
AUTH yourpassword
exit

Installation

Download and install the package file:

wget https://github.com/authelia/authelia/releases/download/v4.36.3/authelia_v4.36.3_amd64.deb
apt install ./authelia_v4.36.3_amd64.deb

configuration.yml

Edit the configuration file: modify and paste configuration.yml

nano /etc/authelia/configuration.yml

Restrict permissions for the configuration file

chmod 0600 /etc/authelia/configuration.yml

users_database.yml

Create the users database: modify and paste users_database.yml

nano /etc/authelia/users_database.yml

A password hash can be generated with the following command

/usr/bin/authelia hash-password 'yourpassword' -i1 -k32 -l16 -m256 -p8

Restrict permissions for the users database

chmod 0600 /etc/authelia/users_database.yml

Start Authelia and check its status

systemctl start authelia
systemctl status authelia

Enable Authelia at boot

systemctl enable authelia
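As an added check, not part of the wiki page, the following POSIX shell script verifies the hardening steps above after the fact: that redis.conf carries a real requirepass (not the "my_redis_password" placeholder) and binds only to loopback, and that the Authelia configuration and users database are mode 0600. The function names are this example's own, the paths in report_all are the ones used on this page, and the mode check assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the wiki): post-install checks for the Redis and
# Authelia hardening steps on this page. Function names are this example's own.

# Succeed if the file mode is exactly 0600 (owner read/write only). Assumes GNU stat.
mode_is_0600() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Succeed if redis.conf has an uncommented requirepass whose value is not the
# "my_redis_password" placeholder from the wiki text. The last directive wins,
# as it does in Redis itself.
redis_requirepass_set() {
    pass=$(sed -n 's/^[[:space:]]*requirepass[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    [ -n "$pass" ] && [ "$pass" != "my_redis_password" ]
}

# Succeed if every address on the last bind line is a loopback address, so the
# port 6379 mentioned above is not reachable from the ServerVLAN. A missing
# bind line means Redis listens on all interfaces, which fails the check.
redis_bound_to_localhost() {
    bind=$(sed -n 's/^[[:space:]]*bind[[:space:]]\{1,\}//p' "$1" | tail -n 1)
    [ -n "$bind" ] || return 1
    for addr in $bind; do
        case "$addr" in
            127.*|-127.*|::1|-::1|localhost) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print PASS/FAIL for the paths used on this page.
report_all() {
    for check in "mode_is_0600 /etc/authelia/configuration.yml" \
                 "mode_is_0600 /etc/authelia/users_database.yml" \
                 "redis_requirepass_set /etc/redis/redis.conf" \
                 "redis_bound_to_localhost /etc/redis/redis.conf"; do
        if $check; then echo "PASS $check"; else echo "FAIL $check"; fi
    done
}

# Run the report only when invoked as: sh check-hardening.sh --report
if [ "${1:-}" = "--report" ]; then report_all; fi
```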

Update

To update authelia, I made a bash script: UpdateAuthelia.sh

Configure Nginx Proxy Manager

Create a Proxy Host for Authelia:

  • auth.flowerhouse.at -> Scheme: http, Forward IP: 192.168.88.3, Port: 9091
  • Cache Assets: On, Block Common Exploits: On
  • On the Advanced tab, add the content of the file authelia_portal.conf

To enable the login portal for a host, go to the Advanced tab and add the content of protected_endpoint.conf

  • Lines 3, 33 and 34 need to be edited

Sources