Reverse-Proxy (old version): Difference between revisions
No edit summary |
No edit summary |
||
Line 12: | Line 12: | ||
<p>Every incoming packages from outside are forwarded to this IP.</p> | <p>Every incoming packages from outside are forwarded to this IP.</p> | ||
<p>The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a WildCard-Certificate.</p> | <p>The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a WildCard-Certificate.</p> | ||
<p>Files: [[reverse-proxy.conf]] | |||
__TOC__ | __TOC__ | ||
== Basic Setup == | == Basic Setup == |
Revision as of 18:39, 20 February 2021
IP: | 192.168.88.9 |
---|---|
MAC: | 56:59:71:B1:85:BC |
OS: | Debian Buster |
---|---|
RAM: | 1024MB |
Cores: | 1 |
Privileged: | No |
The ReverseProxy is reachable under 192.168.88.9
which is located in the ServerVLAN.
Every incoming packages from outside are forwarded to this IP.
The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a WildCard-Certificate.
Files: reverse-proxy.conf
Basic Setup
NGINX
Install NGINX and NGINX-Extra
apt install nginx nginx-extras
Deactivate Standard-Site (no Web-Server)
unlink /etc/nginx/sites-enabled/default
Create and paste reverse-proxy.conf
cd /etc/nginx/sites-available
nano reverse-proxy.conf
Activate configuration
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
Check if configuration is legit
nginx -t
Reload configuration
nginx -s reload
certbot
Install Certbot
apt install certbot
Download acme-dns-auth.py-Script
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
Change first line of script from #!/usr/bin/env python
to
#!/usr/bin/env python3
Move file to /etc/letsencrypt/
mv acme-dns-auth.py /etc/letsencrypt/
Set permissions to run script
chmod +x acme-dns-auth.py
Generate certificate manually
Wildcard-Certificate
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at
Sub-Domain-Certificate
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at
Follow the questions of the script and create an cname-record.
Path to all certificates:
cd /etc/letsencrypt/live/
Test manually if certificate renewal works
certbot renew --dry-run
Check if auto-renewal ist activated
systemctl list-timers
Authelia
For security reasons and convenience, the login portal Authelia will be installed.
Requirements
Mongo-DB
Add sources for MongoDB
apt-get install gnupg
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | apt-key add -
echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.4 main" | tee /etc/apt/sources.list.d/mongodb-org-4.4.list
apt-get update
Install MongoDB
apt-get install -y mongodb-org
Start MongoDB
systemctl start mongod
systemctl status mongod
Enable MongoDB
systemctl enable mongod
Redis-Server
apt install redis-server
<>Check if server is running
systemctl status redis-server
Installation
wget https://github.com/authelia/authelia/releases/download/v4.26.1/authelia-linux-amd64.tar.gz
tar -xzf authelia-linux-amd64.tar.gz
rm authelia-linux-amd64.tar.gz
Authelia-Paths:
- Installation: /usr/bin/authelia
- Config-Path: /etc/authelia/configuration.yml
- Service-Path: /etc/systemd/system
Sources
- DigitalOcean
- NGINX (ReverseProxy)
- certbot (Certificates)
- Authelia (Login-Portal)