Reverse-Proxy (old version)
| IP: | 192.168.88.9 |
|---|---|
| MAC: | 56:59:71:B1:85:BC |
| OS: | Debian Buster |
|---|---|
| Files: | reverse-proxy.conf |
| RAM: | 1024MB |
| Cores: | 1 |
| Privileged: | No |
The ReverseProxy is reachable under 192.168.88.9 which is located in the ServerVLAN.
Every incoming packages from outside are forwarded to this IP.
The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a WildCard-Certificate.
Basic Setup
NGINX
Install NGINX and NGINX-Extra
apt install nginx nginx-extras
Deactivate Standard-Site (no Web-Server)
unlink /etc/nginx/sites-enabled/default
Create and paste reverse-proxy.conf
cd /etc/nginx/sites-available
nano reverse-proxy.conf
Activate configuration
ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf
Check if configuration is legit
nginx -t
Reload configuration
nginx -s reload
certbot
Install Certbot
apt install certbot
Download acme-dns-auth.py-Script
wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
Change first line of script from #!/usr/bin/env python to
#!/usr/bin/env python3
Move file to /etc/letsencrypt/
mv acme-dns-auth.py /etc/letsencrypt/
Set permissions to run script
chmod +x acme-dns-auth.py
Generate certificate manually
Wildcard-Certificate
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at
Sub-Domain-Certificate
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at
Follow the questions of the script and create an cname-record.
Path to all certificates:
cd /etc/letsencrypt/live/
Test manually if certificate renewal works
certbot renew --dry-run
Check if auto-renewal ist activated
systemctl list-timers
Authelia
For security reasons and convenience, the login portal Authelia will be installed.
Redis-Server
Install Redis with the following command:
apt install redis-server
After installing Redis, start redis service and enable it to start after system reboot with the following command:
systemctl start redis-server
systemctl enable redis-server
Verify the status of the redis server:
systemctl status redis-server
By default, Redis listening on the localhost on port 6379. You can check it with the following command:
ps -ef | grep redis
SMTP-Server
Install mailutils and postfix:
apt install mailutils postfix
Test if SMTP-Server is working:
echo "This is the body of the email" | mail -s "This is the subject line" your_email_address
Installation
Download, unzip and rename latest Authelia archive:
cd /usr/bin
wget https://github.com/authelia/authelia/releases/download/v4.26.2/authelia-linux-amd64.tar.gz
tar -xzf authelia-linux-amd64.tar.gz
rm authelia-linux-amd64.tar.gz
mv ./authelia-linux-amd64 ./authelia
After unzipping, the service file authelia.service has to be moved:
mv authelia.service /etc/systemd/system/
Create folder for the authelia configuration file:
mkdir /etc/authelia
cd /etc/authelia
Move the unzipped file config.template.yml to the created folder:
mv config.template.yml /etc/authelia/
Copy template configuration and edit it:
cp config.template.yml configuration.yml
nano configuration.yml
Start authelia and check status:
systemctl start authelia
systemctl status authelia
Feb 22 19:07:11 ReverseProxy systemd[6259]: authelia.service: Failed to execute command: No such file or directory Feb 22 19:07:11 ReverseProxy systemd[6259]: authelia.service: Failed at step EXEC spawning /usr/bin/authelia: No such file or directory ExecStart=/usr/bin/authelia --config /etc/authelia/configuration.yml
Authelia-Paths:
- Installation: /etc/authelia
- Config-Path: /etc/authelia/configuration.yml
- Service-Path: /etc/systemd/system
Sources
- NGINX (ReverseProxy)
- DigitalOcean (LetsEncrypt)
- certbot (Certificates)
- Authelia (Login-Portal)
- Redis-Server
