Reverse-Proxy (old version)

From FlowerHouseWiki
Revision as of 00:56, 5 August 2021 by Tropaion (talk | contribs)
Reverse-Proxy-LXC
Reverse proxy.png

Network


IP: 192.168.88.3
MAC: 56:59:71:B1:85:BC

System


OS: Debian Buster
Files: reverse-proxy.conf
RAM: 1024MB
Cores: 1
Privileged: No

The ReverseProxy is reachable under 192.168.88.3 which is located in the ServerVLAN.

Every incoming packages from outside are forwarded to this IP.

The ReverseProxy also forces outside connections to use HTTPS/SSL and will provide a SSL-Certificate.

Basic Setup

Nginx Proxy Manager

Install NGINX and NGINX-Extra

apt install nginx nginx-extras

Deactivate Standard-Site (no Web-Server)

unlink /etc/nginx/sites-enabled/default

Create and paste reverse-proxy.conf

cd /etc/nginx/sites-available
nano reverse-proxy.conf

Activate configuration

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

Check if configuration is legit

nginx -t

Reload configuration

nginx -s reload

certbot

Install Certbot

apt install certbot

Download acme-dns-auth.py-Script

wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py

Change first line of script from #!/usr/bin/env python to

#!/usr/bin/env python3

Move file to /etc/letsencrypt/

mv acme-dns-auth.py /etc/letsencrypt/

Set permissions to run script

chmod +x acme-dns-auth.py

Generate certificate manually

Wildcard-Certificate

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d \*.flowerhouse.at

Sub-Domain-Certificate

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d subdomain.flowerhouse.at

Follow the questions of the script and create an cname-record.

Path to all certificates:

cd /etc/letsencrypt/live/

Test manually if certificate renewal works

certbot renew --dry-run

Check if auto-renewal ist activated

systemctl list-timers

Authelia

For security reasons and convenience, the login portal Authelia will be installed.

Redis-Server

Install Redis with the following command:

apt install redis-server

After installing Redis, start redis service and enable it to start after system reboot with the following command:

systemctl start redis-server
systemctl enable redis-server

Verify the status of the redis server:

systemctl status redis-server

By default, Redis listening on the localhost on port 6379. You can check it with the following command:

ps -ef | grep redis

SMTP-Server

Install mailutils and postfix:

apt install mailutils postfix

Test if SMTP-Server is working:

echo "This is the body of the email" | mail -s "This is the subject line" your_email_address

Installation

Download, unzip and rename latest Authelia archive:

cd /usr/bin
wget https://github.com/authelia/authelia/releases/download/v4.26.2/authelia-linux-amd64.tar.gz
tar -xzf authelia-linux-amd64.tar.gz
rm authelia-linux-amd64.tar.gz
mv ./authelia-linux-amd64 ./authelia

After unzipping, the service file authelia.service has to be moved:

mv authelia.service /etc/systemd/system/

Create folder for the authelia configuration file:

mkdir /etc/authelia
cd /etc/authelia

Move the unzipped file config.template.yml to the created folder:

mv config.template.yml /etc/authelia/

users_database.yml

Create users_database.yml in the folder /etc/authelia/:

nano users_database.yml

An user entry looks like this:

john:
    displayname: "John Doe"
    password: "$argon2id$v=19$m=65536,t=3,p=2$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t4MFFSs+iM"
    email: john.doe@authelia.com
    groups:
      - admins
      - dev

The password is encrypted so we have to get the hash value with:

authelia hash-password 'yourpassword'

configuration.yml

Create configuration.yml at the same folder:

nano configuration.yml

Start authelia and check status:

systemctl start authelia
systemctl status authelia

LATEST STATE:

Sources