direct internal routing with public url possible?


plessers@gmail.com


Swynol

How did you create the Let's Encrypt cert? If you used ZeroSSL it should allow you to create a crt/key.

Otherwise this link is useful: http://windowsitpro.com/windows-server/converting-certificate-files-pfx-format-pem

OK, if I copy what you have above, all you need to do is add a listen on 443 and provide the location of your certs:

server {
    listen 80;
    listen 443;
    server_name app1.mydomain.org;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://InternalIP-App1:80/;
    }
}

server {
    listen 80;
    listen 443;
    server_name app2.mydomain.org;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://InternalIP-App2:80/;
    }
}

That should work; obviously change the location of the certs.

If you wanted to take it further after the above works, you can force users to only connect with HTTPS by adding this under the SSL section. If someone tries to connect with HTTP it will auto-redirect to HTTPS:

if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}

And then to go even crazier with security, add these after the SSL part. They will give you a good security rating:

add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header X-Powered-By;
add_header 'Referrer-Policy' 'no-referrer';

aptalca

Let's Encrypt certs should be PEM. You would need to convert them to PFX for certain apps like Emby.

Here is the Docker container my group maintains: https://hub.docker.com/r/linuxserver/letsencrypt/

It's an all-in-one nginx webserver with PHP. It retrieves and automatically updates the Let's Encrypt certs and converts them to PFX after each renewal. It also has fail2ban set up as a firewall to prevent DDoS and brute-force attempts.

You just have to forward port 443 on the router to this container and it handles the rest.


pir8radio

@plessers@gmail.com you will find some things not working right on your Emby with those nginx settings for the Emby backend.

See this post: https://emby.media/community/index.php?/topic/48029-whats-reasonable-to-expect-off-the-local-network/

Omit the "security settings" section until you get HTTPS and whatnot working as you expect with your proper certs.


plessers@gmail.com

@Swynol: certs are automatically created on WIN10+IIS+letsencrypt-win-simple.V1.9.1

https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows

I converted the *.pfx with

openssl pkcs12 -in www.MyPublicDomain.pfx -nocerts -out wwwkey.pem
openssl pkcs12 -in www.MyPublicDomain.pfx -clcerts -nokeys -out wwwcert.pem

copied the *.pem to my router on

/tmp/mnt/optware/ssl/wwwcert.pem
/tmp/mnt/optware/ssl/wwwkey.pem

changed router config to

server {
    listen 80;
    listen 443;
    server_name www.MyPublicDomain;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate     /tmp/mnt/optware/ssl/wwwcert.pem;
    ssl_certificate_key /tmp/mnt/optware/ssl/wwwkey.pem;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://MyInternalIP:80/;
    }
}

but then my NGINX cannot start up anymore... :-(

Changed config back to

server {
    listen 80;
    server_name www.MyPublicDomain;

    location / {
        proxy_pass http://MyInternalIP:80/;
    }
}

no problem then.

Any idea what could be the problem here?

further: if I use


plessers@gmail.com

@Swynol: nothing else running on 443.

But maybe this is the problem: when converting *.pfx -> *.pem, I was asked for a passphrase.

Now I converted my *.pfx as follows:

openssl pkcs12 -in www.mydomain.pfx -nokeys -clcerts -out wwwcert.pem -password pass:******** -passin pass:********
openssl pkcs12 -in www.mydomain.pfx -nocerts -out wwwkey-temp.pem -password pass:******** -passin pass:******** -passout pass:TemporaryPassword
openssl rsa -in wwwkey-temp.pem -out wwwkey.pem -passin pass:TemporaryPassword

Note: in the 3rd line, the passphrase is removed from the key.

I used the new cert/key pair, and the server could be started, but I still had a problem reaching my website:

ERR_SSL_PROTOCOL_ERROR

So I changed my config to:

server {
    listen 80;
    listen 443 ssl;
    server_name www.mydomain;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate     /tmp/mnt/optware/ssl/wwwcert.pem;
    ssl_certificate_key /tmp/mnt/optware/ssl/wwwkey.pem;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://myinternalIP:80/;
    }
}

(note the ssl after 443)

And this finally worked!!!

Really, really, really many thanks for the good tips & advice here.

Without your help I would never have started, and definitely not successfully finished, this config :-)
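An added example (not code from this thread): a small Python linter for an nginx server block that flags the pitfalls the posts above turn on: "listen 443" without "ssl" (the ERR_SSL_PROTOCOL_ERROR case), ssl_protocols still allowing TLSv1/TLSv1.1, an HSTS header added before HTTPS is confirmed working, and a missing closing brace such as the one in the pasted "if ($scheme = http)" block. The embedded config is constructed; hostname, paths and backend address are placeholders.

```python
import re
# Constructed sample: the thread's first failing config ("listen 443" without "ssl"); names and paths are placeholders.
BROKEN = """
server {
    listen 443;
    server_name www.example.invalid;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate     /tmp/mnt/optware/ssl/wwwcert.pem;
    ssl_certificate_key /tmp/mnt/optware/ssl/wwwkey.pem;
    location / { proxy_pass http://192.0.2.10:80/; }
}
"""

def tokenize(text):
    # Tokens: quoted strings (so the ';' inside an HSTS value survives), the punctuation ; { }, bare words.
    return re.findall(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+', re.sub(r"#.*", "", text))

def parse_directives(text):
    # Flatten into (name, args) pairs; raises on unbalanced braces (e.g. an 'if' pasted without its '}').
    out, cur, depth = [], [], 0
    for tok in tokenize(text):
        if tok in (";", "{"):
            if cur:
                out.append((cur[0], cur[1:]))
                cur = []
            depth += tok == "{"
        elif tok == "}":
            depth -= 1
        else:
            cur.append(tok)
    if depth != 0 or cur:
        raise ValueError(f"unbalanced braces or unterminated directive (depth {depth})")
    return out

def lint(text):
    # One finding per pitfall discussed in the thread; a syntax error short-circuits.
    try:
        directives = parse_directives(text)
    except ValueError as e:
        return [f"syntax: {e}"]
    findings = []
    for name, args in directives:
        port = args[0].rsplit(":", 1)[-1] if name == "listen" and args else None
        if port == "443" and "ssl" not in args:
            findings.append("listen 443 without 'ssl': plain HTTP on 443 -> ERR_SSL_PROTOCOL_ERROR")
        if name == "ssl_protocols" and (old := [p for p in args if p in ("SSLv3", "TLSv1", "TLSv1.1")]):
            findings.append("ssl_protocols enables deprecated " + " ".join(old))
        if name == "add_header" and args and args[0].strip("'\"") == "Strict-Transport-Security":
            findings.append("HSTS set: browsers will refuse http for max-age, add it only once https works")
    return findings
```

Run lint(BROKEN) to see the two findings for the thread's first config; a block with "listen 443 ssl" and "ssl_protocols TLSv1.2" returns an empty list.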

plessers@gmail.com

Next level...

I configured NGINX as reverse proxy on my router.

Incoming traffic (port 80) is forwarded to NGINX.

INTERNAL NETWORK

Everything works fine.

I can go to http://app.mydomain and I am routed to my backend server according to the settings of NGINX.

EXTERNAL NETWORK

Site seems not accessible.

Both from the internal and the external network: http://app.mydomain is resolved to its public IP address.

First idea was that port 80 was blocked by my provider, BUT...

If I reconfigure my own router so that port 80 is directly forwarded to my backend server (and thus not to NGINX), my backend IS accessible from the external network, so it must have something to do with the config of NGINX.

I already tried "Allow Remote Access" true/false, but no influence.

Anybody an idea what is going wrong here?

Is there somewhere a setting that should be enabled to let NGINX accept external requests?

My settings of NGINX were attached as a screenshot (image not reproduced here).


pir8radio

It's a Tomato issue... I don't think you can port forward to the router itself... I think you have to do some weird firewall rules via iptables to allow port 80, and remove the port forward.


plessers@gmail.com

oooooooooo bummer.. :-(

Now I'm stuck with an incompatible router, a rather intensive procedure to renew my certs and a girlfriend complaining about all the time I spend on this topic during the incredibly sunny weekend here in Belgium :-)

Anyway: I had a good time and learned a lot. Thanks for the good support here!

PS

I believe that I have a Ubiquiti EdgeRouter X somewhere that can probably run nginx. Looking forward to next weekend, don't tell my girlfriend...


pir8radio

oooooooooo bummer.. :-(

Now I'm stuck with an incompatible router, a rather intensive procedure to renew my certs and a girlfriend complaining about all the time I spend on this topic during the incredibly sunny weekend here in Belgium :-)

Anyway: I had a good time and learned a lot. Thanks for the good support here!

PS

I believe that I have a Ubiquiti EdgeRouter X somewhere that can probably run nginx. Looking forward to next weekend, don't tell my girlfriend...

No, I think you can still use your router, you just have to enter rules via iptables... google


plessers@gmail.com

Okay, I will give it a try later.

For now, I switched to the following setup:

- "server" running WWW, Emby, Plex, ... is a WIN10 machine
- with IIS on it
- and configured it yesterday as reverse proxy for my services
- Port forwarding 80/443 from router to IIS

Everything works fine now. Certs are automatically renewed with https://github.com/Lone-Coder/letsencrypt-win-simple

Not ideal because it's not redundant, plus there's a problem when I'm rebooting my server, but for now I can live with that...
