Swynol Posted June 10, 2017 (edited)

How did you create the Let's Encrypt cert? If you used zeroSSL it should allow you to create a crt/key. Otherwise this link is useful - http://windowsitpro.com/windows-server/converting-certificate-files-pfx-format-pem

OK, if I copy what you have above, all you need to do is add a listen on 443 and provide the location of your certs:

    server {
        listen 80;
        listen 443;
        server_name app1.mydomain.org;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        location / {
            proxy_pass http://InternalIP-App1:80/;
        }
    }

    server {
        listen 80;
        listen 443;
        server_name app2.mydomain.org;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        location / {
            proxy_pass http://InternalIP-App2:80/;
        }
    }

That should work, obviously change the location of the certs.

If you wanted to take it further after the above works, you can force users to only connect with https by adding this under the SSL section. If someone tries to connect with http it will auto redirect to https:

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

And then to go even crazier with security, add these after the SSL part. Will give you a good security rating.

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';

Edited June 10, 2017 by Swynol
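An added pre-reload check, not part of Swynol's post or the nginx project, for two slips this thread runs into with server blocks like the ones above: a `listen 443` that lacks the `ssl` flag on a server that loads a certificate (nginx then speaks plain HTTP on 443 and the browser reports ERR_SSL_PROTOCOL_ERROR), and a block left unclosed, such as an `if (...) { return 301 ...;` pasted without its `}`. The config inside is a constructed copy of the two server blocks above; it needs only sh and awk.

```shell
#!/bin/sh
# Added example, not from the post: lint an nginx config for two slips this
# thread runs into before reloading. Needs only sh and awk; the config below
# is a constructed copy of the two server blocks above (app1 left as posted).
CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
server {
    listen 80;
    listen 443;
    server_name app1.mydomain.org;
    ssl_certificate SSL/cert.pem;
    ssl_certificate_key SSL/private.key;
    location / { proxy_pass http://InternalIP-App1:80/; }
}
server {
    listen 80;
    listen 443 ssl;
    server_name app2.mydomain.org;
    ssl_certificate SSL/cert.pem;
    ssl_certificate_key SSL/private.key;
    location / { proxy_pass http://InternalIP-App2:80/; }
}
EOF

# Print the server_name of each server block that loads a certificate but has
# a "listen 443;" without the ssl flag. nginx then talks plain HTTP on 443, so
# a browser's TLS ClientHello gets an HTTP error back: ERR_SSL_PROTOCOL_ERROR.
find_plain_443() {
  awk '
    /^[ \t]*server[ \t]*\{/               { name = ""; cert = 0; plain = 0 }
    /^[ \t]*server_name[ \t]/             { name = $2; sub(/;$/, "", name) }
    /^[ \t]*ssl_certificate[ \t]/         { cert = 1 }
    /^[ \t]*listen[ \t]+443/ && !/ssl/    { plain = 1 }
    /^\}/                                 { if (cert && plain) print name }
  ' "$1"
}

# Net count of "{" minus "}": anything but 0 means a block was left open, e.g.
# an "if ($scheme = http) { return 301 ...;" pasted without its closing brace,
# and nginx rejects the whole file instead of serving anything.
brace_imbalance() {
  awk '{ o += gsub(/\{/, "{"); c += gsub(/\}/, "}") } END { print o - c }' "$1"
}

echo "plain-HTTP on 443: $(find_plain_443 "$CONF")"
echo "unclosed braces:   $(brace_imbalance "$CONF")"
```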
aptalca Posted June 10, 2017 (edited)

Letsencrypt certs should be pem. You would need to convert them to pfx for certain apps like emby.

Here is the docker container my group maintains: https://hub.docker.com/r/linuxserver/letsencrypt/

It's an all in one nginx webserver with php. It retrieves and automatically updates the letsencrypt certs and converts them to pfx after each renewal. It also has fail2ban set up as a firewall to prevent ddos and brute force attempts. You just have to forward port 443 on the router to this container and it handles the rest.

Edited June 10, 2017 by aptalca
pir8radio Posted June 10, 2017 (edited)

@plessers@gmail.com you will find some things not working right on your emby with those nginx settings for the emby backend. See this post: https://emby.media/community/index.php?/topic/48029-whats-reasonable-to-expect-off-the-local-network/

Omit the "security settings" section until you get https and what not working as you expect with your proper certs.

Edited June 10, 2017 by pir8radio
plessers@gmail.com (Author) Posted June 10, 2017

@Swynol: certs are automatically created on WIN10+IIS+letsencrypt-win-simple.V1.9.1 https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows

I converted the *.pfx with

    openssl pkcs12 -in www.MyPublicDomain.pfx -nocerts -out wwwkey.pem
    openssl pkcs12 -in www.MyPublicDomain.pfx -clcerts -nokeys -out wwwcert.pem

copied the *.pem to my router on

    /tmp/mnt/optware/ssl/wwwcert.pem
    /tmp/mnt/optware/ssl/wwwkey.pem

changed router config to

    server {
        listen 80;
        listen 443;
        server_name www.MyPublicDomain;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate /tmp/mnt/optware/ssl/wwwcert.pem;
        ssl_certificate_key /tmp/mnt/optware/ssl/wwwkey.pem;
        ssl_session_cache shared:SSL:10m;
        location / {
            proxy_pass http://MyInternalIP:80/;
        }
    }

but then, my NGINX cannot start up anymore... :-(

Changed config back to

    server {
        listen 80;
        server_name www.MyPublicDomain;
        location / {
            proxy_pass http://MyInternalIP:80/;
        }
    }

no problem then. Any idea what could be the problem here?

further: if I use
Swynol Posted June 10, 2017

have you got anything else running on port 443?
plessers@gmail.com (Author) Posted June 11, 2017 (edited)

@Swynol: nothing else running on 443. But maybe this is the problem: when converting *.pfx -> *.pem, I was asked for a passphrase. Now I converted my *.pfx as follows:

    openssl pkcs12 -in www.mydomain.pfx -nokeys -clcerts -out wwwcert.pem -password pass:******** -passin pass:********
    openssl pkcs12 -in www.mydomain.pfx -nocerts -out wwwkey-temp.pem -password pass:******** -passin pass:******** -passout pass:TemporaryPassword
    openssl rsa -in wwwkey-temp.pem -out wwwkey.pem -passin pass:TemporaryPassword

Note: in the 3rd line, the passphrase is removed from the key.

I used the new cert/key pair, and the server could be started, but I still had a problem reaching my website: ERR_SSL_PROTOCOL_ERROR

So I changed my config to:

    server {
        listen 80;
        listen 443 ssl;
        server_name www.mydomain;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate /tmp/mnt/optware/ssl/wwwcert.pem;
        ssl_certificate_key /tmp/mnt/optware/ssl/wwwkey.pem;
        ssl_session_cache shared:SSL:10m;
        location / {
            proxy_pass http://myinternalIP:80/;
        }
    }

(note the ssl behind 443)

And this finally worked!!! Really really really many thanx for the good tips & advice here. Without your help, I would never have started - and definitely not successfully finished - this config :-)

Edited June 11, 2017 by plessers@gmail.com
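The conversion and the two failures above (nginx refusing to start on a passphrase-protected key, then the key/cert pair that finally loads), as an added shell example that is not part of the thread: it builds a throwaway self-signed .pfx standing in for the letsencrypt-win-simple export, runs the same three openssl commands, and then checks what nginx needs at startup, a key with no passphrase that actually belongs to the certificate. Assumes openssl on PATH; the PFX password and hostname are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the pfx -> pem conversion above on
# a constructed self-signed .pfx and verify what nginx needs at startup.
# Assumes openssl on PATH; password and hostname below are constructed.
set -eu
PFX_PASS='constructed-pfx-password'
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway cert + key bundled as .pfx, standing in for the IIS export.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=www.example.invalid' \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
    -out "$WORK/www.pfx" -password "pass:$PFX_PASS"
}

# The three commands from the post: cert out, key out under a temporary
# passphrase, then strip the passphrase so nginx can load the key unattended.
convert_pfx() {
  openssl pkcs12 -in "$WORK/www.pfx" -nokeys -clcerts \
    -out "$WORK/wwwcert.pem" -passin "pass:$PFX_PASS"
  openssl pkcs12 -in "$WORK/www.pfx" -nocerts -out "$WORK/wwwkey-temp.pem" \
    -passin "pass:$PFX_PASS" -passout pass:TemporaryPassword
  openssl rsa -in "$WORK/wwwkey-temp.pem" -out "$WORK/wwwkey.pem" \
    -passin pass:TemporaryPassword 2>/dev/null
}

# 0 if the key file is passphrase-protected: with such a key and no
# ssl_password_file, nginx fails to start, as happened earlier in the thread.
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# 0 when the certificate's public key equals the one derived from the key,
# i.e. the pair nginx will be asked to serve actually belongs together.
key_matches_cert() {
  c="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
  k="$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)"
  [ "$c" = "$k" ]
}

make_test_pfx
convert_pfx
key_is_encrypted "$WORK/wwwkey-temp.pem" && echo "temp key: encrypted"
key_is_encrypted "$WORK/wwwkey.pem" || echo "final key: no passphrase"
key_matches_cert "$WORK/wwwcert.pem" "$WORK/wwwkey.pem" && echo "cert/key match"
```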
plessers@gmail.com (Author) Posted June 12, 2017 (edited)

Next level... I configured NGINX as reverse proxy on my router. Incoming traffic (port 80) is forwarded to NGINX.

INTERNAL NETWORK
Everything works fine. I can go to http://app.mydomain and I am routed to my backend server according to the settings of NGINX.

EXTERNAL NETWORK
Site seems not accessible. Both from the internal and external network, http://app.mydomain is resolved with its public IP address. First idea was that port 80 was blocked by my provider, BUT... If I reconfigure my own router so that port 80 is directly forwarded to my backend server (and thus not to NGINX), my backend IS accessible from the external network, so it must have something to do with the config of NGINX. I already tried "Allow Remote Access" true/false, but no influence.

Anybody have an idea what is going wrong here? Is there somewhere a setting that should be enabled to let NGINX accept external requests? My settings of NGINX:

Edited June 12, 2017 by plessers@gmail.com
pir8radio Posted June 12, 2017

It's a Tomato issue... I don't think you can port forward to the router itself... I think you have to do some weird firewall rules via iptables to allow port 80, and remove the port forward.
plessers@gmail.com (Author) Posted June 12, 2017

oooooooooo bummer.. :-( Now I'm stuck with an incompatible router, a rather intensive procedure to renew my certs and a girlfriend complaining about all the time I spend on this topic during the incredibly sunny weekend here in Belgium :-)

Anyway: I had a good time and learned a lot. Thanx for the good support here!

PS I believe that I have a Ubiquiti EdgeRouter X somewhere that can probably run nginx. Looking forward to next weekend, don't tell my girlfriend...
pir8radio Posted June 12, 2017

> oooooooooo bummer.. :-( Now I'm stuck with an incompatible router, a rather intensive procedure to renew my certs and a girlfriend complaining about all the time I spend on this topic during the incredibly sunny weekend here in Belgium :-) Anyway: I had a good time and learned a lot. Thanx for the good support here! PS I believe that I have a Ubiquiti EdgeRouter X somewhere that can probably run nginx. Looking forward to next weekend, don't tell my girlfriend...

No, I think you can still use your router, you just have to enter rules via iptables... google
plessers@gmail.com (Author) Posted June 13, 2017

Okay, I will give it a try later. For now, I switched to the following setup:

- "server" running WWW, Emby, Plex, ... is a WIN10 machine
- with IIS on it
- and configured it yesterday as reverse proxy for my services
- Port forwarding 80/443 from router to IIS

Everything works fine now. Certs are automatically renewed with https://github.com/Lone-Coder/letsencrypt-win-simple

Not ideal because it is not redundant + a problem when I'm rebooting my server, but for now, I can live with that...