router:proxy_chain [2025/02/04 11:00] willy (this revision was later removed)
The idea is to have TWO NGINX proxies linked by a WireGuard tunnel: the external one sits on a public IP, the internal one has no public IP and is only reachable through the tunnel.

==== WireGuard ====

WireGuard setup between the two servers.

Internal server config, in **/etc/wireguard/**:
<file - wg0.conf>
[Interface]
PrivateKey = << here my private key >>
Address = 10.100.0.1/24 # choose a subnet for the scope

[Peer] # this is the external server
PublicKey = << here external public key >>
Endpoint = << external server IP >>:5790
AllowedIPs = 10.100.0.2/32 # only the external peer's address goes through the tunnel
PersistentKeepalive = 25 # required here: this side is behind NAT and must keep the mapping alive
</file>
- 
External server config, in **/etc/wireguard/**:
<file - wg0.conf>
[Interface]
PrivateKey = << external server private key >>
Address = 10.100.0.2/24
ListenPort = 5790

[Peer] # this is the internal server
#Endpoint =  # internal server has no public IP, leave this commented: it is learned from the first handshake.
AllowedIPs = 10.100.0.1/32 # Only allow internal server packets through the WireGuard tunnel! (AllowedIPs is also the source-address filter for packets arriving from this peer)
PersistentKeepalive = 25 # not needed on the side with a public IP, but harmless
</file>
- 
Start both on boot (OpenRC: the symlink name selects the interface), so on both servers:
<code bash>
ln -s /etc/init.d/wg-quick /etc/init.d/wg-quick.wg0
rc-update add wg-quick.wg0 default
/etc/init.d/wg-quick.wg0 start
</code>
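Before bringing the tunnel up it is worth cross-checking the two files against each other: the usual mistakes (AllowedIPs wider than the single peer, Endpoint port not matching ListenPort, no keepalive on the NAT side, placeholder keys left in) are silent until traffic does not flow. The script below is an added example, not part of the original page; the two configs it writes are constructed copies of the files above with dummy keys and 203.0.113.10 as the external IP, and the helper names (''wg_get'', ''in_cidr'', ''check_pair'') are this example's own.

```shell
#!/bin/sh
# Cross-check the internal and external wg0.conf of the proxy chain (added example, not
# from the original page). Configs below are constructed; keys are dummies.

# wg_get FILE SECTION KEY: value of KEY in SECTION, comments stripped, key case-insensitive
# (wg and wg-quick parse the file the same way).
wg_get() {
    awk -v sec="$2" -v key="$3" '
        { sub(/#.*/, "") }
        /^[ \t]*\[/ { cur = $0; gsub(/[^A-Za-z]/, "", cur); next }
        cur == sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

ip_of() { printf '%s\n' "${1%%/*}"; }                 # 10.100.0.1/24 -> 10.100.0.1

ip_to_int() {                                          # dotted quad -> 32-bit integer
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {                                            # in_cidr IP CIDR (IPv4 only)
    net=$(ip_of "$2"); bits=${2#*/}; [ "$bits" = "$2" ] && bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

key_ok() {   # a WireGuard key is 32 bytes in base64: 43 characters plus one '=' of padding
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# check_pair INTERNAL EXTERNAL: 0 when both sides agree, 1 otherwise; findings go to stdout.
check_pair() {
    rc=0
    int_ip=$(ip_of "$(wg_get "$1" Interface Address)")
    ext_ip=$(ip_of "$(wg_get "$2" Interface Address)")
    ext_allowed=$(wg_get "$2" Peer AllowedIPs)
    int_allowed=$(wg_get "$1" Peer AllowedIPs)
    # 1. Cryptokey routing: the external server accepts a tunnel packet only if its source
    #    address is inside this peer's AllowedIPs, so that must be exactly the internal host.
    [ "$ext_allowed" = "$int_ip/32" ] || { echo "external: AllowedIPs '$ext_allowed', want '$int_ip/32'"; rc=1; }
    # 2. The internal side must route the external address into the tunnel.
    in_cidr "$ext_ip" "$int_allowed" || { echo "internal: AllowedIPs '$int_allowed' misses $ext_ip"; rc=1; }
    # 3. Endpoint port on the NAT side must be the ListenPort of the public side.
    ep=$(wg_get "$1" Peer Endpoint); lp=$(wg_get "$2" Interface ListenPort)
    [ "${ep##*:}" = "$lp" ] || { echo "port mismatch: Endpoint ':${ep##*:}' vs ListenPort '$lp'"; rc=1; }
    # 4. Only the NAT side can initiate; without keepalives its NAT mapping expires and the
    #    external server, which has no Endpoint for it, can no longer reach it.
    [ -n "$(wg_get "$1" Peer PersistentKeepalive)" ] || { echo "internal: no PersistentKeepalive"; rc=1; }
    # 5. Keys must be real base64 keys, not the page's '<< ... >>' placeholders.
    for k in "$(wg_get "$1" Interface PrivateKey)" "$(wg_get "$1" Peer PublicKey)" \
             "$(wg_get "$2" Interface PrivateKey)" "$(wg_get "$2" Peer PublicKey)"; do
        key_ok "$k" || { echo "malformed key: '$k'"; rc=1; }
    done
    return $rc
}

# Constructed configs mirroring the page (dummy keys, never use them for anything).
WG_DEMO=$(mktemp -d)
cat > "$WG_DEMO/internal.conf" <<'EOF'
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.100.0.1/24

[Peer] # external server
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBA=
Endpoint = 203.0.113.10:5790
AllowedIPs = 10.100.0.2/32
PersistentKeepalive = 25
EOF
cat > "$WG_DEMO/external.conf" <<'EOF'
[Interface]
PrivateKey = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCA=
Address = 10.100.0.2/24
ListenPort = 5790

[Peer] # internal server
#Endpoint =  # behind NAT, learned from its first handshake
PublicKey = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDA=
AllowedIPs = 10.100.0.1/32
EOF
# The same external config with the mistake the page's comment warns against: a wide
# AllowedIPs lets the internal peer send packets with any source address, and wg-quick
# would route all of the external server's traffic into the tunnel.
sed 's#^AllowedIPs = .*#AllowedIPs = 0.0.0.0/0#' "$WG_DEMO/external.conf" > "$WG_DEMO/external-bad.conf"

check_pair "$WG_DEMO/internal.conf" "$WG_DEMO/external.conf" && echo "OK: configs agree"
```

Run it on the real files with ''check_pair /path/to/internal/wg0.conf /path/to/external/wg0.conf''; it only reads the files, so it is safe to run before ''wg-quick up'' on either side.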
- 
- 
==== External NGINX ====

<file - nginx.conf>
server {
    server_name *.mydomain.com;
    listen 4443 ssl;
    include proxy-chain.conf;
    ssl_certificate /etc/letsencrypt/live/home.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.mydomain.com/privkey.pem;
}

server {
    server_name otherdomain.whatever;
    listen 4443 ssl;
    include proxy-chain.conf;
    ssl_certificate /etc/letsencrypt/live/otherdomain.whatever/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/otherdomain.whatever/privkey.pem;
}
</file>

The certificate under ''live/home.mydomain.com/'' must carry ''*.mydomain.com'' as a name, otherwise every host matched by the wildcard ''server_name'' gets a certificate mismatch.
- 
<file - proxy-chain.conf>
location / {
        proxy_pass https://10.100.0.1:8443/;
}

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
proxy_set_header   Host $host;
proxy_set_header   ProxyHost $proxy_host;
proxy_set_header   X-Real-IP $remote_addr;
proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host; # not $server_name: that would send the literal "*.mydomain.com"
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
</file>

The ''proxy_set_header'' lines sit at server level and are inherited by ''location /'' only because that block sets none of its own; add one inside the location and all of them must move there. Note also that NGINX does not verify the upstream certificate by default (''proxy_ssl_verify off''), so on the hop to 10.100.0.1 it is the WireGuard peer keys, not the TLS certificate, that authenticate the internal server.
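A tightened variant of the include, added here as an example and not part of the original page: the ''Connection'' header becomes ''upgrade'' only when the client actually asked for a WebSocket upgrade (the ''map'' has to live in the ''http'' context, so it belongs in nginx.conf rather than in the include), and the TLS hop to the internal NGINX is verified against the system CA bundle, which works because both servers serve the same Let's Encrypt lineages. The bundle path is Alpine's and is an assumption.

```nginx
# nginx.conf, inside http { } (added example; not in the original include)
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# proxy-chain.conf
location / {
    proxy_pass https://10.100.0.1:8443/;

    # Verify the upstream certificate and send SNI, so the internal NGINX selects the
    # matching server block and a wrong or stale certificate there is refused here.
    proxy_ssl_server_name on;
    proxy_ssl_name $host;
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # assumed path (Alpine)
    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;   # "upgrade" only for WebSocket requests
}

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
```

With verification on, a lapse in the certificate copy described in the next section shows up as a 502 from the external proxy instead of going unnoticed, so test with ''nginx -t'' and a ''curl -v'' against one of the hostnames after the first deployment.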
- 
-==== Certificates ==== 
- 
They need to be shared between the internal server and the external server. You cannot run certbot on both, because ports 80 & 443 of the external server are redirected to the internal one, so certbot's challenge on the external server would never be answered.

So, on the internal server, pack the certs after every renewal; edit the crontab like this (the archive contains private keys, so it is created with ''umask 077'' and handed to ''user'' instead of being left world-readable; ''>> file 2>&1'' is used because cron runs ''/bin/sh'', where bash's ''&>>'' is not portable):
<code>
47 5 * * * /etc/letsencrypt/certbot-renew.sh && (umask 077 && cd /etc && tar cJf /home/user/certs-copy.tar.xz letsencrypt && chown user /home/user/certs-copy.tar.xz) >> /root/certbot.log 2>&1
31 16 * * * /etc/letsencrypt/certbot-renew.sh && (umask 077 && cd /etc && tar cJf /home/user/certs-copy.tar.xz letsencrypt && chown user /home/user/certs-copy.tar.xz) >> /root/certbot.log 2>&1
</code>

On the external server, copy that file over and replace the certs, again in the crontab:
<code>
10 6 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xz /root/certs-copy.tar.xz && cd /etc && tar xvf /root/certs-copy.tar.xz && chown root:root -R letsencrypt && /etc/init.d/nginx restart
50 16 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xz /root/certs-copy.tar.xz && cd /etc && tar xvf /root/certs-copy.tar.xz && chown root:root -R letsencrypt && /etc/init.d/nginx restart
</code>

Of course, add the external server's root SSH public key to /home/user/.ssh/authorized_keys on the internal server for passwordless access. That key lives on the most exposed machine of the chain, so restrict it in authorized_keys (''restrict,command="..."'') to the one thing it has to do rather than granting a full shell as ''user''.
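The crontab one-liner above unpacks straight into /etc and restarts NGINX whatever the archive contains. The script below is an added example, not the page's own cron line, that does the same job with the checks a practitioner would want: the internal server exposes the tarball through a forced SSH command instead of a full sftp login, the archive is inspected and unpacked into a staging directory before it touches /etc/letsencrypt, every lineage's certificate is checked against its key, and NGINX is reloaded only if ''nginx -t'' passes. ''SSH_TARGET'', ''BUNDLE'', ''LE_DIR'', the staging layout and the authorized_keys line in the usage note are this example's assumptions.

```shell
#!/bin/sh
# Certificate pull for the external NGINX (added example, not from the original page).
set -u

SSH_TARGET=${SSH_TARGET:-"-p 5022 user@127.0.0.1"}   # same endpoint as the page's crontab
BUNDLE=${BUNDLE:-/root/certs-copy.tar.xz}
LE_DIR=${LE_DIR:-/etc/letsencrypt}

# fetch_bundle: authorized_keys on the internal side forces 'cat' of the tarball, so the
# archive arrives on stdout; -T avoids the pty request that 'restrict' would reject.
fetch_bundle() {
    # shellcheck disable=SC2086  # SSH_TARGET is deliberately word-split
    ssh -T -o BatchMode=yes $SSH_TARGET > "$BUNDLE.tmp" && mv "$BUNDLE.tmp" "$BUNDLE"
}

# bundle_ok TARBALL: every member must sit under letsencrypt/ (no absolute paths, no ".."
# components) and the live/ tree must be present; prints the first offender on failure.
bundle_ok() {
    members=$(tar tf "$1") || return 1
    bad=$(printf '%s\n' "$members" | grep -Ev '^letsencrypt(/|$)' | head -n 1)
    [ -z "$bad" ] || { echo "bundle: unexpected member '$bad'" >&2; return 1; }
    ! printf '%s\n' "$members" | grep -Eq '(^|/)\.\.(/|$)' || { echo "bundle: traversal" >&2; return 1; }
    printf '%s\n' "$members" | grep -q '^letsencrypt/live/' || { echo "bundle: no live/ tree" >&2; return 1; }
}

# cert_matches_key CERT KEY: the certificate's public key must be the one derived from the
# private key (catches a half-renewed or mis-copied lineage before NGINX loads it).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# install_bundle: stage, verify, swap, test, reload; the previous tree is kept as a fallback.
install_bundle() {
    stage=$(mktemp -d "$(dirname "$LE_DIR")/.le-stage.XXXXXX") || return 1
    bundle_ok "$BUNDLE" || return 1
    tar xf "$BUNDLE" -C "$stage" || return 1
    for d in "$stage"/letsencrypt/live/*/; do
        [ -f "$d/privkey.pem" ] || continue                 # live/README has no key
        cert_matches_key "$d/fullchain.pem" "$d/privkey.pem" || { echo "key mismatch in $d" >&2; return 1; }
        openssl x509 -in "$d/fullchain.pem" -noout -checkend 0 >/dev/null \
            || { echo "expired certificate in $d" >&2; return 1; }
    done
    chown -R root:root "$stage/letsencrypt"
    rm -rf "$LE_DIR.prev"
    [ ! -d "$LE_DIR" ] || mv "$LE_DIR" "$LE_DIR.prev" || return 1
    mv "$stage/letsencrypt" "$LE_DIR" || return 1
    rmdir "$stage"
    if nginx -t; then
        nginx -s reload                                      # reload keeps open connections
    else
        mv "$LE_DIR" "$LE_DIR.rejected" && mv "$LE_DIR.prev" "$LE_DIR"
        return 1
    fi
}

if [ "${1:-}" = run ]; then fetch_bundle && install_bundle; fi
```

On the internal server the matching authorized_keys entry is ''restrict,command="cat /home/user/certs-copy.tar.xz" ssh-ed25519 AAAA... root@external'': a compromised external proxy can then read that one file (whose keys it already holds) and nothing else, instead of getting a shell as ''user''. On the external server the two crontab lines become ''10 6 * * * /root/pull-certs.sh run >> /root/certs.log 2>&1'' and the same at 16:50.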
- 