User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
router:proxy_chain [2025/02/19 12:40] willyrouter:proxy_chain [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1
Line 1: Line 1:
-The idea is having TWO NGINX proxy linked together. 
-Currently, i am not using this approach. It's written here just as a concept and because it can be a neat way to host public only services on the external server and public/private ones on the internal server at the same time. 
- 
-==== External NGINX ==== 
- 
-<file - nginx.conf> 
-        server { 
-                server_name *.mydomain.com; 
-                listen 4443 ssl; 
-                include proxy-chain.conf; 
-                ssl_certificate /etc/letsencrypt/live/home.mydomain.com/fullchain.pem; 
-                ssl_certificate_key /etc/letsencrypt/live/home.mydomain.com/privkey.pem; 
-        } 
- 
-        server { 
-                server_name otherdomain.whatever; 
-                listen 4443 ssl; 
-                include proxy-chain.conf; 
-                ssl_certificate /etc/letsencrypt/live/otherdomain.whatever/fullchain.pem; 
-                ssl_certificate_key /etc/letsencrypt/live/otherdomain.whatever/privkey.pem; 
-        } 
-</file> 
- 
-<file - proxy-chain.conf> 
-location / { 
-        proxy_pass https://10.100.0.1:8443/; 
-} 
- 
-include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot 
-ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot 
-proxy_set_header   Host $host; 
-proxy_set_header   ProxyHost $proxy_host; 
-proxy_set_header   X-Real-IP $remote_addr; 
-proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for; 
-proxy_set_header X-Forwarded-Proto $scheme; 
-proxy_set_header X-Forwarded-Host $server_name; 
-proxy_set_header X-Forwarded-Ssl on; 
-proxy_set_header Upgrade $http_upgrade; 
-proxy_set_header Connection "upgrade"; 
-proxy_http_version 1.1; 
-</file> 
- 
-If using SSH tunnel, rememeber to use **127.0.0.1** instead of **10.100.0.1** in the //proxy_pass// above. 
- 
- 
-==== Certificates ==== 
- 
- 
-other way around: generate don external then copied to local. 
-group certs 
-post-hook copy to backup 
- 
-scp fro minternal... 
- 
- 
- 
- 
-kokoko 
-kokok 
- 
- 
-Needs to be shared between the internal server and the external server. You cannot use certbot on both, because ports 80&443 of external are redirected to the internal and certbot on external would not work. 
- 
-So, on internal zip che certs after any update, edit crontab like: 
-<code> 
-47 5 * * * /etc/letsencrypt/certbot-renew.sh && (cd /etc && tar cJf /home/user/certs-copy.tar.xy letsencrypt) &>> /root/certbot.log 
-31 16 * * * /etc/letsencrypt/certbot-renew.sh && (cd /etc && tar cJf /home/user/certs-copy.tar.xy letsencrypt) &>> /root/certbot.log 
-</code> 
- 
-On external, copy that file over and replace certs, again in crontab: 
-<code> 
-10 6 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xy /root/certs-copy.tar.xy && cd /etc &&  tar xvf /root/certs-copy.tar.xy && chown root:root -R letsencrypt && /etc/init.d/nginx restart 
-50 16 * * * sftp -P 5022 user@127.0.0.1:/home/user/certs-copy.tar.xy /root/certs-copy.tar.xy && cd /etc &&  tar xvf /root/certs-copy.tar.xy && chown root:root -R letsencrypt && /etc/init.d/nginx restart 
-</code> 
- 
-Of course, add the external root SSH public key to user file /home/use/.ssh/authorized_keys for passwordless access. 
- 
-**Note:** it should be possible to avoid this by using certbot on both internal and external server at the same time, but i have not attempted yet. 
  

This website uses technical cookies only. No information is shared with anybody or used in any way but provide the website in your browser.

More information