selfhost:nginx [2024/08/29 08:44] willy
selfhost:nginx [2025/03/13 09:29] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== The Reverse Proxy concept ======+====== F) The Reverse Proxy concept ======
  
 The use of a **reverse proxy** is the key at the foundation of ensuring security, isolation and flexibility in accessing your self-hosted services. The use of a **reverse proxy** is the key at the foundation of ensuring security, isolation and flexibility in accessing your self-hosted services.
Line 18: Line 18:
   * It is fully integrated in [[https://letsencrypt.org|Let's Encrypt]] SSL infrastructure / CertBot script   * It is fully integrated in [[https://letsencrypt.org|Let's Encrypt]] SSL infrastructure / CertBot script
  
-In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like [[https://www.php.net|PHP]] support or FastCGI, NGINX will support you without the need for an additional service on your server+In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like [[https://www.php.net|PHP]] support or FastCGI, NGINX will support you but with a little bit more effort than Apache.
  
 ===== Base URLs and sub-domains ===== ===== Base URLs and sub-domains =====
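Review bot: the rewritten PHP/FastCGI sentence is the accurate one, but it should say why the effort is larger: NGINX has no in-process PHP module (nothing equivalent to Apache's mod_php), so PHP has to run in a separate FastCGI daemon such as php-fpm and NGINX only hands requests to it with fastcgi_pass. The removed wording ("without the need for an additional service on your server") was therefore wrong, not just imprecise. Minor grammar in the same line: "NGINX is a fully featured but still very lightweight and secure HTTP server".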
Line 51: Line 51:
  
  
-===== Reverse Proxy propagation to external world =====+===== Reverse Proxy propagation =====
  
-The reverse proxy is installed on the local server, you should have already guessed that remote access is performed using the SSH tunneling described in the [[selfhost:ssh_tunnel|specific page]]. The underlying idea is that you will have your reverse proxy listening to different portsand these ports will be forwarded to your external server using the SSH tunnels. Differentiating the ports is required to be able to apply SSO authentication depending on where your user connects from.+The reverse proxy is installed on the local server, i assume your local server is reachable from remote (see [[networking:external_access|Remote Access to your Home Server]]).  
 + 
 +The reverse proxy will need to be accessible to both the internal users and the external users. You could setup two different proxies, but i prefer to have only one listening to both worlds. I will assume that there might be differences between internal and external users in terms of authentication or service availability. The underlying idea is that you will have your reverse proxy listening to different ports: one for internal access and one for external access.
  
 The setup i am describing uses three different ports: The setup i am describing uses three different ports:
   * Port 80: both to local and remote, will just be a redirect to HTTPS   * Port 80: both to local and remote, will just be a redirect to HTTPS
-  * Port 443: standard HTTPS for **internal** access, mostly to bypass SSO authentication +  * Port 443: standard HTTPS for **internal** access 
-  * Port 8443: HTTPS with SSO authentication for **external** access +  * Port 8443: HTTPS for **external** access 
  
 **Note:** for Let's Encrypt CertBot to work properly you **need** to redirect **both** port 80 and 443 from your external server to your internal server. CertBot will shutdown your NGINX and spin a custom NGINX server that you cannot tweak so it's critical that your SSH tunnels are properly forwarding ports 80 and 443 from the external server to the internal one, or it will not work. **Note:** for Let's Encrypt CertBot to work properly you **need** to redirect **both** port 80 and 443 from your external server to your internal server. CertBot will shutdown your NGINX and spin a custom NGINX server that you cannot tweak so it's critical that your SSH tunnels are properly forwarding ports 80 and 443 from the external server to the internal one, or it will not work.
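Review bot: the new paragraphs separate internal and external users by listening port (443 internal, 8443 external) and say that authentication or service availability may differ between them, but the unchanged Note at the end of this hunk requires both port 80 and port 443 to be forwarded from the external server to the internal one. Once 443 is reachable from outside, the "internal" listener is an external one too, and any per-port difference in authentication is a bypass: an outside client simply connects to 443. Either enforce the distinction by source address (allow/deny on the 443 server blocks, using the realip module the page already builds in) rather than by port alone, or stop forwarding 443: the HTTP-01 challenge that CertBot uses only needs port 80, and the 443 requirement dates from the retired TLS-SNI challenge. Two smaller points: the Note still refers to "your SSH tunnels" although this revision replaced the SSH-tunnel description with the networking:external_access link, so it should be reworded to match; and "i assume" / "i prefer" should be "I assume" / "I prefer".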
Line 72: Line 74:
   * //realip// is needed by SSO like authelia   * //realip// is needed by SSO like authelia
  
-While NGINX support WebDAV, i strongly suggest you __dont__ enable it as you will not be using it. Apache WebDAV support is much better.+While NGINX support WebDAV, i strongly suggest you __dont__ enable it as you will not be using it. NGINX WebDAV support is lacking and not really recomended.
  
 So create the file **/etc/portage/package.use/nginx** with the following lines: So create the file **/etc/portage/package.use/nginx** with the following lines:
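Review bot: the reworded WebDAV advice is sound from an attack-surface point of view (leaving ngx_http_dav_module out of the build removes the PUT, DELETE, MKCOL, COPY and MOVE handlers that none of the proxied services here need), but the line carries typos: "recomended" should be "recommended", "dont" should be "don't", and "NGINX support WebDAV" should be "NGINX supports WebDAV".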
Line 99: Line 101:
   * Your service Y is reachable under **https://y.mydomain.com** (subdomain)   * Your service Y is reachable under **https://y.mydomain.com** (subdomain)
   * All HTTP traffic is redirected to HTTPS   * All HTTP traffic is redirected to HTTPS
 +  * You have a single Let's Encrypt SSL certificate which covers all the subdomains of your domain (either a wildcard or a comulative cert it's up to you)
 +  * You might have more than one main domain
  
 The top-level **mydomain.com** will have it's own folder, then you will create a set of sub-folders stemming from the main domain, one folder for each sub-domains, and inside each folder one configuration file for each sub-path served on that sub-domain. The top-level **mydomain.com** will have it's own folder, then you will create a set of sub-folders stemming from the main domain, one folder for each sub-domains, and inside each folder one configuration file for each sub-path served on that sub-domain.
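Review bot: the two added bullets need a caveat on how the "single certificate for all the subdomains" is obtained, because it interacts with the port-forwarding requirement stated earlier on the page. A wildcard certificate (*.mydomain.com) can only be issued through the DNS-01 challenge, which needs a DNS provider credential on the server but no inbound port at all; a multi-name (SAN) certificate can be issued with HTTP-01 on port 80, but it then lists every subdomain, and so every self-hosted service name, in the public Certificate Transparency logs. In both cases one private key now protects every service, so its ownership and file mode deserve a sentence. Also "comulative" should be "cumulative", and "it's up to you" reads better as "which one is up to you".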
Line 154: Line 158:
         # Add domains here (only the main config file for each domain!)         # Add domains here (only the main config file for each domain!)
         include com.mydomain/mydomain.conf;         include com.mydomain/mydomain.conf;
 +        
 +        # This is for SSL and needs to be included only once for all the domains
 +        include /etc/letsencrypt/options-ssl-nginx.conf;
 } }
 </file> </file>
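Review bot: including /etc/letsencrypt/options-ssl-nginx.conf once in the http block is the right place, since the file sets http-level TLS defaults (ssl_protocols, ssl_ciphers, ssl_session_cache and related directives) that every server block inherits, and repeating it per server would duplicate the shared session cache declaration. Two caveats are worth adding next to the new comment: certbot treats that file as its own and may rewrite it when it recognises an older version, so local hardening belongs in a separate included file rather than in edits to it; and the defaults only apply to server blocks that do not override those directives themselves.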
Line 170: Line 177:
 # simple catch-all server for the domain # simple catch-all server for the domain
 server { server {
-       # respond both to local, internal, IP directly and to mydomain.com +       # You might want to specify also the internal  
-        server_name 10.0.0.1 mydomain.com;+        server_name mydomain.com;
         # Port for users from outside         # Port for users from outside
         listen 8443 ssl;         listen 8443 ssl;
Line 184: Line 191:
  
        # include all sub-paths for mydomain.com:        # include all sub-paths for mydomain.com:
-       include serviceX.conf+       include serviceX.conf
 + 
 +       # include HTTPS certs stuff: 
 +       include org.gardiol/certbot.conf;
 } }
  
 # include all sub-domains entry points: # include all sub-domains entry points:
 include com.mydomain/y/y.conf; include com.mydomain/y/y.conf;
- 
-# include HTTPS certs stuff: 
-include com.mydomain/certbot.conf; 
 </file> </file>
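Review bot: the new `include org.gardiol/certbot.conf;` points at a directory that does not exist in this example: the page uses com.mydomain/ throughout, and the lines removed at the bottom of this hunk were `include com.mydomain/certbot.conf;`. It looks like the author's real domain path leaked in; it should read `include com.mydomain/certbot.conf;` (the same applies in the later hunks). Second, `include serviceX.conf` has no terminating semicolon in either version; nginx reads directive arguments until `;`, so this line swallows the next include as a second argument and the configuration fails to load with an invalid-number-of-arguments error. Third, dropping `10.0.0.1` from server_name is right for a block whose comment calls it the external listener, but this "catch-all" block still answers on 8443 for any Host header no other block claims; a `default_server` block that returns 444 for unknown names would stop scanners from being served a vhost by accident.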
  
Line 204: Line 211:
 <file - y.conf> <file - y.conf>
 server { server {
-        server_name y.mydomain.com; +       server_name y.mydomain.com; 
-        listen 8443 ssl; # external access +       listen 8443 ssl; # external access 
-        listen 443 ssl; # internal access +       listen 443 ssl; # internal access 
-        access_log /var/log/nginx/y.mydomain.com_access_log main; +       access_log /var/log/nginx/y.mydomain.com_access_log main; 
-        error_log /var/log/nginx/y.mydomain.com_error_log info; +       error_log /var/log/nginx/y.mydomain.com_error_log info; 
-        location / { +       location / { 
-                #Generic proxy pass to proxied service +               #Generic proxy pass to proxied service 
-                proxy_pass http://127.0.0.1:8000; +               proxy_pass http://127.0.0.1:8000; 
-        }+       } 
 +       # include HTTPS certs stuff: 
 +       include org.gardiol/certbot.conf;
 } }
 </file> </file>
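Review bot: apart from the indentation change, this block still proxies with a bare `proxy_pass http://127.0.0.1:8000;` and no `proxy_set_header` lines, so the backend sees Host 127.0.0.1:8000 and the proxy's own address as the client. Since the page builds in realip precisely so that SSO such as authelia can see the real client, add `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` (plus `X-Forwarded-For $proxy_add_x_forwarded_for` if the backend wants the chain) so the client address and scheme survive the hop. Also, with `listen 8443 ssl;` and `listen 443 ssl;` in the same server block nothing distinguishes the internal and external users this revision introduces; if they are to be treated differently, split them into two server blocks or branch on `$server_port`. The `org.gardiol/certbot.conf` path has the same mismatch with the com.mydomain/ layout used everywhere else on the page.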
Line 237: Line 246:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 </code> </code>
Line 253: Line 264:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 </code> </code>
Line 268: Line 281:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 server { server {
Line 280: Line 295:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 </code> </code>
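Review bot: the same `include org.gardiol/certbot.conf;` is now copied into every server block, here into two more. If certbot.conf only holds ssl_certificate and ssl_certificate_key, nginx accepts both in the http context, so declaring them once there next to the options-ssl-nginx.conf include covers every `listen ... ssl` block and removes the failure mode where a newly added block lists `ssl` but forgets the include, which nginx rejects at load time. If the file must stay per-server, the path should be com.mydomain/certbot.conf to match the directory layout the page describes.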