Differences
This shows you the differences between two versions of the page.
selfhost:nginx [2024/08/29 08:44] – willy | selfhost:nginx [2025/03/13 09:29] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== The Reverse Proxy concept ====== | + | ====== |
The use of a **reverse proxy** is the key at the foundation of ensuring security, isolation and flexibility in accessing your self-hosted services. | The use of a **reverse proxy** is the key at the foundation of ensuring security, isolation and flexibility in accessing your self-hosted services. | ||
Line 18: | Line 18: | ||
* It is fully integrated in [[https:// | * It is fully integrated in [[https:// | ||
- | In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like [[https:// | + | In general NGINX is fully featured but still very lightweight and secure HTTP server that shines as reverse-proxy. If you need to add more features, like [[https:// |
===== Base URLs and sub-domains ===== | ===== Base URLs and sub-domains ===== | ||
Line 51: | Line 51: | ||
- | ===== Reverse Proxy propagation | + | ===== Reverse Proxy propagation ===== |
- | The reverse proxy is installed on the local server, | + | The reverse proxy is installed on the local server, |
+ | |||
+ | The reverse proxy will need to be accessible to both the internal users and the external users. You could setup two different proxies, but i prefer to have only one listening to both worlds. I will assume that there might be differences between internal and external users in terms of authentication or service availability. The underlying idea is that you will have your reverse proxy listening to different ports: one for internal access | ||
The setup i am describing uses three different ports: | The setup i am describing uses three different ports: | ||
* Port 80: both to local and remote, will just be a redirect to HTTPS | * Port 80: both to local and remote, will just be a redirect to HTTPS | ||
- | * Port 443: standard HTTPS for **internal** access, mostly to bypass SSO authentication | + | * Port 443: standard HTTPS for **internal** access |
- | * Port 8443: HTTPS with SSO authentication | + | * Port 8443: HTTPS for **external** access |
**Note:** for Let's Encrypt CertBot to work properly you **need** to redirect **both** port 80 and 443 from your external server to your internal server. CertBot will shutdown your NGINX and spin a custom NGINX server that you cannot tweak so it's critical that your SSH tunnels are properly forwarding ports 80 and 443 from the external server to the internal one, or it will not work. | **Note:** for Let's Encrypt CertBot to work properly you **need** to redirect **both** port 80 and 443 from your external server to your internal server. CertBot will shutdown your NGINX and spin a custom NGINX server that you cannot tweak so it's critical that your SSH tunnels are properly forwarding ports 80 and 443 from the external server to the internal one, or it will not work. | ||
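Review bot: the port split introduced in this hunk (443 internal, 8443 external) is undone by the Note in the same hunk: if the external server forwards both 80 and 443 to the internal one so that CertBot works, then the 443 listener that the list labels internal is reachable from the internet, and anything published on 443 only because it was meant for internal users becomes public. Either state that the 443 forward is opened for the renewal only and closed again afterwards (and that nothing on 443 may rely on being internal meanwhile), or verify whether 443 is needed at all: the ACME HTTP-01 challenge is requested on port 80 and the standalone server that replaces NGINX answers there. A suggested wording for the list: `Port 443: HTTPS for internal access; never forwarded from the external server`.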
Line 72: | Line 74: | ||
* //realip// is needed by SSO like authelia | * //realip// is needed by SSO like authelia | ||
- | While NGINX support WebDAV, i strongly suggest you __dont__ enable it as you will not be using it. Apache | + | While NGINX support WebDAV, i strongly suggest you __dont__ enable it as you will not be using it. NGINX WebDAV support is lacking and not really recomended. |
So create the file **/ | So create the file **/ | ||
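Review bot: `realip is needed by SSO like authelia` states half the requirement. The realip module rewrites `$remote_addr` from a header (`X-Forwarded-For` or `X-Real-IP`) and only for connections arriving from the addresses listed in `set_real_ip_from`. With the SSH tunnels described in the Line 51 hunk nothing inserts such a header, so every external user arrives from the tunnel endpoint and the SSO sees that one address for all of them; and if `set_real_ip_from` is wider than that endpoint, any client can forge the header and appear to come from the internal network. Say what on the external side sets the header and restrict `set_real_ip_from` to that single address.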
Line 99: | Line 101: | ||
* Your service Y is reachable under **https:// | * Your service Y is reachable under **https:// | ||
* All HTTP traffic is redirected to HTTPS | * All HTTP traffic is redirected to HTTPS | ||
+ | * You have a single Let's Encrypt SSL certificate which covers all the subdomains of your domain (either a wildcard or a comulative cert it's up to you) | ||
+ | * You might have more than one main domain | ||
The top-level **mydomain.com** will have it's own folder, then you will create a set of sub-folders stemming from the main domain, one folder for each sub-domains, | The top-level **mydomain.com** will have it's own folder, then you will create a set of sub-folders stemming from the main domain, one folder for each sub-domains, | ||
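Review bot: `either a wildcard or a comulative cert it's up to you` hides a choice that matters for this page. A Let's Encrypt wildcard can only be issued through the DNS-01 challenge, which needs no port 80/443 forwarding at all and therefore removes the CertBot constraint stated in the Line 51 hunk; a cumulative (SAN) certificate instead lists every sub-domain by name in the certificate and hence in the public Certificate Transparency logs, which enumerates your services for anyone who looks. Spell out that trade-off in the bullet, and fix the spelling (`cumulative`).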
Line 154: | Line 158: | ||
# Add domains here (only the main config file for each domain!) | # Add domains here (only the main config file for each domain!) | ||
include com.mydomain/ | include com.mydomain/ | ||
+ | | ||
+ | # This is for SSL and needs to be included only once for all the domains | ||
+ | include / | ||
} | } | ||
</ | </ | ||
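Review bot: the comment `needs to be included only once for all the domains` conflicts with the per-server `include HTTPS certs stuff` that the hunks from Line 191 onward add to every `server {}`. `ssl_certificate`, `ssl_certificate_key`, `ssl_protocols` and `ssl_ciphers` are all valid in the `http {}` context and are inherited by every `server {}` of the instance, so if both includes name the same file the per-server copies are redundant, and if they name different files the comment should say which directives each carries (shared protocol, cipher and session settings at `http {}`, per-domain certificate paths in the `server {}`). A server-only directive such as `listen` must not end up in the file included here or NGINX refuses to start.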
Line 170: | Line 177: | ||
# simple catch-all server for the domain | # simple catch-all server for the domain | ||
server { | server { | ||
- | # | + | # |
- | server_name | + | server_name mydomain.com; |
# Port for users from outside | # Port for users from outside | ||
listen 8443 ssl; | listen 8443 ssl; | ||
Line 184: | Line 191: | ||
# include all sub-paths for mydomain.com: | # include all sub-paths for mydomain.com: | ||
- | | + | |
+ | |||
+ | # include HTTPS certs stuff: | ||
+ | | ||
} | } | ||
# include all sub-domains entry points: | # include all sub-domains entry points: | ||
include com.mydomain/ | include com.mydomain/ | ||
- | |||
- | # include HTTPS certs stuff: | ||
- | include com.mydomain/ | ||
</ | </ | ||
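Review bot: a block commented as `simple catch-all server for the domain` but declared with `server_name mydomain.com;` and a plain `listen 8443 ssl;` is not a catch-all: NGINX routes a request whose Host matches no `server_name` to the block marked `default_server` on that port, or failing that to the first block listed, so which sub-domain answers an unknown Host depends on the include order of the sub-domain entry points below it. Mark the listen lines `listen 8443 ssl default_server;` (and likewise for 443), and add a dedicated default block with `return 444;` so scanners hitting the address with a random Host get no service at all.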
Line 204: | Line 211: | ||
<file - y.conf> | <file - y.conf> | ||
server { | server { | ||
- | | + | server_name y.mydomain.com; |
- | listen 8443 ssl; # external access | + | |
- | listen 443 ssl; # internal access | + | |
- | access_log / | + | |
- | error_log / | + | |
- | location / { | + | |
- | #Generic proxy pass to proxied service | + | |
- | proxy_pass http:// | + | |
- | } | + | |
+ | # include HTTPS certs stuff: | ||
+ | | ||
} | } | ||
</ | </ | ||
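Review bot: the `location / { proxy_pass http://... }` block in y.conf passes nothing about the original request to the upstream: without `proxy_set_header Host $host;` the service sees the Host of the proxy_pass target, and without `X-Real-IP`, `X-Forwarded-For` and `X-Forwarded-Proto` it cannot learn the client address or that the client connected over HTTPS, which is exactly what the realip/SSO requirement in the Line 72 hunk depends on. Put the four `proxy_set_header` lines in one snippet and include it next to the certs include in every server, so the per-service files stay as short as this one.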
Line 237: | Line 246: | ||
proxy_pass http:// | proxy_pass http:// | ||
} | } | ||
+ | # include HTTPS certs stuff: | ||
+ | | ||
} | } | ||
</ | </ | ||
Line 253: | Line 264: | ||
proxy_pass http:// | proxy_pass http:// | ||
} | } | ||
+ | # include HTTPS certs stuff: | ||
+ | | ||
} | } | ||
</ | </ | ||
Line 268: | Line 281: | ||
proxy_pass http:// | proxy_pass http:// | ||
} | } | ||
+ | # include HTTPS certs stuff: | ||
+ | | ||
} | } | ||
server { | server { | ||
Line 280: | Line 295: | ||
proxy_pass http:// | proxy_pass http:// | ||
} | } | ||
+ | # include HTTPS certs stuff: | ||
+ | | ||
} | } | ||
</ | </ |