selfhost:nginx [2025/02/13 11:04] willyselfhost:nginx [2025/09/16 10:15] (current) – [Reverse Proxy propagation] willy
Line 1: Line 1:
-====== The Reverse Proxy concept ======+====== F) The Reverse Proxy concept ======
  
 The use of a **reverse proxy** is the key at the foundation of ensuring security, isolation and flexibility in accessing your self-hosted services. The use of a **reverse proxy** is the key at the foundation of ensuring security, isolation and flexibility in accessing your self-hosted services.
Line 62: Line 62:
   * Port 8443: HTTPS for **external** access    * Port 8443: HTTPS for **external** access 
  
-**Note:** for Let's Encrypt CertBot to work properly you **need** to redirect **both** port 80 and 443 from your external server to your internal server. CertBot will shutdown your NGINX and spin a custom NGINX server that you cannot tweak so it's critical that your SSH tunnels are properly forwarding ports 80 and 443 from the external server to the internal one, or it will not work.+**Note:** for Let's Encrypt CertBot to work properly you **need** to redirect **both** port 80 and 443 from your external server to your internal server. CertBot will shutdown your NGINX and spin a custom NGINX server that you cannot tweak so it's critical that your Wireguard or SSH tunnels are properly forwarding ports 80 and 443 from the external server to the internal one, or it will not work.
  
  
Line 102: Line 102:
   * All HTTP traffic is redirected to HTTPS   * All HTTP traffic is redirected to HTTPS
   * You have a single Let's Encrypt SSL certificate which covers all the subdomains of your domain (either a wildcard or a comulative cert it's up to you)   * You have a single Let's Encrypt SSL certificate which covers all the subdomains of your domain (either a wildcard or a comulative cert it's up to you)
 +  * You might have more than one main domain
  
 The top-level **mydomain.com** will have it's own folder, then you will create a set of sub-folders stemming from the main domain, one folder for each sub-domains, and inside each folder one configuration file for each sub-path served on that sub-domain. The top-level **mydomain.com** will have it's own folder, then you will create a set of sub-folders stemming from the main domain, one folder for each sub-domains, and inside each folder one configuration file for each sub-path served on that sub-domain.
Line 157: Line 158:
         # Add domains here (only the main config file for each domain!)         # Add domains here (only the main config file for each domain!)
         include com.mydomain/mydomain.conf;         include com.mydomain/mydomain.conf;
 +        
 +        # This is for SSL and needs to be included only once for all the domains
 +        include /etc/letsencrypt/options-ssl-nginx.conf;
 } }
 </file> </file>
Line 173: Line 177:
 # simple catch-all server for the domain # simple catch-all server for the domain
 server { server {
-       # respond both to local, internal, IP directly and to mydomain.com +       # You might want to specify also the internal  
-        server_name 10.0.0.1 mydomain.com;+        server_name mydomain.com;
         # Port for users from outside         # Port for users from outside
         listen 8443 ssl;         listen 8443 ssl;
Line 187: Line 191:
  
        # include all sub-paths for mydomain.com:        # include all sub-paths for mydomain.com:
-       include serviceX.conf+       include serviceX.conf
 + 
 +       # include HTTPS certs stuff: 
 +       include org.gardiol/certbot.conf;
 } }
  
 # include all sub-domains entry points: # include all sub-domains entry points:
 include com.mydomain/y/y.conf; include com.mydomain/y/y.conf;
- 
-# include HTTPS certs stuff: 
-include com.mydomain/certbot.conf; 
 </file> </file>
  
Line 207: Line 211:
 <file - y.conf> <file - y.conf>
 server { server {
-        server_name y.mydomain.com; +       server_name y.mydomain.com; 
-        listen 8443 ssl; # external access +       listen 8443 ssl; # external access 
-        listen 443 ssl; # internal access +       listen 443 ssl; # internal access 
-        access_log /var/log/nginx/y.mydomain.com_access_log main; +       access_log /var/log/nginx/y.mydomain.com_access_log main; 
-        error_log /var/log/nginx/y.mydomain.com_error_log info; +       error_log /var/log/nginx/y.mydomain.com_error_log info; 
-        location / { +       location / { 
-                #Generic proxy pass to proxied service +               #Generic proxy pass to proxied service 
-                proxy_pass http://127.0.0.1:8000; +               proxy_pass http://127.0.0.1:8000; 
-        }+       } 
 +       # include HTTPS certs stuff: 
 +       include org.gardiol/certbot.conf;
 } }
 </file> </file>
Line 240: Line 246:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 </code> </code>
Line 256: Line 264:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 </code> </code>
Line 271: Line 281:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 server { server {
Line 283: Line 295:
                 proxy_pass http://127.0.0.1:8000;                 proxy_pass http://127.0.0.1:8000;
         }         }
 +       # include HTTPS certs stuff:
 +       include org.gardiol/certbot.conf;
 } }
 </code> </code>
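Review bot: The new `include org.gardiol/certbot.conf;` lines added to the server blocks (first in the mydomain.conf hunk at Line 191, then y.conf at Line 211 and the four later code blocks) point at a directory that does not match the `com.mydomain/` layout the page describes just above, and the removed line used `com.mydomain/certbot.conf`; a reader copying the template gets an include open() failure at `nginx -t` and the `listen 8443 ssl` external listener never comes up with its certificate, so the example should read `include com.mydomain/certbot.conf;` throughout. The replacement comment on the catch-all server block, `# You might want to specify also the internal`, appears truncated and should say what is meant, for example `# You may also want to list the internal IP address in server_name`. Less certain, since the wiki rendering may have eaten it: `include serviceX.conf` has no terminating semicolon on either side of the diff, which nginx rejects as an unterminated directive, so `include serviceX.conf;` is worth fixing while here.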