HOW-TO: Set up NGINX to reverse proxy your jails w/ Certbot

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
The whole point of the NGINX reverse proxy is that external traffic coming into your router (from a WAN IP address or domains that are directed to that through A records) can be redirected to various internal services.

Typically, you'd open ports 80 (http) and 443 (https) on your router so any external requests on these ports are forwarded to your NGINX reverse proxy jail IP address. You then configure the reverse proxy (through the nginx.conf file, or various .conf files) to direct to other internal services IP addresses based on the server_name in the request.


So would the first step to doing this be to remove all devices that use that port first?
Then install this, then redo them?

If so, is there a way to see all of these in a single place? I’m not sure my terminal command showed all of that.
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
So would the first step to doing this be to remove all devices that use that port first?
Then install this, then redo them?

If so, is there a way to see all of these in a single place? I’m not sure my terminal command showed all of that.
How many services or things do you need to access outside of your network?
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
So would the first step to doing this be to remove all devices that use that port first?
Then install this, then redo them?

If so, is there a way to see all of these in a single place? I’m not sure my terminal command showed all of that.

I think you need to give some thought as to what you are trying to achieve with this before doing too much else. I don't think it matters what 'devices' are using what ports inside your network (they should all be using unique IP addresses) but it does matter what services you wanted to expose externally and how are they going to be accessed?

I have about 10 services available outside my network, and they all come in through port 80/443 to my NGINX reverse proxy which then redirects to the internal service (running in a mix of jails, Docker containers and VMs)

I have two domains (one work, one personal) and use subdomains configured to redirect to my external WAN IP. So http://service.domain.co.uk is redirected to my router, which forwards the request on port 80 to the NGINX reverse proxy jail. I then have various service.conf files in /usr/local/etc/nginx/sites-enabled which redirect any http request to https, validate the SSL certificate and then redirect to the appropriate jail, container or VM service. These are using various ports (including 80 and 443, or others) but have unique IP addresses, so can be easily redirected too with some NGINX proxy settings.

Maybe this picture from my blog helps?

Slide1.png
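The per-service site file adrianwi describes (every http request redirected to https, TLS terminated with the Let's Encrypt certificate for that host name, then the request proxied to the internal IP and port) follows the same shape for each service, so it can be produced from a small shell function. The following is an added example, not adrianwi's own configuration and not part of the tutorial. It assumes certbot's live directory layout under /usr/local/etc/letsencrypt/live/<host>/, an ACME webroot at /usr/local/www/acme (it goes a little beyond the description above by keeping the http-01 challenge path reachable on port 80, so renewals work without stopping NGINX), and that nginx.conf includes the sites-enabled directory; the host name and backend address in the usage line are made up.

```shell
#!/bin/sh
# Added example (not adrianwi's configuration): generate one NGINX site file
# for a service behind the reverse proxy, in the style of the per-service
# files in /usr/local/etc/nginx/sites-enabled described in the thread.
# Assumptions (hypothetical paths): certbot live directory
# /usr/local/etc/letsencrypt/live/<host>/ and ACME webroot /usr/local/www/acme.

# gen_site HOSTNAME BACKEND_IP BACKEND_PORT : print the site config to stdout
gen_site() {
    host="$1"; ip="$2"; port="$3"
    # Unquoted heredoc: ${host} etc. are filled in by the shell,
    # \$host etc. stay literal for NGINX.
    cat <<EOF
# ${host}: generated by gen_site (added example)
server {
    listen 80;
    server_name ${host};

    # ACME http-01 challenges stay on port 80 so certbot's webroot renewals
    # work while NGINX is running
    location /.well-known/acme-challenge/ {
        root /usr/local/www/acme;
    }

    # Everything else is redirected to https
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name ${host};

    ssl_certificate     /usr/local/etc/letsencrypt/live/${host}/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/${host}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://${ip}:${port};
        # Tell the backend who the real client is and that it arrived over https
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Usage (hypothetical host and backend):
#   gen_site ombi.example.com 192.168.1.50 3579 > /usr/local/etc/nginx/sites-enabled/ombi.conf
#   nginx -t && service nginx reload
```

The backend only ever sees plain http from the proxy's IP, so the X-Forwarded-* headers are what it has to go on to log the real client and to build correct https links; always run `nginx -t` before reloading so a typo in a generated file cannot take down every other site on the proxy.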
 

hippy1970

Cadet
Joined
Jul 4, 2016
Messages
4
If you don't want to use a reverse proxy you could always use the router to forward external WAN port 80 to internal computer A port 80 but also forward external WAN port 81 to internal computer B port 80.

Then access them with http://www.yourdomain.com and http://www.yourdomain.com:81

It's not pretty but it will work and if it's only used by yourself it's no big deal to add the port number.

Just saying.... [emoji6]

Sent from my SM-G955F using Tapatalk
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
I think you need to give some thought as to what you are trying to achieve with this before doing too much else. I don't think it matters what 'devices' are using what ports inside your network (they should all be using unique IP addresses) but it does matter what services you wanted to expose externally and how are they going to be accessed?

I have about 10 services available outside my network, and they all come in through port 80/443 to my NGINX reverse proxy which then redirects to the internal service (running in a mix of jails, Docker containers and VMs)

I have two domains (one work, one personal) and use subdomains configured to redirect to my external WAN IP. So http://service.domain.co.uk is redirected to my router, which forwards the request on port 80 to the NGINX reverse proxy jail. I then have various service.conf files in /usr/local/etc/nginx/sites-enabled which redirect any http request to https, validate the SSL certificate and then redirect to the appropriate jail, container or VM service. These are using various ports (including 80 and 443, or others) but have unique IP addresses, so can be easily redirected too with some NGINX proxy settings.

Maybe this picture from my blog helps?

Slide1.png

Ok, that makes sense. In layman’s terms it is almost like a router for external traffic to be pointed to services that are only accessible on your local network. Yes?

What I am trying to achieve is setting up Ombi for Plex requests. That was all I was really trying to do.

Other things that I would want to get to that aren’t related to freenas or jails are my ip cameras, and I’m not sure if it applies here but things like using my vpn, teamviewer, and things like that.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
This chatter really should be in its own thread, this is a tutorial thread.

Maybe @Ericloewe can split it off?
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
This chatter really should be in its own thread, this is a tutorial thread.

Maybe @Ericloewe can split it off?

Isn’t that what we’re doing? Not trying to be rude, but I’m trying to follow this tutorial and it’s not working for me. Wouldn’t this prove useful for those that are still learning as well? I’m trying to understand what needs to be fixed to get the certificate. This guide assumes that everyone knows and understands how to make sure no device on their entire network uses port 443 and 80, and I would bet most new users still have trouble with this like I am.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Isn’t that what we’re doing?
Not really. And no worries, you're not being rude. It's just that in reading your posts you don't seem to have an understanding of what a reverse proxy is and how it works. The posters are trying to help you learn but that would be best done in its own thread.
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Not really. And no worries, you're not being rude. It's just that in reading your posts you don't seem to have an understanding of what a reverse proxy is and how it works. The posters are trying to help you learn but that would be best done in its own thread.

Just so I can do some more research, NGINX is not a stand-alone reverse proxy, it is just a web server? Are you able to point me toward a resource that you think does a good job of teaching about this, from past experience? I saw something about NGINX Plus when I tried to google a bit, but I have only been using FreeNAS about 6 weeks now and this is my first server, so this is all new to me. I don't live in the IT world for work, so I am relying on the forums and people generous with their time to help me learn.

Thanks!
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
You must fill in the internal ports where necessary to let you enter through the domain or external IP, so that it knows where to refer you,
and the external ports the way you want (ones you have not used).

And you should use port forward only for things you need to access outside the internal network

Ok, so I got it up and working now. It turns out that there must be a bug in 11.2. When I created the jail using the UI it didn't seem to work and actually establish a connection to the router. When I created it using the command line, the certificate validated and completed.

Thanks all for the help! Hopefully some day I can pay it forward!
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Renew your certificate
  1. -OPTIONAL- I don't like using vi as an editor, therefore I'm going to switch to nano for crontab as well
    setenv VISUAL /usr/local/bin/nano
  2. crontab -e
  3. Code:
    30 1 * * 1 ./certbot/letsencrypt-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

I was able to run this successfully, but does this also need to be triggered in the UI with a cron job? I don't see it showing up in the UI. Does this just automatically run Mondays at 1:30? Is there a way to verify it worked or get notifications of when it completes?

Thanks!
-Jason
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
I was able to run this successfully, but does this also need to be triggered in the UI with a cron job? I don't see it showing up in the UI. Does this just automatically run Mondays at 1:30? Is there a way to verify it worked or get notifications of when it completes?

Thanks!
-Jason

It runs automatically, no worries. If it doesn't work, you'll get an email when your certs are about to expire (as long as you set it up when generating a cert).
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
I've got a small .sh script that I run from the UI Tasks menu which works quite well.

This is the script

Code:
#!/bin/sh
# Record the date of this run, then let certbot renew whatever is due
# and reload NGINX so it picks up any new certificate
today=$(date +%Y-%b-%d)
echo "$today" >> /var/log/le-renew.log
certbot renew >> /var/log/le-renew.log
service nginx reload >> /var/log/le-renew.log


Which is run using Task > Cron Jobs

Code:
iocage exec ssl-proxy sh /le-renew.sh


This creates a log file and sends me an e-mail to say it's run and what has updated, if anything.
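adrianwi's script logs the date and output but not whether the renewal actually succeeded, and it reloads NGINX on every run whether or not anything was renewed. The script below is an added example (not adrianwi's script and not part of the tutorial) that records a timestamped status line for each run, reloads NGINX only when certbot actually deployed a new certificate (certbot's --deploy-hook runs only for certificates that were renewed), and returns certbot's exit status so a failed run stands out in the log and in the cron e-mail. The log path, the assumption that certbot is on the PATH inside the jail using the webroot or nginx authenticator (so NGINX can stay up), and the `run` argument used by the cron line are choices made here, not from the thread.

```shell
#!/bin/sh
# Added example (not adrianwi's script): certificate renewal wrapper for the
# NGINX jail. Logs each run with a timestamp, reloads NGINX only when certbot
# actually renewed something, and exits non-zero on failure.
# Assumptions: certbot is on PATH inside the jail with an authenticator that
# does not need NGINX stopped, and LOG_FILE is writable.

LOG_FILE="${LOG_FILE:-/var/log/le-renew.log}"

# log MESSAGE : append a timestamped line to the log file
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >> "$LOG_FILE"
}

# renew_certs : run certbot renew, capture its output into the log and
# record ok/FAILED. --deploy-hook runs only for certificates that were
# renewed, so NGINX is not reloaded when nothing was due.
# Returns certbot's exit status.
renew_certs() {
    log "renew: start"
    if output=$(certbot renew --non-interactive \
            --deploy-hook "service nginx reload" 2>&1); then
        status=0
    else
        status=$?
    fi
    printf '%s\n' "$output" >> "$LOG_FILE"
    if [ "$status" -eq 0 ]; then
        log "renew: ok"
    else
        log "renew: FAILED (exit $status)"
    fi
    return "$status"
}

# The renewal only runs when the script is invoked with a "run" argument, so
# the functions can be sourced for testing without touching certbot. The cron
# job in the FreeNAS UI would then be (hypothetical jail name as in the thread):
#   iocage exec ssl-proxy sh /le-renew.sh run
case "${1:-}" in
    run) renew_certs ;;
esac
```

Because the FreeNAS cron job mails whatever the command prints, it is worth also tailing the last few lines of the log at the end of the cron command so the e-mail carries the ok/FAILED line rather than just certbot's chatter; the exit status is what a monitoring check should key on.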
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
Hi,

I can successfully connect to my Nextcloud via the reverse proxy. Thanks a lot for this guide :)
In the settings of Nextcloud I get the following messages:

  • The “X-XSS-Protection” HTTP header is not configured to equal “1; mode=block”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Content-Type-Options” HTTP header is not configured to equal “nosniff”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Robots-Tag” HTTP header is not configured to equal “none”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Frame-Options” HTTP header is not configured to equal “SAMEORIGIN”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Download-Options” HTTP header is not configured to equal “noopen”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal “none”. This is a potential security risk and it is recommended to change this setting.
This problem has only existed since I installed the reverse proxy!

Can anybody guide me to fix these issues, please.

Thanks a lot


Arga
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
Hi,

I can successfully connect to my Nextcloud via the reverse proxy. Thanks a lot for this guide :)
In the settings of Nextcloud I get the following messages:

  • The “X-XSS-Protection” HTTP header is not configured to equal “1; mode=block”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Content-Type-Options” HTTP header is not configured to equal “nosniff”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Robots-Tag” HTTP header is not configured to equal “none”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Frame-Options” HTTP header is not configured to equal “SAMEORIGIN”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Download-Options” HTTP header is not configured to equal “noopen”. This is a potential security risk and it is recommended to change this setting.
  • The “X-Permitted-Cross-Domain-Policies” HTTP header is not configured to equal “none”. This is a potential security risk and it is recommended to change this setting.
This problem has only existed since I installed the reverse proxy!

Can anybody guide me to fix these issues, please.

Thanks a lot


Arga
I was able to solve these problems, just add a few more lines to Nextcloud's settings in the reverse proxy. I am currently not at home, so when I am, I will edit the post and add what you need to add.
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
I was able to solve these problems, just add a few more lines to Nextcloud's settings in the reverse proxy. I am currently not at home, so when I am, I will edit the post and add what you need to add.
That would be great, thanks a lot

Sent from my SM-N950F using Tapatalk
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
That would be great, thanks a lot

Sent from my SM-N950F using Tapatalk
Hey
These are the lines that you must add in the reverse proxy, where NextCloud is, so that it will function properly

Code:
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    # Match this to the upload size you set under PHP / Additional settings in NextCloud
    client_max_body_size 16400M;


I also recommend scanning at https://scan.nextcloud.com/ to check that all NextCloud security settings are configured correctly
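The lines above set the forwarding headers and HSTS but none of the six headers Nextcloud's settings page was complaining about, and whether those reach the browser depends on what the proxy passes through or adds. The quickest way to find out is to look at the headers a client actually receives. The script below is an added example, not from this thread or from Nextcloud: it reads a raw HTTP response header block and reports each of the six headers that is missing or does not carry the value Nextcloud asks for. The sample response it ships with is constructed, and the host name in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check a reverse-proxied Nextcloud for
# the response headers its settings page asks for. The expected values are
# the ones quoted in the Nextcloud warnings in this thread.

# Expected header values, "name|value", one per line
EXPECTED='X-XSS-Protection|1; mode=block
X-Content-Type-Options|nosniff
X-Robots-Tag|none
X-Frame-Options|SAMEORIGIN
X-Download-Options|noopen
X-Permitted-Cross-Domain-Policies|none'

# Constructed sample response (not captured from a real server): two headers
# are right, one has the wrong value, three are absent.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: noindex, nofollow'

# check_headers : reads raw response headers on stdin; prints one line per
# problem ("missing NAME" or "wrong NAME: got ..."), returns 1 if there were
# any, otherwise prints a confirmation and returns 0.
check_headers() {
    headers=$(tr -d '\r')    # curl output has CRLF line endings; drop the CR
    problems=$(printf '%s\n' "$EXPECTED" | while IFS='|' read -r name want; do
        # first matching header, name compared case-insensitively, value trimmed
        got=$(printf '%s\n' "$headers" | grep -i "^${name}:" | head -n 1 \
              | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$got" ]; then
            echo "missing $name"
        elif [ "$got" != "$want" ]; then
            echo "wrong $name: got '$got' (want '$want')"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "all Nextcloud headers present"
    return 0
}

# Usage (host name is an assumption):
#   sh check-nc-headers.sh https://cloud.example.com/
#   sh check-nc-headers.sh demo       # run against the constructed sample
case "${1:-}" in
    http*) curl -sS -o /dev/null -D - "$1" | check_headers ;;
    demo)  printf '%s\n' "$SAMPLE_HEADERS" | check_headers ;;
esac
```

One NGINX detail worth knowing when a header the server block sets still shows up as missing: add_header directives are inherited from the server level only if the location block has no add_header of its own, so adding a single add_header inside `location /` silently drops every header set one level up unless they are repeated there. Re-run the check after every reload rather than trusting the config file.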
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
Hey
These are the lines that you must add in the reverse proxy, where NextCloud is, so that it will function properly

Code:
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    # Match this to the upload size you set under PHP / Additional settings in NextCloud
    client_max_body_size 16400M;


I also recommend scanning at https://scan.nextcloud.com/ to check that all NextCloud security settings are configured correctly
Thanks for your reply. I have added these lines, but I still get the same message….
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
Thanks for your reply. I have added these lines, but I still get the same message….
Restart NGINX
and NextCloud's web server.
 