Strict-Transport-Security and other jails

Status
Not open for further replies.

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I've successfully added SSL to a jail with Nextcloud. If I add Strict-Transport-Security to the nginx.conf it forces https when referencing my external DDNS. This prevents me from accessing my Plex jail (not plugin) from http://myexternalddns.net:port#. How would I get my setup to go to Nextcloud with https://myexternalddns.net/nextcloud and Plex with https://myexternalddns.net:port#? Would I have to copy the SSL code from the Nextcloud nginx.conf and copy the pem files from /usr/local/etc/letsencrypt/live to the same directory in the other jail? Could I apply this to other jails running various plugins?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Set up a proxy server and have it handle SSL termination for your nextcloud jail.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
> Set up a proxy server and have it handle SSL termination for your nextcloud jail.

Thanks for pointing me in the right direction.
Can I just add
Code:
location /sonarr {
         proxy_pass http://192.168.1.156:8989;
         proxy_redirect off;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }

to my nginx.conf in the Nextcloud jail that is already set up for SSL per your post?
Do I have to make changes to the user interface?
[attached screenshot: sonarr proxy.jpg]

Port was changed to 8989
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
That's what you need to redirect to another IP listening on port 8989. Make sure it's listening on port 80 in your server block if you want an http connection. If you add it after your location block for Nextcloud it will try to serve it over https since Nextcloud is listening on port 443.

You don't need to make any changes in Nextcloud to make this function.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
> That's what you need to redirect to another IP listening on port 8989. Make sure it's listening on port 80 in your server block if you want an http connection. If you add it after your location block for Nextcloud it will try to serve it over https since Nextcloud is listening on port 443.
>
> You don't need to make any changes in Nextcloud to make this function.
Here is part of my server block
Code:
server {
        listen      80;
        listen      443 ssl;
        server_name  192.168.1.180;
         add_header Strict-Transport-Security "max-age=0; includeSubDomains; preload;";
#       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        root /usr/local/www;
        location = /robots.txt { allow all; access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; }

location /sonarr {
         proxy_pass http://192.168.1.156:8989;
         proxy_redirect off;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         }

        location ^~ /nextcloud {
            client_max_body_size 512M;
            error_page 403 /nextcloud/core/templates/403.php;
            error_page 404 /nextcloud/core/templates/404.php;
            location /nextcloud {


With this config, if I go to https://myexternaldomain/sonarr it works. But not on http://.....
So all the traffic from the https://... site is now encrypted even though I have not enabled SSL in Sonarr?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
You have to put your location block for sonarr above your listen 443 directive. Nginx reads the configuration from top to bottom in the server blocks and your location directive is listed after it's listening on port 443, and that's why it's being served over an encrypted connection. Something like this should work in place of what you have, with, of course, the rest of the nginx config in place.

Code:
server {
        listen      80;
        server_name  192.168.1.180;
        location /sonarr {
            proxy_pass http://192.168.1.156:8989;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

        listen      443 ssl;     
#       add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        root /usr/local/www;
        location = /robots.txt { allow all; access_log off; log_not_found off; }
        location = /favicon.ico { access_log off; log_not_found off; }


        location ^~ /nextcloud {
            client_max_body_size 512M;
            error_page 403 /nextcloud/core/templates/403.php;
            error_page 404 /nextcloud/core/templates/404.php;
            location /nextcloud }
    }
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
> You have to put your location block for sonarr above your listen 443 directive. Nginx reads the configuration from top to bottom in the server blocks and your location directive is listed after it's listening on port 443, and that's why it's being served over an encrypted connection. Something like this should work in place of what you have, with, of course, the rest of the nginx config in place.

Thanks, I didn't realize that.
But if I keep it the original way, with the proxy stuff below listen 80 and listen 443, and use https://externalIP/sonarr to access Sonarr, is it encrypted without turning on SSL in Sonarr?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
I'm not sure as I don't use sonarr and have no idea how it works.

Are you trying to access everything over an encrypted connection?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
> Are you trying to access everything over an encrypted connection?

Sure. Why not try.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
> Sure. Why not try.

Ok, I guess I misunderstood your original question then. I thought you were trying to exclude jails from being accessed via SSL.

Add your location blocks for each jail after the listen 443 and they should all work over an encrypted connection. If you want to access over an encrypted connection do not use Strict Transport Security.

As far as accessing Plex, why not use the certificate and encryption built into it to access it?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
> As far as accessing Plex, why not use the certificate and encryption built into it to access it?

I'm trying to give others access to my Plex on their iPad by going to http://myexternalIP:portforwardedtoserveronrouter without the Plex app. No problem from a computer with their login.

> If you want to access over an encrypted connection do not use Strict Transport Security.

I'm confused, I thought that Strict Transport Security forced the browser to use https://
That was the original problem preventing http:// access, as mentioned in the previous paragraph, when enabling STS.
I couldn't access Plex from https://myexternalIP:portforwardedtoserveronrouter after adding the proxy code after listen 443.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Ahh! Typo on my part, sorry about that. Strict Transport Security forces https after your initial visit to a site for the time period specified.

> I'm trying to give others access to my Plex on their iPad by going to http://myexternalIP:portforwardedtoserveronrouter without the Plex app.

Copy that. I'm not sure exactly how you would do that. I think there is a thread on the Plex forums that explains how to set this up.
 
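As an added example (not a config from the thread), here is how the two goals discussed above, Sonarr reachable over plain http and Nextcloud over https, can be expressed as two separate server blocks; in nginx a `listen` directive applies to the whole server block wherever it appears, so splitting the blocks is what actually decides which protocol a location is served on. The host name example.ddns.net, the certificate paths and the Plex port placeholder are assumptions; the Sonarr address is the one from the thread.

```nginx
# Added example, not from the thread. Assumed names: example.ddns.net,
# the letsencrypt paths below, and PLEX_PORT as a placeholder.

# Plain HTTP (port 80): Sonarr is served here without TLS.
# Any other path on port 80 is sent to the HTTPS block.
server {
    listen 80;
    server_name example.ddns.net;

    location /sonarr {
        proxy_pass http://192.168.1.156:8989;   # Sonarr jail, from the thread
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS (port 443): Nextcloud only.
# HSTS is deliberately NOT sent here: the browser caches the policy for the
# whole host name and ignores the port, so one visit to
# https://example.ddns.net/nextcloud would make it rewrite
# http://example.ddns.net/sonarr and http://example.ddns.net:PLEX_PORT
# to https:// for max-age seconds, which is the breakage described above.
server {
    listen 443 ssl;
    server_name example.ddns.net;

    ssl_certificate     /usr/local/etc/letsencrypt/live/example.ddns.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/example.ddns.net/privkey.pem;

    root /usr/local/www;

    # Enable only once every service on this host is served over HTTPS:
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location ^~ /nextcloud {
        client_max_body_size 512M;
        # the rest of the Nextcloud location block from the thread goes here
    }
}
```

A browser that already cached an HSTS policy for the host keeps upgrading to https until max-age expires; serving `Strict-Transport-Security "max-age=0"` over https, as NasKar's config above does, tells it to drop the cached policy.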