Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud

Shperrung
experienced User
Posts: 91
Joined: 04 Apr 2018 16:29
Status: Offline

Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud

#1

Post by Shperrung » 15 Jan 2019 14:07

Hi
This post was updated because I found a solution.
Big thanks to texneus for his post [HOWTO] NGiNX as a Reverse Proxy server in a Jail about reverse proxies. Based on his method I made a reverse proxy with Certbot and set up Nextcloud to use an https:// connection. Most of the settings are the same as texneus describes. I just added Certbot, modified nginx.conf and found the required parameters for config.php (Nextcloud).
As I wrote earlier, I need a single point of entry into my local network for connecting to Nextcloud, Emby, Transmission and others through a DDNS address, using a secured https:// connection provided by Let's Encrypt.
My XigmaNAS is connected to the Internet via an Asus RT-AC68U router. This router has free external ports 80 and 443, and I can use them for access without a custom port in the address. This router also has an option to get a DDNS name from various providers. I chose asuscomm.com.
Before starting the configuration, check the source parameters used below and modify them for your installation:
1. DDNS name allcash.asuscomm.com
2. Jail for nginx and Certbot at 192.168.1.32
3. Nextcloud on my host machine at 192.168.1.9:1111/Nextcloud/
4. Forwarded ports 80 -> 80 and 4443 -> 4443 for the Jail's IP 192.168.1.32

Try to follow the steps below in order, because some of them won't work if you break the order:
0. In XigmaNAS Services -> Webserver, set the type of connection to HTTP
1. Get a DDNS name
2. Create the Jail on 192.168.1.32
You can define any other IP address when you create the Jail, but don't forget to make the appropriate changes in the configuration files. Here you can find everything about Jails and TheBrig: viewtopic.php?f=79&t=3894
There are no special requirements for this jail. No folder mounting is needed, so you don't need fstab. I just recommend creating it as a Dataset instead of a simple folder because of the SSL certificates and sensitive information related to Let's Encrypt. After completing this setup I recommend taking a snapshot and ticking the check box at TheBrig -> Maintenance -> RudimentaryConfig -> Archive to have an archived copy of the jails when you delete them. It will be needed when you upgrade the XigmaNAS version, because jails always fail after an upgrade and the only way to restore them is creating them from the saved archive tarballs.
3. Forward the external router port 4443 to internal port 4443 of the Jail located at 192.168.1.32. This port will be used for access to all services.
4. Forward external port 80 to internal port 80 of the Jail at 192.168.1.32
It is important to keep port 80 open for Certbot. This application for issuing Let's Encrypt certificates can validate your domain only on port 80. It has to be forwarded before the nginx configuration and the Certbot run.
5. Enter the Jail via SSH

Code:

# jls
Find your jail number and run

Code:

# jexec 5
6. Create a folder and a file for a simple web page. This part is copied from texneus' post [HOWTO] NGiNX as a Reverse Proxy server in a Jail

Code:

# mkdir -p /mnt/www/webroot
# cat > /mnt/www/webroot/index.html <<'EOF'
<html>
   <head>
      <title>Hello</title>
   </head>
   <body> Hello World! </body>
</html>
EOF
Now change the owner/group to www so that Nginx can serve them:

Code:

# chown -R www:www /mnt/www/webroot
7. Install nginx and Certbot

Code:

# pkg update
# pkg install nginx py27-certbot
8. Configure nginx to work with Certbot. I'm using Midnight Commander for exploring inside the Jail and editing config files. You can install it:

Code:

# pkg install mc
Start it:

Code:

# mc
and enjoy)
Open the file /usr/local/etc/nginx/nginx.conf in an editor and insert the following text with your domain name and the jail's IP:

Code:

# Run the server as the default FreeBSD web user
user www;

# Documentation says to set this to the number of CPU cores; however, unless this is
# a very busy server it's hard to believe that more than 2 worker processes are necessary
worker_processes 2;

# Defines the max number of connections per worker. Unless this is a busy server a much lower number should suffice
events {
    worker_connections 50;
}

# Nginx log paths (information only, do not enable these lines)
# Access Log:  /var/log/nginx/access.log
# Error Log:   /var/log/nginx/error.log
# PID:         /var/run/nginx.pid

http {
    server_tokens off;                  # Disable reporting of NGINX version info

    # Plain HTTP site on port 80: serves the test page and the Certbot webroot challenge
    server {
        listen 80;
        server_name allcash.asuscomm.com 192.168.1.32;
        root /mnt/www/webroot;
    }
}
Check the nginx.conf syntax:

Code:

# nginx -t
Enable Nginx as a daemon at jail startup:

Code:

# echo 'nginx_enable="YES"' >> /etc/rc.conf
Start the service:

Code:

# service nginx start
This is needed for Certbot to validate your domain and provide certificates. It creates the folders and certificate files that will be used in the later nginx.conf edit.
9. Check that your simple web page is accessible. Type http://allcash.asuscomm.com in the browser address line; a blank page with "Hello World!" means that you did everything right and your reverse proxy server is ready for Certbot.
10. Let Certbot do its work (all commands and file edits are performed inside the reverse proxy Jail!):

Code:

# certbot certonly --webroot -w /mnt/www/webroot -d allcash.asuscomm.com
This is a sensitive moment because Certbot will ask for your name and e-mail address and try to check your domain. It means that the "guys" from Let's Encrypt come into your jail and create the required SSL certificates. If you created the web page and the initial nginx configuration correctly, you'll be told where your credentials and certificates are saved.
11. Check the folder /usr/local/etc/letsencrypt/live/allcash.asuscomm.com/. You will see your SSL certificates.
Your domain now has certificates valid for 3 months. Set a cron job for renewal as recommended by the developers:

Code:

# echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew --post-hook 'service nginx reload'" | tee -a /etc/crontab > /dev/null
12. Stop nginx and configure it for https:// (you may skip stopping it and just reload the nginx configuration file if you know how to do that):

Code:

# service nginx stop
Open /usr/local/etc/nginx/nginx.conf in an editor and make it like this (it's the full content of nginx.conf, including the previous settings for the web page on port 80):

Code:

# Run the server as the default FreeBSD web user
user www;

# Documentation says to set this to the number of CPU cores; however, unless this is
# a very busy server it's hard to believe that more than 2 worker processes are necessary
worker_processes 2;

# Defines the max number of connections per worker. Unless this is a busy server a much lower number should suffice
events {
    worker_connections 50;
}

# Nginx log paths (information only, do not enable these lines)
# Access Log:  /var/log/nginx/access.log
# Error Log:   /var/log/nginx/error.log
# PID:         /var/run/nginx.pid

http {
    server_tokens off;                  # Disable reporting of NGINX version info

    # Plain HTTP site on port 80: serves the test page and the Certbot webroot challenge
    server {
        listen 80;
        server_name allcash.asuscomm.com 192.168.1.32;
        root /mnt/www/webroot;
    }

    # HTTPS reverse proxy on port 4443
    server {
        server_name allcash.asuscomm.com;
        listen 4443 ssl;                # Listen on 4443 for HTTPS
        access_log off;
        # Allow transfers of files up to 10 GB; needed when Nextcloud is behind this proxy. Set the value you need.
        client_max_body_size 10G;

        # SSL certificate & key for HTTPS; the files and their paths are created by Certbot
        ssl_certificate         /usr/local/etc/letsencrypt/live/allcash.asuscomm.com/fullchain.pem;
        ssl_certificate_key     /usr/local/etc/letsencrypt/live/allcash.asuscomm.com/privkey.pem;
        ssl_trusted_certificate /usr/local/etc/letsencrypt/live/allcash.asuscomm.com/chain.pem;

        # OCSP stapling needs a DNS resolver; 127.0.0.1 only helps if a resolver runs inside the jail,
        # otherwise keep just the public one
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 127.0.0.1 8.8.8.8;

        # Block falling back to http:// (HSTS)
        add_header Strict-Transport-Security "max-age=31536000";

        # Far-future caching headers; at server scope this also applies to proxied locations
        expires max;

        # Defines the home page
        location / {
            root  /mnt/www/webroot;
            index index.html;
        }

        ########################################
        # Insert specific reverse proxy server blocks here
        ########################################
    }
}
Check the syntax:

Code:

# nginx -t
Start nginx:

Code:

# service nginx start
Try to open your web page using https://allcash.asuscomm.com:4443. If you see "Hello World!" you may smile) and find that your domain is validated by LE.
You can try forwarding internal port 4443 to external port 443, and I think the address will then be https://allcash.asuscomm.com without a port number. Just be sure that your router doesn't use 443 for its own needs.
13. The reverse proxy is ready for custom settings for Emby, Nextcloud, Transmission and others. Read texneus' how-to post for "Specific reverse proxy server blocks" and insert them into nginx.conf as you need.
From my side, see below the block for Nextcloud.

Nextcloud configuration
Edit nginx.conf, pasting the specific block for Nextcloud. Don't ask me how it works; I found it on Yandex and Google. Amendments and corrections are appreciated if you know more:

Code:

        # Proxy to the Nextcloud server
        location /Nextcloud {
            proxy_pass         http://192.168.1.9:1111/Nextcloud;
            proxy_redirect     off;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host $server_name;
        }
Edit config.php in the Nextcloud installation folder.
At the beginning of the file, enter the trusted domains:

Code:

$CONFIG = array (
  'instanceid' => 'private value',
  'passwordsalt' => 'private value',
  'secret' => 'private value',
  'trusted_domains' =>
  array (
    0 => '192.168.1.9:1111',
    1 => 'allcash.asuscomm.com',
  ),

At the end of the file, add information about the trusted proxies. It's important to set "localhost" here:

Code:

  'trusted_proxies'   =>
  array (
    0 => '192.168.1.32',
    1 => 'localhost',
    2 => 'allcash.asuscomm.com',
  ),
  'overwritehost'     => 'allcash.asuscomm.com:4443',
  'overwriteprotocol' => 'https',
  'overwritewebroot'  => '/Nextcloud',

Check that the last row ends with:

Code:

 );
With these config.php settings all requests will be redirected through https://allcash.asuscomm.com:4443/Nextcloud/. In other words, if you try to enter http://192.168.1.9:1111/Nextcloud/ you will be redirected to https://allcash.asuscomm.com:4443/Nextcloud/. If you don't like it, try to find a solution, because it's outside of my understanding.
Last edited by Shperrung on 13 Aug 2019 16:46, edited 24 times in total.
11.2.0.4 - Omnius (revision 6177)
ASRock J3710-ITX, LAN: Realtek RTL8111GR; 16Gb RAM; WD 1Tbx2, WD 2Tb; UPS Powercom WOW500U.
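As an added example (not code from the post or from the XigmaNAS project), here is a small Python audit that parses an nginx.conf like the one in the how-to and checks its HTTPS server block for the settings the setup depends on: certificate and key, the HSTS header, the resolver and trusted chain that OCSP stapling needs, and a resolver address whose host octet is 0 (such as 127.0.0.0, a network address rather than a host). The sample configuration and the zero-octet heuristic are my own constructions.

```python
import re

TOKEN = re.compile(r'#[^\n]*|"[^"]*"|[{};]|[^\s{};#"]+')   # comment | quoted value | punctuation | word

def parse(text):
    """nginx.conf text -> nested (name, args, children) tuples; children is None for simple directives."""
    stack, args = [[]], []
    for tok in (t for t in TOKEN.findall(text) if t[0] != '#'):   # comment tokens are dropped
        if tok == '{':                        # block directive: descend into its child list
            stack[-1].append((args[0], args[1:], []))
            stack.append(stack[-1][-1][2])
        elif tok == ';':                      # simple directive
            stack[-1].append((args[0], args[1:], None))
        elif tok == '}':
            stack.pop()
        else:
            args.append(tok.strip('"'))
            continue
        args = []
    return stack[0]

def find(block, name):
    return [d for d in block if d[0] == name]

def audit_tls_server(server):
    """Findings for one `listen ... ssl` server block; an empty list means nothing to report."""
    names = {d[0] for d in server}
    found = [f'missing {r}' for r in ('ssl_certificate', 'ssl_certificate_key') if r not in names]
    if not any(d[1][:1] == ['Strict-Transport-Security'] for d in find(server, 'add_header')):
        found.append('no Strict-Transport-Security header')
    if any(d[1] == ['on'] for d in find(server, 'ssl_stapling')):   # OCSP stapling needs both of these
        found += [f'ssl_stapling on but no {r}' for r in ('resolver', 'ssl_trusted_certificate') if r not in names]
    for addr in (a for d in find(server, 'resolver') for a in d[1] if '=' not in a):   # skip valid=/ipv6=
        octets = addr.split('.')
        if len(octets) == 4 and octets[-1] == '0':   # heuristic: host octet 0 (e.g. 127.0.0.0) is a network, not a host
            found.append(f'resolver {addr} looks like a network address, not a resolver host')
    return found

def audit(text):
    """{server_name: findings} for every `listen ... ssl` server block under http {}."""
    report = {}
    for http in find(parse(text), 'http'):
        for s in find(http[2], 'server'):
            if any('ssl' in d[1] for d in find(s[2], 'listen')):
                report[find(s[2], 'server_name')[0][1][0]] = audit_tls_server(s[2])
    return report

# Constructed sample condensed from the post's HTTPS server block, with a deliberately bad resolver address.
SAMPLE = """http { server_tokens off;
  server { listen 80; server_name allcash.asuscomm.com 192.168.1.32; root /mnt/www/webroot; }
  server { server_name allcash.asuscomm.com; listen 4443 ssl;
    ssl_certificate LIVE/fullchain.pem; ssl_certificate_key LIVE/privkey.pem;
    ssl_trusted_certificate LIVE/chain.pem; ssl_stapling on; ssl_stapling_verify on;
    resolver 127.0.0.0 8.8.8.8; add_header Strict-Transport-Security "max-age=31536000"; } }
""".replace('LIVE', '/usr/local/etc/letsencrypt/live/allcash.asuscomm.com')
```

Running `audit(SAMPLE)` reports only the resolver finding; point it at the real file (`audit(open('/usr/local/etc/nginx/nginx.conf').read())`) after `nginx -t` passes.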

raulfg3
Site Admin
Posts: 4914
Joined: 22 Jun 2012 22:13
Location: Madrid (ESPAÑA)
Status: Offline

Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot

#2

Post by raulfg3 » 17 Jan 2019 15:30

12.0.0.4 - BETA (revision 6625)+OBI on SUPERMICRO X8SIL-F 8GB of ECC RAM, 12x3TB disk in 3 vdev in RaidZ1 = 32TB Raw size only 22TB usable


Snufkin
Advanced User
Posts: 281
Joined: 01 Jul 2012 11:27
Location: Etc/GMT-3 (BSD style)
Status: Offline

Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot

#3

Post by Snufkin » 17 Jan 2019 21:18

Shperrung wrote:
15 Jan 2019 14:07
Hi
Since there is still no solution to implement an SSL certificate into Embedded XigmaNAS, I would ask experienced members for guidance on how to set up a "reverse proxy".
I found a similar thread in the French section but I'm not sure that it fully meets my needs. There are no words about SSL and I don't have the experience to modify that tutorial for my needs: viewtopic.php?f=94&t=9496&p=58835&hilit ... oxy#p58835
I also can't explain what a CNAME is and how to apply it. It is also unclear what additional parameters have to be pasted into the XigmaNAS webserver lighttpd.
So I have the following:
1. DDNS address nube.asuscomm.com and an open external port 44444 in the router, redirected to the internal Jail port 192.168.1.30:443
2. XigmaNAS webserver on port 23456 located in /mnt/RAID/www
3. nginx web-server in Jail 192.168.1.30 with Certbot. All settings, paths and ports are default.
How to combine these in a "reverse proxy" to get https://nube.asuscomm.com:44444/Nextowncloud/ through nginx in the Jail to the host http://192.168.1.4:23456/Nextowncloud/ ?
Thanks for any advice.
Please, Shperrung, correct me if I'm wrong:
  1. The Nginx web server and the Certbot ACME client are both installed in a single XigmaNAS jail.
  2. Nextcloud is installed in the host XigmaNAS system (by OBI) and not in a jail.
  3. The domain name is issued by the ASUS dynamic DNS service.
If the above is correct, I would skip the jail, nginx and Certbot and look at the acme.sh client.
raulfg3 wrote:
17 Jan 2019 15:30
read: viewtopic.php?p=87785#p87785
Thanks raulfg3 for your advice to look at the dedicated thread.
I would start from the 3. Lighttpd settings topic.
XNAS 11.2.0.4 embedded, ASUS P5B-E, Intel DC E6600, 4 GB DDR2, 2 x HGST HDN726040ALE614, 2 x WDC WD5000AAKS, Ippon Back Power Pro 400

Shperrung
experienced User
Posts: 91
Joined: 04 Apr 2018 16:29
Status: Offline

Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot

#4

Post by Shperrung » 17 Jan 2019 22:17

Thanks for pointing to that topic. I am already following it for updates and waiting for a working tutorial.
It would be really good if you finalize the guidance. I will try it first. Thank you for your input into XigmaNAS! It's a really necessary thing.
11.2.0.4 - Omnius (revision 6177)
ASRock J3710-ITX, LAN: Realtek RTL8111GR; 16Gb RAM; WD 1Tbx2, WD 2Tb; UPS Powercom WOW500U.

texneus
Starter
Posts: 23
Joined: 12 Oct 2017 05:02
Status: Offline

Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot

#5

Post by texneus » 21 Jan 2019 00:18

I just posted this how-to to share what I learned the hard way with Nginx and reverse proxies. Hopefully there is enough there to get you thinking about what needs to be done, but I don't use Nextowncloud. To get Nextowncloud working with an Nginx reverse proxy your best bet will be to read up on any Nextowncloud wiki/documentation, google searching, or just ask in the Nextowncloud forum for an Nginx configuration file. Odds are somebody has figured out what needs to be done already.

Shperrung
experienced User
Posts: 91
Joined: 04 Apr 2018 16:29
Status: Offline

Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot

#6

Post by Shperrung » 18 Mar 2019 20:49

The first post was updated with [HOW TO] solution.
11.2.0.4 - Omnius (revision 6177)
ASRock J3710-ITX, LAN: Realtek RTL8111GR; 16Gb RAM; WD 1Tbx2, WD 2Tb; UPS Powercom WOW500U.

Shperrung
experienced User
Posts: 91
Joined: 04 Apr 2018 16:29
Status: Offline

Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud

#7

Post by Shperrung » 16 Apr 2019 23:11

Relevant update in the nginx.conf sample that sets the maximum transferred file size. It is needed for Nextcloud functionality.

Code:

client_max_body_size 10G;
11.2.0.4 - Omnius (revision 6177)
ASRock J3710-ITX, LAN: Realtek RTL8111GR; 16Gb RAM; WD 1Tbx2, WD 2Tb; UPS Powercom WOW500U.

socaltek
NewUser
Posts: 2
Joined: 23 May 2019 17:43
Status: Offline

Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud

#8

Post by socaltek » 28 May 2019 00:03

Thanks for sharing a how-to! It was very helpful for setting up my home PC after I gave it to my friend for a month.

Shperrung
experienced User
Posts: 91
Joined: 04 Apr 2018 16:29
Status: Offline

Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud

#9

Post by Shperrung » 13 Aug 2019 09:04

Hi!
Certbot got some changes that broke LE cert renewal. An installation like in the 1st post is now not working because of the new Certbot version:

Code:

# pkg install py36-certbot
I removed (remove and autoremove) py27-certbot and installed the latest version. The Jail was updated to the 11.2 p13 release.
Unfortunately I get an error message while trying to test certificate issuance:

Code:

root@reverse:/ # certbot renew --dry-run
Fatal Python error: failed to get random numbers to initialize Python

Abort
root@reverse:/ # certbot certonly --dry-run -d mysite.com -d
Fatal Python error: failed to get random numbers to initialize Python

Abort
root@reverse:/ # sudo certbot certonly --webroot
Fatal Python error: failed to get random numbers to initialize Python

Abort
Does anybody know how to fix it?
Maybe https://github.com/Neilpang/acme.sh/wiki/How-to-install would be a better solution?
11.2.0.4 - Omnius (revision 6177)
ASRock J3710-ITX, LAN: Realtek RTL8111GR; 16Gb RAM; WD 1Tbx2, WD 2Tb; UPS Powercom WOW500U.
