This is the old XigmaNAS forum in read-only mode,
it will be taken offline by the end of March 2021!
I would like to ask users and admins to rewrite/take over important posts from here into the new main forum!
It's not possible for us to export from here and import into the main forum!
Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud
-
Shperrung
- experienced User

- Posts: 138
- Joined: 04 Apr 2018 16:29
- Status: Offline
Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud
Hi
This post was updated because I found a solution.
Big thanks to texneus for his post [HOWTO] NGiNX as a Reverse Proxy server in a Jail. Based on his method I made a reverse proxy with Certbot and set up Nextcloud to use an https:// connection. Most of the settings are the same as texneus describes. I just added Certbot, modified nginx.conf and found the required parameters for config.php (Nextcloud).
As I wrote earlier, I need a single point of entry into my local network for connecting to Nextcloud, Emby, Transmission and others through a DDNS address, using a secured https:// connection with a certificate from Let's Encrypt.
My XigmaNAS is connected to the Internet via an Asus RT-AC68U router. This router has external ports 80 and 443 free, so I can use them for access without a custom port in the address. The router also has an option to get a DDNS name from various providers. I chose asuscomm.com.
Follow this updated article for setting up your nginx proxy: https://www.xigmanas.com/forums/viewtop ... 778#p91778
Last edited by Shperrung on 07 May 2020 09:59, edited 28 times in total.
ASRock J3710-ITX, 16Gb RAM; RAID-Z 4Tx3HDD, 2T Stripe; UPS
Debian+OMV+ZFS
- raulfg3
- Site Admin

- Posts: 4865
- Joined: 22 Jun 2012 22:13
- Location: Madrid (ESPAÑA)
- Contact:
- Status: Offline
Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot
12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)
Wiki
Last changes
HP T510
- Snufkin
- Advanced User

- Posts: 317
- Joined: 01 Jul 2012 11:27
- Location: Etc/GMT-3 (BSD style)
- Status: Offline
Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot
Please, Shperrung, correct me if I'm wrong.
Shperrung wrote: ↑15 Jan 2019 14:07
Hi
Since there is still no solution for implementing an SSL certificate in embedded XigmaNAS, I would like to ask experienced members for guidance on how to set up a "reverse proxy".
I found a similar thread in the French section but I'm not sure that it fully meets my needs. There is no word about SSL and I don't have the experience to adapt that tutorial to my needs: viewtopic.php?f=94&t=9496&p=58835&hilit ... oxy#p58835
I also can't explain what a CNAME is and how to apply it. It is also unclear what additional parameters have to be pasted into the XigmaNAS web server lighttpd.
So I have the following:
1. DDNS address nube.asuscomm.com and open external port 44444 on the router, redirected to the internal jail port 192.168.1.30:443
2. XigmaNAS web server on port 23456 located in /mnt/RAID/www
3. nginx web server in jail 192.168.1.30 with Certbot. All settings, paths and ports are default.
How do I combine these into a "reverse proxy" to get https://nube.asuscomm.com:44444/Nextowncloud/ through nginx in the jail to the host at http://192.168.1.4:23456/Nextowncloud/ ?
Thanks for any advice.
- The Nginx web server and Certbot ACME client are both installed in a single XigmaNAS jail.
- Nextcloud is installed in the host XigmaNAS system (by OBI) and not in a jail.
- The domain name is issued by the ASUS dynamic DNS service.
Thanks raulfg3 for your advice to look at the dedicated thread.
I would start from the "3. Lighttpd settings" topic.
XNAS 11.4.0.4 embedded, ASUS P5B-E, Intel DC E6600, 4 GB DDR2
ZFS 2 x HGST HDN726040ALE614, L2ARC PLEXTOR PX-128M5S
-
Shperrung
- experienced User

- Posts: 138
- Joined: 04 Apr 2018 16:29
- Status: Offline
Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot
Thanks for pointing to that topic. I am already following it for updates and waiting for a working tutorial.
It would be really good if you finalized the guidance. I will try it first. Thank you for your input into XigmaNAS! It's a really necessary thing.
ASRock J3710-ITX, 16Gb RAM; RAID-Z 4Tx3HDD, 2T Stripe; UPS
Debian+OMV+ZFS
-
texneus
- Starter

- Posts: 16
- Joined: 12 Oct 2017 05:02
- Status: Offline
Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot
I just posted this how-to to share what I learned the hard way with Nginx and reverse proxies. Hopefully there is enough there to get you thinking about what needs to be done, but I don't use Nextowncloud. To get Nextowncloud working with an Nginx reverse proxy your best bet will be to read up on any Nextowncloud wiki/documentation, do some Google searching, or just ask in the Nextowncloud forum for an Nginx configuration file. Odds are somebody has figured out what needs to be done already.
-
Shperrung
- experienced User

- Posts: 138
- Joined: 04 Apr 2018 16:29
- Status: Offline
Re: Reverse proxy for lighttpd to/from nginx web-server in jail with LetsEncrypt Certbot
The first post was updated with the [HOW TO] solution.
ASRock J3710-ITX, 16Gb RAM; RAID-Z 4Tx3HDD, 2T Stripe; UPS
Debian+OMV+ZFS
-
Shperrung
- experienced User

- Posts: 138
- Joined: 04 Apr 2018 16:29
- Status: Offline
Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud
Relevant update in the nginx.conf sample that sets the maximum transferred file size. It is needed for Nextcloud functionality.
Code:
client_max_body_size 10G;
ASRock J3710-ITX, 16Gb RAM; RAID-Z 4Tx3HDD, 2T Stripe; UPS
Debian+OMV+ZFS
- socaltek
- NewUser

- Posts: 2
- Joined: 23 May 2019 17:43
- Status: Offline
Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud
Thanks for sharing a how-to! It was very helpful for setting up my home PC after I gave it to my friend for a month.
-
Shperrung
- experienced User

- Posts: 138
- Joined: 04 Apr 2018 16:29
- Status: Offline
Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud
Hi!
Certbot got some changes that broke LE cert renewal. An installation like in the 1st post is now not working because of an unknown problem. I suspect the jail upgrade to version 11.2 p13.
ASRock J3710-ITX, 16Gb RAM; RAID-Z 4Tx3HDD, 2T Stripe; UPS
Debian+OMV+ZFS
-
Shperrung
- experienced User

- Posts: 138
- Joined: 04 Apr 2018 16:29
- Status: Offline
Re: Reverse proxy Nginx in jail with LetsEncrypt Certbot + settings for Nextcloud
New method for creating a jail with nginx + Let's Encrypt certs, configured as a reverse proxy. The main idea and source information were taken from here: https://forums.freebsd.org/threads/howt ... -sh.61231/
First:
1. Forward external ports 80 and 443 on your router to the internal IP 192.168.1.32 (that is just an example, change it to any other).
2. Create and start the jail. I recommend making it a dataset.
3. Get a domain name or DDNS name for external access to your router. You can also use an IP address if it is permanent.
Let's say Nextcloud is installed on the host using OBI at http://192.168.1.4:23456/Nextcloud.
4. Follow the tutorial below. You can take the full text of this post and replace "allcash.asuscomm.com" with your domain and the other IP addresses with the ones you are using.
Start:
Install the acme.sh agent and nginx:
Code:
pkg install security/acme.sh nginx mc
Create the web-root folders:
Code:
mkdir -p /mnt/www/webroot/
chown -R root:www /mnt/www/webroot/
chmod -R 0555 /mnt/www
Create a simple web page for "diagnostic" purposes. Copy-paste the text below; the last empty row is also needed. Then press CTRL+c:
Code:
cat>/mnt/www/webroot/index.html
<html>
<head>
<title>Hello</title>
</head>
<body> Hello World! </body>
</html>

Create folders for the key and certificates:
Code:
mkdir -p /usr/local/etc/nginx/ssl/allcash.asuscomm.com/
Create a place to store the certificate with permissions to read and write for anyone. It is needed to provide RW access for acme.sh and read access for nginx:
Code:
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key
touch /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer
chmod -R 0555 /usr/local/etc/nginx/ssl
Remove the default nginx configuration file:
Code:
rm /usr/local/etc/nginx/nginx.conf
Create a new nginx.conf. Copy-paste the text below; the last empty row is needed. Then press CTRL+c:
Code:
cat>/usr/local/etc/nginx/nginx.conf
# Run the server as the default FreeBSD web user
user www;
# Documentation says to set this to the number of CPU cores, however unless this is
# a very busy server it's hard to believe that more than 2 threads are necessary
worker_processes 2;
# Defines the max number of connections. Unless this is a busy server a much lower number should suffice
events {
    worker_connections 50;
}
# Nginx log paths (information only, do not enable these lines)
# Access Log: /var/log/nginx/access.log
# Error Log: /var/log/nginx/error.log
# PID: /var/run/nginx.pid
http {
    server_tokens off; # Disable reporting of NGINX version info
    server {
        listen 80;
        server_name allcash.asuscomm.com;
        root /mnt/www/webroot;
        # Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/www/webroot/.well-known/acme-challenge/;
        }
    }
    # add here ssl section
}

Let nginx use the new config. That is an intermediate web server for validation of your domain. We will replace it with the full config after getting the certificates.
Code:
chown www:www /usr/local/etc/nginx/nginx.conf
Enable nginx as a daemon at jail startup and start it:
Code:
echo 'nginx_enable="YES"' >> /etc/rc.conf
service nginx restart
Issue the real certificate:
Code:
acme.sh --issue -d allcash.asuscomm.com -w /mnt/www/webroot
Install the certificate to the location specified in the full nginx config:
Code:
acme.sh --install-cert -d allcash.asuscomm.com \
  --cert-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer \
  --key-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key \
  --fullchain-file /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer \
  --reloadcmd "service nginx restart"
The source guidance for the FreeBSD setup recommends modifying sudo and giving the "acme" user SU rights to reload nginx. The webroot method of certificate renewal requires reloading nginx. I faced problems with the password request for sudo despite the added rights for the "acme" user. I decided to use the root user for the cron job. I don't see safety problems in a jail in case of operations under root.
Create the cron job:
Code:
crontab -e
Press a (append mode) and enter this line:
Code:
45 1 * * * /usr/local/sbin/acme.sh --cron --home /var/db/acme/.acme.sh --reloadcmd "service nginx restart"
Press ESC twice, type :wq! and press Enter.
sudo and cron are edited with the vi text editor. If you typed something wrong and you need to drop the changes, press ESC twice and type :q! . Read the vi manual in case of significant problems))
Now we make the new nginx.conf with the full settings, including references to the certificate and key. Remove the default nginx configuration file:
Code:
rm /usr/local/etc/nginx/nginx.conf
Create the new nginx.conf. Take my draft below and replace "allcash.asuscomm.com", the IPs and the ports with yours in any text editor, copy the text and paste it into the terminal. The last empty row is necessary. Then press CTRL+c:
Code:
cat>/usr/local/etc/nginx/nginx.conf
# Run the server as the default FreeBSD web user
user www;
# Documentation says to set this to the number of CPU cores, however unless this is
# a very busy server it's hard to believe that more than 2 threads are necessary
worker_processes 2;
# Defines the max number of connections. Unless this is a busy server a much lower number should suffice
events {
    worker_connections 50;
}
# Nginx log paths (information only, do not enable these lines)
# Access Log: /var/log/nginx/access.log
# Error Log: /var/log/nginx/error.log
# PID: /var/run/nginx.pid
http {
    server_tokens off; # Disable reporting of NGINX version info
    server {
        listen 80;
        server_name allcash.asuscomm.com;
        root /mnt/www/webroot;
        # Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/www/webroot/.well-known/acme-challenge/;
        }
    }
    # Define the HTTPS reverse proxy on port 443.
    server {
        server_name allcash.asuscomm.com;
        listen 443 ssl;
        access_log off; # extra
        # extra: needed to allow transfer of files up to 10 GB in size. It is relevant when you
        # reach Nextcloud via this proxy. You can set the value that you need.
        client_max_body_size 10G;
        ssl_certificate /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.cer;
        ssl_certificate_key /usr/local/etc/nginx/ssl/allcash.asuscomm.com/allcash.asuscomm.com.key;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        ssl_session_cache shared:SSL:10m;
        ssl_trusted_certificate /usr/local/etc/nginx/ssl/allcash.asuscomm.com/fullchain.cer;
        ssl_prefer_server_ciphers on;
        ## Improves TTFB by using a smaller SSL buffer than the nginx default
        ssl_buffer_size 8k;
        ## Enables OCSP stapling
        ssl_stapling on;
        # DNS servers used for the OCSP stapling lookups; they must be reachable from the jail
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        ssl_stapling_verify on;
        ## Send header to tell the browser to prefer https to http traffic
        add_header Strict-Transport-Security max-age=31536000;
        expires max; # extra
        # Defines a home page
        location / {
            root /mnt/www/webroot;
            index index.html;
        }
        # extra: Let's Encrypt webroot
        location /.well-known/acme-challenge/ {
            alias /mnt/www/webroot/.well-known/acme-challenge/;
        }
        # caldav and carddav additional configuration for proper Nextcloud redirect. Uncomment and adjust the folder path where your Nextcloud is installed
        # location = /.well-known/carddav {
        #     return 301 https://allcash.asuscomm.com/nextcloud/remote.php/dav;
        # }
        # location = /.well-known/caldav {
        #     return 301 https://allcash.asuscomm.com/nextcloud/remote.php/dav;
        # }
        #-------- END SSL config -------##
        # Add the rest of your config below, like document path and more ##
        # Proxy to the Nextcloud server
        location /Nextcloud {
            proxy_pass http://192.168.1.4:23456/Nextcloud;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
        }
        location /transmission {
            proxy_pass http://192.168.1.4:9091;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

Check the nginx syntax:
Code:
nginx -t
Code:
service nginx restart
Check access to https://allcash.asuscomm.com and check the new certificate validation data.
Edit config.php in the Nextcloud installation folder.
At the beginning of the file enter the trusted domains:
Code:
$CONFIG = array (
  'instanceid' => 'private value',
  'passwordsalt' => 'private value',
  'secret' => 'private value',
  'trusted_domains' =>
  array (
    0 => '192.168.1.4:23456',
    1 => 'allcash.asuscomm.com',
  ),
At the end of the file add the information about trusted proxies. It's relevant to set "localhost" here:
Code:
  'trusted_proxies' =>
  array (
    0 => '192.168.1.32',
    1 => 'localhost',
    2 => 'allcash.asuscomm.com',
  ),
You can also add the following for strict redirection of all requests over the DDNS address and https:// connection:
Code:
  'overwritehost' => 'allcash.asuscomm.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot' => '/Nextcloud',
Check that the last row ends with
Code:
);
That's all.
Update 2 Sep 2019: the cron job section was simplified.
Update 3 Apr 2020: I found a solution to resolve the "caldav...carddav" error for Nextcloud. The proxy has to have the proper redirect for both even though it is already configured in the host web server where Nextcloud is installed. I added the required parameters into the config text but they are fully commented out because you need to change your domain name and folder path and then uncomment these rows to test it.
Code:
# caldav and carddav additional configuration for proper Nextcloud redirect. Uncomment and adjust the folder path where your Nextcloud is installed
# location = /.well-known/carddav {
#     return 301 https://allcash.asuscomm.com/nextcloud/remote.php/dav;
# }
# location = /.well-known/caldav {
#     return 301 https://allcash.asuscomm.com/nextcloud/remote.php/dav;
# }
I recommend doing it last, after successful setup of the main configuration.
ASRock J3710-ITX, 16Gb RAM; RAID-Z 4Tx3HDD, 2T Stripe; UPS
Debian+OMV+ZFS
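The setup described in the first post and worked out in the how-to above terminates TLS in the jail and hands plain HTTP to the host, so the exposure on ports 80/443 comes down to the 443 server block and to what the backend is told about the original request. The following script is an added example for this thread, not code from the post, nginx or Nextcloud: it parses nginx.conf syntax (directives, blocks, comments, quoted values) and flags the four things in the posted HTTPS block that a practitioner would tighten before exposing it: TLS 1.0/1.1 still enabled, 3DES in the cipher list, HSTS without `always`, and no X-Forwarded-Proto for the backend (the post compensates on the Nextcloud side with `overwriteprotocol`, which is fine for Nextcloud but tells the other proxied services nothing). POSTED_CONFIG is a constructed, trimmed copy of the posted block with its host name, paths and IPs; HARDENED_CONFIG is this example's suggested fix and is not something the post contains. Two caveats on the posted steps that the script does not cover: `chmod -R 0555 /usr/local/etc/nginx/ssl` leaves the private key readable by every user in the jail, while 0600 owned by root is enough because the nginx master process reads the key as root before the workers drop to `www` and the renewal cron job already runs as root; and Nextcloud documents `trusted_proxies` as a list of IP addresses and CIDR ranges, so of the three entries posted it is the proxy's address 192.168.1.32 that does the work.

```python
"""Audit an nginx TLS-terminating reverse proxy config for weak settings.
Added example for this thread, not code from the post, nginx or Nextcloud.
The sample below is a constructed, trimmed copy of the posted HTTPS server
block (its host name, paths and IPs); the checks are this example's own."""
import re


def parse_nginx(text):
    """Minimal nginx parser: '#' comments, ';' directives, '{ ... }' blocks, quotes.
    Returns (name, [args], body) tuples; body is a list for a block, None otherwise."""
    text = re.sub(r"#[^\n]*", "", text)  # comments run to end of line
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', text)
    pos = 0

    def block():
        nonlocal pos
        out = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";"):
                words.append(tokens[pos].strip("\"'"))
                pos += 1
            if pos == len(tokens):
                raise ValueError("unterminated directive: " + " ".join(words))
            terminator, pos = tokens[pos], pos + 1
            body = None
            if terminator == "{":
                body = block()
                pos += 1  # consume the closing '}'
            out.append((words[0], words[1:], body))
        return out

    return block()


def audit(text):
    """Return findings for a proxy that terminates TLS for a plain-HTTP backend."""
    findings = []

    def visit(directives):
        for name, args, body in directives:
            if name == "ssl_protocols":
                weak = [p for p in args if p in ("SSLv3", "TLSv1", "TLSv1.1")]
                if weak:
                    findings.append(f"ssl_protocols enables deprecated {', '.join(weak)}; "
                                    "use 'TLSv1.2 TLSv1.3'")
            elif name == "ssl_ciphers" and args and "+3DES" in args[0]:
                findings.append("ssl_ciphers permits 3DES (64-bit block, Sweet32); drop it")
            elif (name == "add_header" and args
                  and args[0].lower() == "strict-transport-security"
                  and "always" not in args):
                findings.append("HSTS add_header lacks 'always': nginx adds it only to "
                                "2xx/3xx responses, so error pages go out without it")
            elif name == "location" and body and any(d[0] == "proxy_pass" for d in body):
                sent = {d[1][0].lower() for d in body if d[0] == "proxy_set_header" and d[1]}
                for header in ("x-forwarded-for", "x-forwarded-proto"):
                    if header not in sent:
                        findings.append(f"location {' '.join(args)}: proxy_pass without "
                                        f"proxy_set_header {header}; the backend cannot "
                                        "tell the real client address/scheme")
            if body:
                visit(body)

    visit(parse_nginx(text))
    return findings


# Constructed sample: the posted HTTPS server block, trimmed to the checked lines.
POSTED_CONFIG = """
http {
    server {
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        add_header Strict-Transport-Security max-age=31536000;
        location /Nextcloud {
            proxy_pass http://192.168.1.4:23456/Nextcloud;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
"""

# The same block with each finding fixed (this example's suggestion, not the post's).
HARDENED_CONFIG = """
http {
    server {
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!DSS:!3DES;
        add_header Strict-Transport-Security "max-age=31536000" always;
        location /Nextcloud {
            proxy_pass http://192.168.1.4:23456/Nextcloud;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *audit(cfg), sep="\n  ")
```

Run it against the real file with `audit(open("/usr/local/etc/nginx/nginx.conf").read())` inside the jail; `audit(POSTED_CONFIG)` returns the four findings above in directive order and `audit(HARDENED_CONFIG)` returns an empty list. The parser deliberately does not evaluate `include`, so point it at the file that actually holds the `server` blocks.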