# Installing reverse proxy on ClearOS that uses certificates
This guide will help you install and configure a reverse proxy on ClearOS. We demonstrate the use of Let's Encrypt, but you can use any certificate.


# Preparation
You will need to install things from the Marketplace and also from command line.


## ClearOS Modules
Download and install the following support modules for ClearOS:
* Dynamic DNS
* Web Server
* Let's Encrypt

For Dynamic DNS, if you host a domain name with ClearOS you can easily tie the name of this server into the account for DNS and then create CNAME records on ClearOS for the various services that are running behind this server.
If you do not host the DNS with ClearOS you can simply use a 'poweredbyclear.com' domain. If you are happy with that, just use it. If you would like to use your own hostnames, configure the 'poweredbyclear.com' DNS name for Dynamic DNS and then create CNAME records that point to that name for all of your services.

For Let's Encrypt to work it will need to talk to your ClearOS Web server on port 80. This is how it validates that you control the hostname that you are requesting a certificate for.

For Let's Encrypt you may get prompted for prerequisites to configure Master/Slave/Standalone (always pick Master if this is your first server for this customer). You may also need to set up the directory (usually OpenLDAP). And lastly, you may need to set up the certificate server.


## NGINX
Downloading and installing the NGINX package on ClearOS is easy. From PuTTY (or any SSH session) run the following as root:

```
yum install nginx
```


# Configuration
You will need to configure and setup Dynamic DNS and Let's Encrypt using the ClearOS Web GUI. You will need to configure NGINx from command line.

## Web Server
This is pretty simple and you don't have to do much here. Simply start the Web server service and ensure that port 80 is open.

## Dynamic DNS
This is configured from the Cloud section of the Webconfig GUI. You can pick whatever you want for the first part of the hostname so long as someone else hasn't grabbed it. If you have your DNS hosted by ClearCenter (not recommended) then you can use a custom hostname with that domain via Dynamic DNS (kind of like a vanity plate). Otherwise, just make one for the 'poweredbyclear.com' domain.

## Let's Encrypt
DNS must be working for this to register properly. You can register a number of different certificates provided that ALL of them resolve via DNS to this host and port 80 is open to the outside.
If you have to make changes to your Dynamic DNS, it will take up to 5 minutes before Let's Encrypt can use them.

## NGINx
By default NGINx will conflict with the ClearOS Web Server (Apache Web Server) module on port 80. You will need to modify the default nginx.conf file in /etc/nginx/nginx.conf so that you comment out its default server configuration on port 80. Put hash marks in front of all these lines so that they look like this:


```
#server {
#    listen       80 default_server;
#    listen       [::]:80 default_server;
#    server_name  _;
#    root         /usr/share/nginx/html;
#
#    # Load configuration files for the default server block.
#    include /etc/nginx/default.d/*.conf;
#
#    location / {
#    }
#
#    error_page 404 /404.html;
#    location = /40x.html {
#    }
#
#    error_page 500 502 503 504 /50x.html;
#    location = /50x.html {
#    }
#}
```

Next, create a file called /etc/nginx/conf.d/proxypass.conf which contains something like this:

```
server {
    # Port nginx listens on; 'ssl' on the listen line replaces the deprecated 'ssl on;'.
    listen 8888 ssl;

    # Server certificate (with chain) and its private key.
    ssl_certificate     /etc/letsencrypt/archive/something.poweredbyclear.com/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/archive/something.poweredbyclear.com/privkey1.pem;

    location / {
        # Plain HTTP to the backend: this hop on the LAN is NOT encrypted.
        proxy_pass http://192.168.1.10:81;
    }
}
```

The 'listen' line sets the port the server is listening on. You can make this 443 if you can get Apache to stop using that port.
The 'ssl_certificate' parameter points to the server certificate file. It is best to join the certificate chain to the server certificate; Let's Encrypt does this for you with the fullchain1.pem file.
Let's Encrypt will place the current, active certificate in the archive folder under the hostname of the certificate. Point it there.
The 'ssl_certificate_key' parameter must point to the private key file for this domain.
Lastly, the 'proxy_pass' line contains the internal LAN URL for the service. It is important to remember that there is NO ENCRYPTION between the ClearOS server and this HTTP server on the LAN, so anyone who can sniff that segment sees the traffic in the clear. It is strongly advised to place ClearOS and this unsecured server on the same switch.

# Starting the services
Once configured, start the nginx service with the command:

```
systemctl start nginx
```

Look for any errors. If it starts ok, make sure to enable the service for boot:

```
systemctl enable nginx
```

# Cleaning up
You may need to open the port you are using for NGINX to the outside. It is also highly advised that you take precautions with reverse proxies, for example placing the hosts on a HotLAN or even using a different ClearOS box that is not your main firewall.
Saturday, October 02 2021, 12:07 AM
Responses (12)
  • Saturday, March 26 2022, 07:44 AM
    Nick Howitt wrote:

    I would really need to think about your question, but, for inside your LAN you can only use LE certs on FQDNs that are valid internally, so probably not proxy.intranet.mydomain.com. What you can do to get round that is in your internal DNS server, make your external FQDNs resolve to the ClearOS LAN IP and then use the external FQDN internally.


    No worries, no need. I was mostly confusing myself on this and ended up solving it in a much simpler way by just using the existing web server instead.

    A few years back I felt Apache was slow and lacking features, so I usually just went for Nginx for my simple needs. Now, after digging into more of what’s supported and understanding more of the configurations I can see that Apache is probably way superior to nginx.

    Best thing for me is of course how ClearOS has it set up, making it so much easier to utilize features such as ldap with with group requirements for certain virtual sites and even webdir.
  • Tuesday, March 22 2022, 11:37 PM
    Nick Howitt wrote:

    Von Royce Wallace wrote:
    Nick are you back in action?

    Michael reversed the contract termination.


    Happy to hear. I wandered off into the world of aapanel because of my concerns about security updates. I may come back; aapanel has a lot to offer but it's not as well dressed as ClearOS.

    I did learn a lot though, and for me it's all about learning.

    Can't wait to see what you guys do concerning the whole CentOS thing.
  • Tuesday, March 22 2022, 04:51 PM
    Von Royce Wallace wrote:
    Nick are you back in action?

    Michael reversed the contract termination.
  • Tuesday, March 22 2022, 04:31 PM
    Nick Howitt wrote:

    I would really need to think about your question, but, for inside your LAN you can only use LE certs on FQDNs that are valid internally, so probably not proxy.intranet.mydomain.com. What you can do to get round that is in your internal DNS server, make your external FQDNs resolve to the ClearOS LAN IP and then use the external FQDN internally.


    Nick are you back in action?
  • Tuesday, March 22 2022, 09:38 AM
    I would really need to think about your question, but, for inside your LAN you can only use LE certs on FQDNs that are valid internally, so probably not proxy.intranet.mydomain.com. What you can do to get round that is in your internal DNS server, make your external FQDNs resolve to the ClearOS LAN IP and then use the external FQDN internally.
  • Monday, March 21 2022, 10:42 PM
    Nick Howitt wrote:
    You can't have Nginx and Apache running on the same port. LE needs port 80.

    As a thought it is possible to have LE do wildcard certs so it covers all subdomains. I do it, but you need to move your DNS to somewhere which supports it (I use Cloudflare for DNS only). We do it in Clearcenter and have a single LE cert covering 6 domains and all their subdomains and it is distributed automatically, or at least, each server pulls it automatically from the server which maintains the certificate.


    I see now that I misread the original post, but now I see nginx on the ClearOS is only working as a proxypass to another local webserver (not encrypted traffic). Therefore I need to change my question a bit:

    Let's say our local network ClearOS gateway/PDC is at intranet.mydomain.com. We have a Let's Encrypt certificate for that subdomain.

    Then, from outside of the LAN both the ClearOS system and this other webserver would still be behind encryption, qualifying with a valid certificate in a web browser, right?
    But from inside the LAN it would not? I'm assuming the other webserver would have some other hostname than the ClearOS system, so if it's not a wildcard cert it should really cover it. But will it when it's being browsed from outside the LAN, seeing as it's routed through intranet.mydomain.com (the ClearOS server)?

    So, if I were to replace this other webserver with a server running Proxmox VE, pointing the proxy_pass to an IP of an LXC in Proxmox that is running nginx* (with Nginx Proxy Manager, for simplicity), would the Let's Encrypt certificate still be valid for the content of the proxy-manager web interface?

    *Let's call it proxy.mydomain.com. (Or should it actually be proxy.intranet.mydomain.com??)

    I could gladly issue one certificate for each of the services/LXCs/IPs that I would point the proxy-manager to for the various subdomains. At home it works great, auto-renewing the certificates and running without hiccups, and it seems to be less work than setting up external DNS.
  • Monday, March 21 2022, 10:24 AM
    You don't need the LE app for LE certificates. It is not difficult to drive LE certs manually. The app was only created after a forum thread about setting up LE manually. In some ways the LE app is OTT with its firewall manipulations.

    You can't have Nginx and Apache running on the same port. LE needs port 80.

    As a thought it is possible to have LE do wildcard certs so it covers all subdomains. I do it, but you need to move your DNS to somewhere which supports it (I use Cloudflare for DNS only). We do it in Clearcenter and have a single LE cert covering 6 domains and all their subdomains and it is distributed automatically, or at least, each server pulls it automatically from the server which maintains the certificate.
  • Sunday, March 20 2022, 09:26 PM
    I recently started using Nginx Proxy Manager (https://nginxproxymanager.com) for a quick and simple solution to reverse proxy in my home network. Pointing subdomains to various LXCs on my Proxmox server has never been easier, and I just love the possibility to easily add auto-updating Let's Encrypt certs to all my services at all my subdomains.

    Now that I know how easy and flexible all this is I am seeing possibilities with Nginx for my company intranet too, and would love to utilise it together with clearOS.

    I've been debating with myself the following two options:

    1) replace, or "cover", the apache webserver that is already installed in clearOS, as this guide suggests
    2) forward all port 80 and 443 to the server/lxc running nginx and the Nginx Proxy Manager

    Currently I have the Let's Encrypt app installed, and it's renewing the certificates. The system is now using the certificates on both the Webserver, the ClearOS Webconfig, the Directory Server (OpenLDAP) and even for a docker container running Home Assistant. And so far all is looking good.

    All these services are running on the same ClearOS system, which is connected to a subdomain of our main domain. Therefore they are all valid.

    But, if I go for option 2 and forward port 80/443 to another server on our business LAN, is it so that the Let's Encrypt certificate won't renew itself automatically?
    And, for option 1 it would be ok since nginx (and the web-gui Nginx Proxy Manager) is running on the same server as the certificate is already valid for?

    Edit: And, for both options: will the Apache Webserver become unavailable? I do love the simplicity of creating new "sites" and setting up access-rights directly from the clearOS webconfig, so if I can keep this and get the best from both worlds then that would be the best possible outcome.
  • Saturday, October 02 2021, 08:42 PM
    I need to make some corrections here. There is no point in cloning the file I mentioned earlier, /etc/clearsync.d/filewatch-samba-configuration-event.conf, as all that does is trigger the scripts in /var/clearos/events/samba_configuration. A better template would be /etc/clearsync.d/filewatch-httpd.conf which directly fires off a command. That command could be to restart nginx with a condrestart.

    The other thing to note is that there does not appear to be any trigger to restart samba on an smb.conf change.
  • Saturday, October 02 2021, 02:17 PM
    Dave Loper wrote:
    Using live on Let's Encrypt would be a better thing. Also having a change awareness hook on the file to restart the daemon would be an improvement (similar to how firewall.conf and smb.conf behave). That way it is not dependent on Let's Encrypt and could be any certificate.
    You could set up a watcher on your proxypass.conf just by cloning /etc/clearsync.d/filewatch-samba-configuration-event.conf and editing it accordingly, but it won't help if you use the LE live certificates as you would never have to change the certificate files in proxypass.conf when the certificate renews. I think this is where Team Canada started rewriting the Certificate Manager app years ago to try to cope with both conventional and LE certificates in a unified way but it was never finished.
  • Saturday, October 02 2021, 12:43 PM
    Proxypass is not free. As far as I know, it is not well maintained.

    Using live on Let's Encrypt would be a better thing. Also having a change awareness hook on the file to restart the daemon would be an improvement (similar to how firewall.conf and smb.conf behave). That way it is not dependent on Let's Encrypt and could be any certificate.
  • Saturday, October 02 2021, 08:12 AM
    Hi Dave, long time no hear! Thanks for your write up.

    Can I suggest a bit of a mod. For Let's Encrypt I suggest you link to the certificates in /etc/letsencrypt/live/something.poweredbyclear.com or whatever your domain is. Then when Let's Encrypt rotates your certificate every two months, it maintains the symlinks to always point to current certificate. You may also need to restart or reload nginx to read the new certificates. Please see the Using Let's Encrypt Certificates for Mail and other Apps HowTo for one simple way of doing it. You can also drop a configlet into /etc/letsencrypt/renewal-hooks/deploy, I believe.

    Also from the HowTo, if nginx does not run as root you may need to adjust permissions on the key and one of the folders for nginx to be able to read the certificate.

    Can I ask what this is doing that the Proxy Pass App is not? The main thing I think I see is that you are passing any port whereas the Proxy Pass app is limited to 80 and 443.

    Note, I am considering releasing an update to the Let's Encrypt app to remove all but the last x certificates and keys from the archive folder and the csr and key folder as they build forever and take up your valuable free backup space. In my case, having a number of certificates, that ended up taking quite a lot of space. The update is already in clearos-contribs-testing and it would delete your certificate in about 12 months, but your certificate would have been expired for 9 months by then.
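The renewal hook that Nick suggests dropping into /etc/letsencrypt/renewal-hooks/deploy (and the "change awareness hook" Dave asks for), written out as an added example; this is not code from the thread or from the ClearOS Let's Encrypt app. It assumes the certbot layout under /etc/letsencrypt, a vhost in /etc/nginx/conf.d/proxypass.conf that uses the live/ paths, and the variable names PROXYPASS_CONF, NGINX_TEST and NGINX_RELOAD are my own: it reloads nginx only when the renewed lineage is one the vhost actually serves and only after `nginx -t` passes, and it warns if the config still points into archive/ as the original proxypass.conf does.

```shell
#!/bin/sh
# Certbot deploy hook: reload nginx only when a certificate it actually serves
# has been renewed, and only if the config still passes "nginx -t".
# Install as /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh (mode 0755).
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/host) when run.
# Assumptions (not from the thread): the vhost lives in PROXYPASS_CONF and
# references /etc/letsencrypt/live/<host>/... paths as Nick suggests.

PROXYPASS_CONF="${PROXYPASS_CONF:-/etc/nginx/conf.d/proxypass.conf}"
NGINX_TEST="${NGINX_TEST:-nginx -t}"                    # overridable for testing
NGINX_RELOAD="${NGINX_RELOAD:-systemctl reload nginx}"

# 0 if an active ssl_certificate / ssl_certificate_key line points below $1
# (commented-out lines are skipped, so the disabled default server is ignored).
config_points_below() {
    [ -r "$PROXYPASS_CONF" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line#"${line%%[![:space:]]*}"}"         # trim leading whitespace
        case "$line" in ssl_certificate*"$1"/*) return 0 ;; esac
    done < "$PROXYPASS_CONF"
    return 1
}

# archive/ paths are frozen at one version (fullchain1.pem) and go stale after
# the next renewal; live/ holds symlinks that certbot keeps current.
uses_archive_paths() { config_points_below /etc/letsencrypt/archive; }

# Return: 0 reloaded, 1 nothing to do, 2 config test failed (not reloaded).
deploy() {
    lineage="${RENEWED_LINEAGE:-}"
    if [ -z "$lineage" ]; then
        echo "RENEWED_LINEAGE not set (not invoked by certbot?)" >&2; return 1
    fi
    if uses_archive_paths; then
        echo "warning: $PROXYPASS_CONF uses archive/ paths; switch to live/" >&2
    fi
    if ! config_points_below "$lineage"; then
        echo "$lineage not used by $PROXYPASS_CONF; no reload needed"; return 1
    fi
    # Never reload into a broken config: nginx keeps the old one running for
    # now but would fail to start after the next reboot.
    if ! $NGINX_TEST >/dev/null 2>&1; then
        echo "nginx config test failed; not reloading" >&2; return 2
    fi
    $NGINX_RELOAD && echo "nginx reloaded for $lineage"
}

# Run the hook only when executed directly (as certbot does), not when sourced.
case "$0" in *reload-nginx.sh) deploy ;; esac
```

Certbot also exports RENEWED_DOMAINS, so the same check could be keyed on the hostname instead of the lineage path if you prefer.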