Hi, I'm looking for advice to improve my current setup, because it's not ideal and probably stupid from a professional's point of view. Thank you so much for your thoughts!

This is the situation:
I host two hobby related websites at home, as well as a mailserver and owncloud for my wife and kids and me. I access those at https://mail.mydomainhere.com and https://www.mydomainhere.com/owncloud respectively.
I decided a long time ago to do that on two different VMs (now on COS7) on an ESXi host. At that time I wanted to separate my private stuff (mail + owncloud) from publicly accessible stuff (both websites), because of security and because the websites are rather static and I wish to back up my private data way more often. I can now do that easily by taking that VM offline and copying it.

This is the routing:
I'm not incredibly experienced, I do my best to learn, but long ago I figured I'd separate traffic in my router, which has a static outside IP. I set port 80 to go to VM #1 with the websites, and port 8080 to go to VM #2 with the mailserver and owncloud. This was probably not very professional :-)

Problem 1:
The actual problems I have with this setup are twofold. The first is with Letsencrypt. I could only get that up and running on VM #1, because it needs traffic to http://www.mydomainhere.com to verify and create the certificate for https://www.mydomainhere.com. So every two months when Letsencrypt has refreshed the certificate on VM #1, I have to sit down and copy the fresh certificate files from VM #1 to #2, where I actually send https traffic, and integrate that into VM #2's configuration. That's a waste of time and of course due to my own earlier choices. But how can I improve this situation, what's the proper thing to do in this case?

Problem 2:
The second problem is that I think the certificate isn't working perfectly either. After each two-monthly transfer, I have to re-accept the Letsencrypt certificate on all my e-mail clients (on both desktop and mobile devices). The certificate seems OK, the new date is correct etc., but apparently not as good as the clients would like it to be to accept it right away. How do I figure out what the problem is there, and can it be related to my setup with separated http and https machines? Or is that due to Letsencrypt being a free service? Moreover, on the Android Gmail app from Google I cannot even accept my own certificate at all. There's nothing I can do to make it work with my renewed certificate on my mailserver.

Thank you for helping out!

Wouter
Wednesday, February 12 2020, 04:16 PM
Responses (10)
  • Monday, February 17 2020, 12:05 PM
    Sounds like you're trying to do what I've done ...

    In my case, 2 physical servers (COS7), one running a VM as a mail server. One of the servers is running as a file server and Nextcloud server, the other as the DHCP/DNS/VirtualBox host, along with a ProxyPass server. The gateway is a cable router with static IP, built-in DHCP server turned off - and acting as the gateway to the internet .. and the IMAP/SMTP/ICAL sent direct to the VM mailserver (bridged network address). HTTP/HTTPS accesses are sent to the ProxyPass for distribution. These include webmail/iPhone accesses (as they appear to go via port 80). ProxyPass takes care of the mail/Nextcloud accesses (different servers) via port 80/443.

    The ProxyPass webserver is setup with LetsEncrypt certificates (using default settings).
    Mailserver LetsEncrypt certificate .. IMAP/SMTP have their own certificates .. these are provided using the webroot configuration rather than the default .. mainly because the port 80 access goes via the ProxyPass server and so the webserver side of the mailserver is not directly visible from outside .. but as the LetsEncrypt accesses can be made via the ProxyPass, it works.
  • Monday, February 17 2020, 11:42 AM
    You could add a VM to your setup and you could delegate to it the redirection and certificate generation processes.

    Have a look at Nginx Proxy Manager.
  • Sunday, February 16 2020, 08:24 PM
    ClearOS (along with a lot of firewalls) is not brilliant at redirecting traffic from the LAN to its WAN interface and back in. Whatever is used as the DNS resolver on your LAN should resolve mail.mydomain.com to a LAN IP.
  • Sunday, February 16 2020, 07:44 PM
    Hi Nick,

    Thank you again.
    With forwarding the port at the gateway, you mean setting it in the port forwarding app, right? Or something else?

    When you say that my DNS server needs to resolve the mail subdomain to the LAN IP of the mailserver, you mean within the VM #1 webserver, am I right? I do not run a separate DNS server in my LAN.

    And why is that needed? If I set the port forwarding for port 993 to the LAN IP of my mailserver, why do I need to do that?

    Thanks for your comments (Marcel as well) on the billing. We'll see in 2021 :-)
  • Sunday, February 16 2020, 05:49 PM
    Wouter Smit wrote:
    Side note: proxy pass costs €15, but per what? Year I presume? Is there a standard billing period of 1yr for subscriptions?


    I think it is indeed a billing period of 1 year. A bit strange this is not mentioned when purchasing the app.
  • Sunday, February 16 2020, 05:48 PM
    ProxyPass is a one-off payment.

    For IMAP for external access, you should just port forward at the gateway. Do not open the incoming port on the gateway. You can track the packets with tcpdump with something like:
    tcpdump -nn -i your_interface port 993
    You can have multiple windows, one running on your WAN port, one on your LAN port and one on your mail server. For internal access, in your DNS server, you need to set your mail server name to point to your mailserver LAN IP. E.g. if you have your e-mail client configured to point to mail.mydomain.com, externally it should resolve to your WAN IP and internally you put it in your DNS server so it resolves to your mail server's LAN IP.

    I have little idea about Owncloud and may need the exact message. I am a Nextcloud user but it is on my gateway.
  • Sunday, February 16 2020, 04:20 PM
    Hi Nick,

    I've successfully installed and configured ProxyPass on my VM #1. I've set it to reverse proxy the traffic to subdomain mail.mydomain.com to my VM #2. I've changed the port forwarding in my router for https (443) and IMAP SSL (993) to go to VM #1. It works, I was able to get a new Letsencrypt certificate on VM #2 and can access a test site on my VM #2 as well as mail.mydomain.com/owncloud.

    It feels much better this way.

    I still have two problems though.
    1) I can't access my imap server on VM #2. I figured proxypass wouldn't handle port 993, so I installed the COS port forwarding app. And set it to send 993 to the IP of my VM #2. But it doesn't work. Email clients say the server cannot be reached. I've tried opening up port 993 in the firewall as well as disabling the firewall. How can I find out where traffic is getting stuck?

    2) The Owncloud site shows, but it throws an error about being reached from an unknown location. I don't know the exact message and I reverted my steps yesterday because I ran out of time.

    Side note: proxy pass costs €15, but per what? Year I presume? Is there a standard billing period of 1yr for subscriptions?
  • Thursday, February 13 2020, 07:17 PM
    If you set one server as the gateway and the other behind it and use the ProxyPass app, you can probably achieve what you want but each server would have to look after its own certificates. You'd need the ProxyPass app to allow the web server (Let's Encrypt runs its own mini webserver) to run on both servers, otherwise you still have the certificate distribution issue.
  • Thursday, February 13 2020, 05:05 PM
    Hi Nick, thank you so much for your reply. I did no special thing on my certificate to enable it for e-mail. I'll follow these steps.

    Nevertheless, wouldn't it be possible to get my router out of the equation, have all traffic on port 80, 8080 and the e-mail ports come in on VM #1, handle all the certificate stuff on VM #1, and only serve the contents of my mail. and owncloud. subdomains from VM #2? That would make a lot of things easier, no? I just have the feeling no-one in the world would have arranged things like I did.

    Thank you!
  • Wednesday, February 12 2020, 04:57 PM
    Have a look at the Let's Encrypt HowTo for ideas. You should be able to put something into a file in /var/clearos/events/lets_encrypt which will fire every time the certificates are renewed. In that file you could scp or rsync the files from /etc/letsencrypt/live/{your_domain} over to your new box, but be a bit careful as they are currently symlinks and you want to transfer the files across. The same job should be able to reload httpd or webconfig with something like:
    ssh root@other_box systemctl reload httpd webconfig
    For this to work best, you should set up ssh keys so one box trusts the other. It is not so easy to embed passwords into rsync or ssh commands.

    If Dave were to do it, he'd do it in two parts: rsync the files across into a staging area, then, on the other box, have something to move them into the right place and restart the services.

    If you have to manually accept certificates in mail clients then something is wrong. I had to update the howto last September as the underlying app, certbot (which is out of our control), changed how keys were handled and you now need to update the permissions on the latest key. Once done, it will carry forward on renewal. Check this and also check you have implemented it correctly in your mail apps. I never have to re-accept my certificates.
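    The two-part renewal hook described in the reply above, written out as an added example (this is not code from the thread or from ClearOS). Part 1 is what a script under /var/clearos/events/lets_encrypt would call on VM #1; part 2 runs on VM #2. The host name other_box and the reload command come from the reply; the staging directory, the target directory and the four expected file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): a two-part Let's Encrypt renewal hook.
# Part 1 runs on VM #1 (the box certbot renews on); part 2 runs on VM #2.
# other_box comes from the reply; the staging dir, target dir and the four
# file names are assumptions for illustration.
set -eu

CERT_FILES="fullchain.pem privkey.pem cert.pem chain.pem"

# Part 1a (VM #1): stream the live/ directory as a tar archive on stdout.
# -h makes tar follow the symlinks under live/, so the real files from
# archive/ are transferred instead of dangling links on the other box.
pack_live() {   # pack_live /etc/letsencrypt/live/<domain>
    tar -C "$1" -chf - .
}

# Part 1b (VM #1): ship the archive into the staging area on the other box.
# Relies on key-based ssh, so no password has to be embedded in the job.
push_certs() {   # push_certs <live_dir> root@other_box <staging_dir>
    pack_live "$1" | ssh "$2" "mkdir -p '$3' && tar -C '$3' -xf -"
}

# Part 2 (VM #2): move the staged files into place one at a time via a
# rename, tighten the key's permissions, then run the reload command.
# Returns 1 without touching the target if any expected file is missing,
# so a broken or partial copy never replaces a working certificate.
install_certs() {   # install_certs <staging_dir> <target_dir> "<reload command>"
    for f in $CERT_FILES; do
        [ -s "$1/$f" ] || { echo "install_certs: missing $1/$f" >&2; return 1; }
    done
    mkdir -p "$2"
    for f in $CERT_FILES; do
        cp "$1/$f" "$2/$f.new" && mv -f "$2/$f.new" "$2/$f"
    done
    chmod 600 "$2/privkey.pem"
    chmod 644 "$2/fullchain.pem" "$2/cert.pem" "$2/chain.pem"
    sh -c "$3"
}

# Example invocations (commented out so the file can be sourced safely):
# VM #1 hook: push_certs /etc/letsencrypt/live/mydomainhere.com root@other_box /root/le-staging
# VM #2:      install_certs /root/le-staging /etc/pki/tls/le-mydomainhere.com \
#                           "systemctl reload httpd webconfig"
```

    Running part 2 on VM #2 rather than pushing straight into the service's cert directory keeps a half-finished transfer from ever being what httpd or the mail daemons load on reload.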