-
Proxypass is not free. As far as I know, it is not well maintained. Using live would be a better thing. Also having a hook on the file to restart the daemon would be an improvement (similar to how firewall.conf and smb.conf behave). That way it is not dependent on Let's Encrypt and could be any certificate.
-
-
Install an NGINx Reverse Proxy on ClearOS
# Installing reverse proxy on ClearOS that uses certificates
This will help you install and configure a reverse proxy for ClearOS. We demonstrate in this guide the use of Let's Encrypt, but you can use any certificate.
# Preparation
You will need to install things from the Marketplace and also from command line.
## ClearOS Modules
Download and install the following support modules for ClearOS:
* Dynamic DNS
* Web Server
* Let's Encrypt
For Dynamic DNS, if you host a domain name with ClearOS you can easily tie the name of this server into the account for DNS and then create CNAME records on ClearOS for the various services that are running under this server.
If you do not host the DNS with ClearOS you can simply use a 'poweredbyclear.com' domain. If you are ok with just using that, feel free to use just that. If you would like to use your own hostnames, configure the 'poweredbyclear.com' DNS name for Dynamic DNS and then create CNAME records that point to that name for all of your services.
For Let's Encrypt to work it will need to talk to your ClearOS Web server on port 80. This is how it validates that you own the hostname for which you want a certificate.
For Let's Encrypt you may get prompted for prerequisites to configure Master/Slave/Standalone (always pick Master if this is your first server for this customer). You may also need to set up the directory (usually OpenLDAP). And lastly, you may need to set up the certificate server.
## NGINX
Downloading and installing the NGINX package for ClearOS is easy. From PuTTY, run the following as root:
```
yum install nginx
```
# Configuration
You will need to configure and set up Dynamic DNS and Let's Encrypt using the ClearOS Web GUI. You will need to configure NGINX from the command line.
## Web Server
This is pretty simple and you don't have to do much here. Simply start the Web server service and ensure that port 80 is open.
## Dynamic DNS
This is configured from the Cloud section of the Webconfig GUI. You can pick whatever you want for the first part of the hostname so long as someone else hasn't grabbed it. If you have your DNS hosted by ClearCenter (not recommended) then you can use a custom hostname with that domain via Dynamic DNS (kind of like a vanity plate). Otherwise, just make one for the 'poweredbyclear.com' domain.
## Let's Encrypt
The DNS must be working for this to register properly. You can register a number of different certificates provided that ALL of them resolve via DNS to this host and port 80 is open to the outside.
If you have to make changes to your Dynamic DNS, it will take up to 5 minutes for Let's Encrypt to be able to use it.
## NGINX
By default NGINX will conflict with the ClearOS Web Server (Apache Web Server) module on port 80. You will need to modify the default nginx.conf file in /etc/nginx/nginx.conf so that you comment out its default server configuration on port 80. Put hash marks in front of all these lines so that they look like this:
```
#    server {
#        listen       80 default_server;
#        listen       [::]:80 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#        location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }
```
Next, create a file called /etc/nginx/conf.d/proxypass.conf which contains something like this:
```
server {
    # Listen on 8888 because Apache (the ClearOS Web Server) already owns port 80.
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 8888 ssl;
    # Let's Encrypt certificate chain and private key for this hostname.
    ssl_certificate /etc/letsencrypt/archive/something.poweredbyclear.com/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/archive/something.poweredbyclear.com/privkey1.pem;
    location / {
        # Plain HTTP to the internal service on the LAN (see the note below).
        proxy_pass http://192.168.1.10:81;
    }
}
```
The 'listen 8888' directive sets the port that the server is listening on. You can make this 443 if you can get Apache to stop using that port.
The 'ssl_certificate' parameter points to the server certificate file. It is best to join the cert chain to the server cert. Let's Encrypt does this for you with the fullchain1.pem file.
Let's Encrypt will place the current, active cert in the archive folder with the hostname of the cert. Point it there.
The 'ssl_certificate_key' file must point to the private key file for this domain.
Lastly, the 'proxy_pass' line contains the internal LAN URL for the service. It is important to remember that there is NO ENCRYPTION between the ClearOS server and this HTTP server on the LAN. It is strongly advised to place ClearOS and this unsecured server on the same switch.
# Starting the services
Once configured, start the nginx service with the command:
```
systemctl start nginx
```
Look for any errors. If it starts ok, make sure to enable the service for boot:
```
systemctl enable nginx
```
# Cleaning up
You may need to open the port you are using for NGINX to the outside. It is also highly advised that you take precautions with reverse proxies. For example, placing the hosts on a HotLAN or even using a different ClearOS that is not your main firewall. -
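The guide pins nginx to archive/fullchain1.pem, which goes stale as soon as Let's Encrypt renews and writes fullchain2.pem. As an added example (not code from the original post or from ClearOS), this post-renewal script selects the newest archive files, verifies that certificate and key belong together, rewrites the two ssl_* lines in proxypass.conf, then tests and reloads nginx; ARCHIVE_DIR, CONF, the hostname and the RENEW_HOOK_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a post-renewal hook for the
# proxypass.conf above. The post pins nginx to archive/fullchain1.pem, which
# goes stale once Let's Encrypt renews and writes fullchain2.pem, so this
# script picks the newest archive files, checks that certificate and key
# belong together, rewrites the two ssl_* lines, then tests and reloads nginx.
# ARCHIVE_DIR, CONF and the hostname are assumptions; adjust for your host.
set -e

ARCHIVE_DIR="${ARCHIVE_DIR:-/etc/letsencrypt/archive/something.poweredbyclear.com}"
CONF="${CONF:-/etc/nginx/conf.d/proxypass.conf}"

# Print the highest-numbered "<prefix>N.pem" in a directory (empty if none).
latest_pem() {
    best=""; bestn=-1
    for f in "$1"/"$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/"$2"}; n=${n%.pem}
        case $n in *[!0-9]*) continue ;; esac   # skip names like fullchain1a.pem
        if [ "$n" -gt "$bestn" ]; then best=$f; bestn=$n; fi
    done
    printf '%s\n' "$best"
}

# Succeed only when the public key inside the certificate equals the key's.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Rewrite the ssl_certificate / ssl_certificate_key lines in a config file.
point_nginx_at() {
    sed -e "s|^\([[:space:]]*ssl_certificate \).*;|\1$1;|" \
        -e "s|^\([[:space:]]*ssl_certificate_key \).*;|\1$2;|" "$3" > "$3.tmp"
    mv "$3.tmp" "$3"
}

main() {
    cert=$(latest_pem "$ARCHIVE_DIR" fullchain)
    key=$(latest_pem "$ARCHIVE_DIR" privkey)
    [ -r "$cert" ] && [ -r "$key" ] || { echo "no cert/key in $ARCHIVE_DIR" >&2; exit 1; }
    cert_matches_key "$cert" "$key" || { echo "certificate/key mismatch" >&2; exit 1; }
    point_nginx_at "$cert" "$key" "$CONF"
    nginx -t && systemctl reload nginx
}

# Run the deployment only when asked, so the functions can be sourced/tested.
if [ "${RENEW_HOOK_RUN:-0}" = 1 ]; then main; fi
```

Run it as root on the ClearOS host with RENEW_HOOK_RUN=1 after each renewal; `nginx -t` refuses to reload on a broken config, so a bad rewrite never takes the proxy down.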
-
If ClearOS is working properly with Dynamic DNS, it can failover the IPSec to the secondary IP address if and ONLY IF your IPSec is compatible with using hostnames for its IPSec tunnel...on both sides. You can test if the hostname failover is working with a simple ping from a hotspot or 3rd party by pinging the hostname. This should change when the first ISP goes down based on a 5 minute TTL for the hostname.
Sadly, most IPSec services only allow for IP addresses and not hostnames.
Long ago I made a simple script to kick OpenVPN if a ping across the tunnel isn't working. This could be adapted to IPSec as well.
https://documentation.clearos.com/content:en_us:kb_o_openvpn_connection_script
-Dave Loper
-
Sorry for the outage, the server error on mirrorlist has been fixed. It should be stable now.
-
-
What python library does your system report if it gives the wc_repo error?
```
[root@server clearos]# rpm -qi python-libs
Name        : python-libs
Version     : 2.7.5
Release     : 80.el7_6
Architecture: x86_64
Install Date: Fri 25 Oct 2019 04:13:38 PM EDT
Group       : Applications/System
Size        : 24714432
License     : Python
Signature   : RSA/SHA256, Fri 21 Jun 2019 12:50:10 PM EDT, Key ID 24c6a8a7f4a80eb5
Source RPM  : python-2.7.5-80.el7_6.src.rpm
Build Date  : Thu 20 Jun 2019 04:56:00 PM EDT
Build Host  : x86-02.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.python.org/
Summary     : Runtime libraries for Python
Description :
This package contains runtime libraries for use by Python:
- the libpython dynamic library, for use by applications that embed Python as
  a scripting language, and by the main "python" executable
- the Python standard library
```
-
-
There is a beta ISO in the testing repos on the mirror but that has a known bug and should NOT be used unless you are trying to help solve the bug.
-
-
If you perform the following steps from the console (Ctrl+Alt+F3) or from ssh, does the problem go away?
```
yum -y update
reboot
```
-
-
Yeah...I'll get that fixed: https://gitlab.com/clearos/clearfoundation/app-storage/issues/32
-