Profile Details

Recent updates
  • Proxypass is not free. As far as I know, it is not well maintained. Using live would be a better thing. Also having a hook on the file to restart the daemon would be an improvement (similar to how firewall.conf and smb.conf behave). That way it is not dependent on Let's Encrypt and could be any certificate.

  • Install an NGINx Reverse Proxy on ClearOS

    # Installing reverse proxy on ClearOS that uses certificates
    This will help you install and configure reverse proxy for ClearOS. We demonstrate in this guide the use of Let's Encrypt but you can use any certificate.


    # Preparation
    You will need to install things from the Marketplace and also from command line.


    ## ClearOS Modules
    Download and install the following support modules for ClearOS:
    * Dynamic DNS
    * Web Server
    * Let's Encrypt

    For Dynamic DNS, if you host a domain name with ClearOS you can easily tie the name of this server into the account for DNS and then create CNAME records on ClearOS for the various services that are running under this server.
    If you do not host the DNS with ClearOS you can simply use a 'poweredbyclear.com' domain. If you are ok with just using that, feel free to use just that. If you would like to use your own hostnames, configure the 'poweredbyclear.com' DNS name for Dynamic DNS and then create CNAME records that point to that name for all of your services.

    For Let's Encrypt to work it will need to talk to your ClearOS Web server on port 80. This is how it validates that you own the hostname that you are wanting to get a certificate for.

    For Let's Encrypt you may get prompted for prerequisites to configure Master/Slave/Standalone (always pick Master if this is your first server for this customer). You may also need to set up the directory (usually OpenLDAP). And lastly, you may need to set up the certificate server.


    ## NGINx
    Downloading and installing the NGINX package for ClearOS is easy. From PuTTY run the following as root:

    ```
    yum install nginx
    ```


    # Configuration
    You will need to configure and set up Dynamic DNS and Let's Encrypt using the ClearOS Web GUI. You will need to configure NGINx from the command line.

    ## Web Server
    This is pretty simple and you don't have to do much here. Simply start the Web server service and ensure that port 80 is open.

    ## Dynamic DNS
    This is configured from the Cloud section of the Webconfig GUI. You can pick whatever you want for the first part of the hostname so long as someone else hasn't grabbed it. If you have your DNS hosted by ClearCenter (not recommended) then you can use a custom hostname with that domain via Dynamic DNS (kind of like a vanity plate). Otherwise, just make one for the 'poweredbyclear.com' domain.

    ## Let's Encrypt
    The DNS must be working for this to properly register. You can register a number of different certificates provided that ALL of them resolve via DNS to this host and port 80 is open to the outside.
    If you have to make changes to your Dynamic DNS, it will take up to 5 minutes for Let's Encrypt to be able to use it.

    ## NGINx
    By default NGINx will conflict with the ClearOS Web Server (Apache Web Server) module on port 80. You will need to modify the default nginx.conf file in /etc/nginx/nginx.conf so that you comment out its default server configuration on port 80. Put hash marks in front of all these lines so that they look like this:


    ```
    #server {
    #    listen       80 default_server;
    #    listen       [::]:80 default_server;
    #    server_name  _;
    #    root         /usr/share/nginx/html;
    #
    #    # Load configuration files for the default server block.
    #    include /etc/nginx/default.d/*.conf;
    #
    #    location / {
    #    }
    #
    #    error_page 404 /404.html;
    #    location = /40x.html {
    #    }
    #
    #    error_page 500 502 503 504 /50x.html;
    #    location = /50x.html {
    #    }
    #}
    ```

    Next, create a file called /etc/nginx/conf.d/proxypass.conf which contains something like this:

    ```
    server {
        # "ssl" on the listen line enables TLS; the separate "ssl on;" directive is deprecated
        listen 8888 ssl;

        # server certificate (with chain) and private key issued by Let's Encrypt
        ssl_certificate     /etc/letsencrypt/archive/something.poweredbyclear.com/fullchain1.pem;
        ssl_certificate_key /etc/letsencrypt/archive/something.poweredbyclear.com/privkey1.pem;

        location / {
            # internal LAN service being published; this hop is plain HTTP
            proxy_pass http://192.168.1.10:81;
        }
    }
    ```

    The 'listen 8888;' is the port that the server is listening on. You can make this 443 if you can get Apache to stop using that port.
    The 'ssl_certificate' parameter points to the server certificate file. It is best to join the cert chain to the server cert. Let's Encrypt does this for you with the fullchain1.pem file.
    Let's Encrypt will place the current, active cert in the archive folder with the hostname of the cert. Point it there.
    The 'ssl_certificate_key' file must point to the private key file for this domain.
    Lastly, the 'proxy_pass' line contains the internal LAN URL for the service. It is important to remember that there is NO ENCRYPTION between the ClearOS server and this http server on the LAN. It is strongly advised to place ClearOS and this insecure server on the same switch.

    # Starting the services
    Once configured, start the nginx service with the command:

    ```
    systemctl start nginx
    ```

    Look for any errors. If it starts ok, make sure to enable the service for boot:

    ```
    systemctl enable nginx
    ```

    # Cleaning up.
    You may need to open the port you are using for NGINx to the outside. It is also highly advised that you take precautions with reverse proxies. For example, placing the hosts on a HotLAN or even using a different ClearOS that is not your main firewall.
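    A hardened version of the proxypass.conf from the guide above, added here as an illustration and not part of the original post or of ClearOS; the hostname, port and backend address are placeholders. It reads the certificate from the Let's Encrypt `live/` symlinks (so a reload after renewal picks up the new files, as the first note above asks for), uses `listen ... ssl;` instead of the deprecated `ssl on;`, limits TLS to 1.2/1.3, forwards the real client address and scheme to the backend, and drops connections that do not name the expected host.

    ```nginx
    # /etc/nginx/conf.d/proxypass.conf (example; hostname, port and backend are placeholders)

    # Catch-all: any request on this port that is not for our hostname gets the
    # connection closed without a response (status 444 is nginx's "close" code).
    server {
        listen 8888 ssl default_server;
        server_name _;
        ssl_certificate     /etc/letsencrypt/live/something.poweredbyclear.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/something.poweredbyclear.com/privkey.pem;
        return 444;
    }

    server {
        listen 8888 ssl;
        server_name something.poweredbyclear.com;

        # live/ holds symlinks that certbot repoints on every renewal; archive/
        # keeps numbered copies (fullchain1.pem, fullchain2.pem, ...) that go stale.
        ssl_certificate     /etc/letsencrypt/live/something.poweredbyclear.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/something.poweredbyclear.com/privkey.pem;

        # Modern protocols only; older nginx builds still default to TLS 1.0/1.1 as well.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Ask browsers to keep using HTTPS for this host for a year.
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            # Plain HTTP to the LAN host: this hop is unencrypted, keep it on a trusted segment.
            proxy_pass http://192.168.1.10:81;

            # Let the backend log the real client and know the outer hop was HTTPS.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            # Do not let a slow backend hold client connections open indefinitely.
            proxy_connect_timeout 5s;
            proxy_read_timeout    60s;
        }
    }
    ```

    Run `nginx -t` before `systemctl reload nginx`; a reload after each Let's Encrypt renewal is enough for the new certificate to take effect.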

  • If ClearOS is working properly with Dynamic DNS, it can failover the IPSec to the secondary IP address if and ONLY IF your IPSec is compatible with using hostnames for its IPSec tunnel...on both sides. You can test if the hostname failover is working with a simple ping from a hotspot or 3rd party by pinging the hostname. This should change when the first ISP goes down based on a 5 minute TTL for the hostname.

    Sadly, most IPSec services only allow for IP addresses and not hostnames.

    Long ago I made a simple script to kick OpenVPN if a ping across the tunnel isn't working. This could be adapted to IPSec as well.

    https://documentation.clearos.com/content:en_us:kb_o_openvpn_connection_script

    -Dave Loper
    Community Member

  • Sorry for the outage, the server error on mirrorlist has been fixed. It should be stable now.

  • Dave Loper replied to a discussion, ClearOS 7.7 Community Release

    What python library does your system report if it gives the wc_repo error?

    [root@server clearos]# rpm -qi python-libs

    Name : python-libs
    Version : 2.7.5
    Release : 80.el7_6
    Architecture: x86_64
    Install Date: Fri 25 Oct 2019 04:13:38 PM EDT
    Group : Applications/System
    Size : 24714432
    License : Python
    Signature : RSA/SHA256, Fri 21 Jun 2019 12:50:10 PM EDT, Key ID 24c6a8a7f4a80eb5
    Source RPM : python-2.7.5-80.el7_6.src.rpm
    Build Date : Thu 20 Jun 2019 04:56:00 PM EDT
    Build Host : x86-02.bsys.centos.org
    Relocations : (not relocatable)
    Packager : CentOS BuildSystem <http://bugs.centos.org>
    Vendor : CentOS
    URL : http://www.python.org/
    Summary : Runtime libraries for Python
    Description :
    This package contains runtime libraries for use by Python:
    - the libpython dynamic library, for use by applications that embed Python as
    a scripting language, and by the main "python" executable
    - the Python standard library

  • Dave Loper replied to a discussion, ClearOS 7.7 Community Release

    There is a beta ISO in the testing repos on the mirror but that has a known bug and should NOT be used unless you are trying to help solve the bug.

  • Dave Loper replied to a discussion, ClearOS 7.7 Community Release

    If you perform the following steps from console (Ctrl+Alt+F3) or from ssh, does the problem go away?

    yum -y update
    reboot