Let’s Encrypt with Nginx
Posts: 12
Threads: 3
Joined: May 2016
Reputation:
6
[Solved]
Oct 14, 2016, 02:45 AM
(This post was last modified: Oct 14, 2016, 02:51 AM by armss001.)
Hello,
So I am looking to use Let's Encrypt with my Nginx setup but I can't seem to get it working. I looked at your guide and can see a few points that vary from my setup, and I am wondering how I can adapt your guide to suit my current setup without having to redo everything. I run UniFi controller, which doesn't allow for changes to the base URL, so keeping nginx in this setup is important.
1) Nginx is running on a different server, I listen for a subdomain per application and proxy based on that. i.e. htpc.mydomain.co.uk proxies to 10.1.1.3 which is my HTPC Manager install or unifi.mydomain.co.uk proxies to 10.1.1.4:8443 which is my unifi install.
2) You change the base url (/sickrage) and have everything in one configuration file, I have one subdomain per config file.
3) You force ssl for all connections, but doesn't Let's Encrypt require http to verify?
This is an example of my current default file; this forces HTTPS using self-generated certs. This is what I want to correct so I can have the nice green lock at the top of my screen.
Code:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    server_name htpc.mydomain.co.uk;
    ssl_certificate /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/www.access.log;
    location / {
        proxy_set_header Host $host;
        # $remote_addr is the client's address; $host would pass the requested hostname instead
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.1.1.3:80;
        proxy_read_timeout 90;
        proxy_redirect http://10.1.1.3:80 https://htpc.mydomain.co.uk;
    }
}
I hope you can give advice. I don't know what sort of information you require and I don't really know where to start; if you have any questions, just ask.
Thank you in advance.
Posts: 1,646
Threads: 2
Joined: Aug 2015
Reputation:
42
[Solved]
Oct 15, 2016, 04:34 PM
I believe letsencrypt only requires port 80 open for the initial verification, renewal checks do not require port 80. So you should be able to just remove the return 301 line temporarily and follow the guide. @drake can you confirm?
Posts: 244
Threads: 1
Joined: Jul 2016
Reputation:
12
[Solved]
Oct 15, 2016, 05:48 PM
I'm not sure if for renewal port 80 is required or not. I think not.
To get the letsencrypt certificates, just use an nginx config that is in the guide. The point is that you need nginx to get the certificate, so you need to use http to get the certificate. Once you have the certificate, you need port 80 and http only to redirect immediately to https. I hope it is clear what I mean.
Try a basic config like in the guide, and then configure the default server block like in the guide. Nothing will change except that all the traffic will be forced to https (and the security settings might limit some functionality for example older browsers, etc).
As for the subdomains: I think LE doesn't support (yet) wildcard domains, so you will need to add all the domains you use when requesting the certificates, like: yoursite.com http://www.yoursite.com sonarr.yoursite.com sickrage.yoursite.com, etc.
Let us know if this worked for you.
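The point made in this reply (port 80 must answer the challenge path, and the redirect to HTTPS must not get in the way) can be checked before running certbot. The script below is an added example, not code from the thread or from the guide it refers to: it drops a random token into the webroot that nginx serves for /.well-known, fetches it over plain HTTP for each subdomain without following redirects, and reports which names would fail HTTP-01 validation. WEBROOT and HOSTS are assumed values; the classification lives in a pure function so it can be exercised without a network.

```python
"""ACME HTTP-01 pre-flight check for an nginx reverse proxy.

Hypothetical helper (not from the thread or its guide): before requesting a
certificate for several subdomains, confirm that each name answers a plain
HTTP request under /.well-known/acme-challenge/ with the file content and
that the "return 301 https://..." rule does not swallow that path.
"""
import os
import secrets
import urllib.error
import urllib.request

# Assumed values: the webroot nginx serves for /.well-known on port 80, and
# the names that will go on the certificate.
WEBROOT = "/var/www/letsencrypt"
HOSTS = ["htpc.mydomain.co.uk", "unifi.mydomain.co.uk", "qnap.mydomain.co.uk"]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them: a redirect on the
    challenge path is exactly the misconfiguration this check looks for."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def judge(status, location, body, token):
    """Classify one probe result as (ok, reason). Pure function so it can be
    tested without a network."""
    if 300 <= status < 400:
        return False, (f"redirected to {location}; serve /.well-known/acme-challenge/ "
                       "in the port-80 server block before the https redirect")
    if status != 200:
        return False, f"HTTP {status}; challenge path not reachable over port 80"
    if body.strip() != token:
        return False, "unexpected body; another server block or the backend answered"
    return True, "ok"


def probe(host, token, timeout=5):
    """Fetch the token over plain HTTP without following redirects.
    Returns (status, Location header or None, body); status 0 means no reply."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read().decode(errors="replace")
    except urllib.error.URLError as err:
        return 0, None, str(err.reason)


def preflight(hosts, webroot):
    """Write a random token into the webroot, probe every host, then clean up."""
    token = secrets.token_urlsafe(16)
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    try:
        return {host: judge(*probe(host, token), token) for host in hosts}
    finally:
        os.remove(path)


if __name__ == "__main__":
    for host, (ok, why) in preflight(HOSTS, WEBROOT).items():
        print(f"{'PASS' if ok else 'FAIL'} {host}: {why}")
```

Run it on the nginx host itself (it needs write access to the webroot) after every config change that touches port 80. Let's Encrypt does follow redirects during HTTP-01, so a 301 is not fatal in general; the check is deliberately stricter because in the configuration discussed here the HTTPS server blocks proxy every path to a backend that knows nothing about the challenge files.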
Posts: 12
Threads: 3
Joined: May 2016
Reputation:
6
[Solved]
Oct 16, 2016, 10:47 PM
Hello.
I have just seen the replies, thank you for your assistance. I have been away for the weekend and did more research and came up with the solution I think you are suggesting, maybe with a few tweaks, the main one being that the redirect needed to call $host, not $server_name.
The code below seems to be functioning, other than the QNAP, but I am not sure if it's the most secure or written correctly as I started from scratch (well, looking at examples) on a VM to test it all out. The QNAP page loads and allows me to enter my login details, but then continuously says "Loading..." This was working before; I don't know what I broke.
Code:
server {
    # Default server for port 80: answers ACME challenges for any name that
    # is not matched by a more specific server block below.
    listen 80;
    location /.well-known {
        alias /var/www/letsencrypt/.well-known;
    }
}
server {
    listen 80;
    # unifi.mydomain.co.uk has its own port-80 block further down; listing it
    # here as well makes nginx warn about a conflicting server name and ignore
    # the later block.
    server_name cp.mydomain.co.uk htpc.mydomain.co.uk sr.mydomain.co.uk plex.mydomain.co.uk plexpy.mydomain.co.uk qnap.mydomain.co.uk;
    # Serve the challenge files for these names too. A server-level "return 301"
    # runs before location matching, so without this the validator is sent to
    # the https blocks, which proxy everything to the backends.
    location /.well-known {
        alias /var/www/letsencrypt/.well-known;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name htpc.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/htpc.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/htpc.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        # $remote_addr is the client's address; $host would pass the requested hostname instead
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.1.1.3:80;
        proxy_read_timeout 90;
        proxy_redirect http://10.1.1.3:80 https://htpc.mydomain.co.uk;
    }
}
server {
    listen 443 ssl;
    server_name cp.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/cp.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cp.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.1.1.3:5050;
        proxy_read_timeout 90;
        proxy_redirect http://10.1.1.3:5050 https://cp.mydomain.co.uk;
    }
}
server {
    listen 80;
    server_name unifi.mydomain.co.uk;
    location / {
        return 301 https://$server_name$request_uri;
    }
    location /.well-known {
        alias /var/www/unifi/.well-known;
    }
}
server {
    listen 443 ssl;
    server_name unifi.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/unifi.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://10.1.1.4:8443;
        proxy_read_timeout 90;
        proxy_redirect https://10.1.1.4:8443 https://unifi.mydomain.co.uk;
    }
}
server {
    listen 443 ssl;
    server_name sr.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/sr.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sr.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.1.1.3:5051;
        proxy_read_timeout 90;
        proxy_redirect http://10.1.1.3:5051 https://sr.mydomain.co.uk;
    }
}
server {
    listen 443 ssl;
    server_name plex.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/plex.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plex.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass https://10.1.1.1:32400;
        proxy_read_timeout 90;
        proxy_redirect https://10.1.1.1:32400 https://plex.mydomain.co.uk;
    }
}
server {
    listen 443 ssl;
    server_name plexpy.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/plexpy.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plexpy.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.1.1.6:5054;
        proxy_read_timeout 90;
        proxy_redirect http://10.1.1.6:5054 https://plexpy.mydomain.co.uk;
    }
}
server {
    listen 443 ssl;
    server_name qnap.mydomain.co.uk;
    include /etc/nginx/snippets/strong-ssl.conf;
    ssl_certificate /etc/letsencrypt/live/qnap.mydomain.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qnap.mydomain.co.uk/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://10.1.1.2:8080;
        proxy_read_timeout 90;
        proxy_redirect http://10.1.1.2:8080 https://qnap.mydomain.co.uk;
    }
}
The strong-ssl.conf is exactly the same as the one in the tutorial. Any pointers you guys have would be great and to anyone else looking to do the same I hope this code helps.
Cheers, Sam.
Posts: 1,646
Threads: 2
Joined: Aug 2015
Reputation:
42
[Solved]
Oct 16, 2016, 11:01 PM
Sam, please add some logging so we have some info to work with; in your server blocks, create these appropriately. Looks like you will want to target the qnap block specifically.
Code:
access_log /var/log/nginx/proxy-access.log;
error_log /var/log/nginx/proxy-error.log;
Posts: 12
Threads: 3
Joined: May 2016
Reputation:
6
[Solved]
Oct 16, 2016, 11:35 PM
So this is the access log -
Code:
xx.xxx.xx.68 - - [17/Oct/2016:01:24:42 +0200] "GET /cgi-bin/login.html?1476658678 HTTP/1.1" 200 2477 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
xx.xxx.xx.91 - - [17/Oct/2016:01:24:42 +0200] "GET /cgi-bin/ HTTP/1.1" 200 2913 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
xx.xxx.xx.91 - - [17/Oct/2016:01:24:42 +0200] "GET /images/favicon.gif HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /libs/extjs-3.3.3/resources/css/ext-all-notheme.css HTTP/1.1" 200 16413 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /libs/extjs-3.3.3/adapter/ext/ext-base.js HTTP/1.1" 200 11399 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /ajax_obj/extjs/languages.js HTTP/1.1" 200 574 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /cgi-bin/css/qos.css?_dc=4.2.2.20160901 HTTP/1.1" 200 25837 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /libs/headjs-0.9/head.load.min.js HTTP/1.1" 200 1361 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /libs/extjs-3.3.3/ext-all.js HTTP/1.1" 200 97875 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /redirect.html?count=0.055621701299609416 HTTP/1.1" 200 548 "https://qnap.mydomain.co.uk/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /favicon.ico HTTP/1.1" 499 0 "https://qnap.mydomain.co.uk/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /cgi-bin/QTS.cgi?count=719979 HTTP/1.1" 302 5 "https://qnap.mydomain.co.uk/redirect.html?count=0.055621701299609416" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /favicon.ico HTTP/1.1" 499 0 "https://qnap.mydomain.co.uk/redirect.html?count=0.055621701299609416" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /cgi-bin/jc.cgi?_dc=1476660284694&f=systemPreferences.json HTTP/1.1" 200 489 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
Error log remains empty. Using Developer Tools in Chrome I do see this error:
Code:
Refused to execute script from 'https://qnap.mydomain.co.uk/cgi-bin/user-settings.json?_dc=4.2.2.20160901' because its MIME type ('text/plain') is not executable, and strict MIME type checking is enabled.
I hope this helps.
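A quick way to triage an access log slice like the one above, before guessing at the cause of the "Loading..." hang, is to parse it and pull out the requests that did not complete normally. The script below is an added example, not code from the thread: it parses nginx's combined log format, builds a status histogram, and lists the 499 responses (nginx's code for a client that closed the connection before a reply was sent) and the 3xx responses together with the referer that triggered them. The four sample lines are copied from the log posted above, with the client addresses already masked.

```python
"""Triage a slice of the nginx access log from the QNAP server block.

Added example (not from the thread): parses the combined log format, builds a
status histogram and pulls out the two request kinds worth a second look when
a page hangs on "Loading...": 499s (the browser gave up before nginx replied)
and 3xx responses with the referer that triggered them.
"""
import re
from collections import Counter

# Combined log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Four lines taken from the access log posted in the thread (IPs already masked).
SAMPLE = r'''
xx.xxx.xx.68 - - [17/Oct/2016:01:24:42 +0200] "GET /cgi-bin/login.html?1476658678 HTTP/1.1" 200 2477 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /favicon.ico HTTP/1.1" 499 0 "https://qnap.mydomain.co.uk/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /cgi-bin/QTS.cgi?count=719979 HTTP/1.1" 302 5 "https://qnap.mydomain.co.uk/redirect.html?count=0.055621701299609416" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
xx.xxx.xx.37 - - [17/Oct/2016:01:24:44 +0200] "GET /cgi-bin/jc.cgi?_dc=1476660284694&f=systemPreferences.json HTTP/1.1" 200 489 "https://qnap.mydomain.co.uk/cgi-bin/" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"
'''.strip().splitlines()


def parse(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(entries):
    """Status histogram plus the request kinds that usually explain a hung page."""
    return {
        "status": Counter(e["status"] for e in entries),
        # 499: client closed the connection first; a stalled backend or a
        # proxy_read_timeout that is too short shows up here.
        "client_aborts": [e["path"] for e in entries if e["status"] == "499"],
        # 3xx with its referer: tells you which page issued the request that
        # got bounced, which matters when proxy_redirect rewrites Location.
        "redirects": [(e["path"], e["referer"]) for e in entries if e["status"].startswith("3")],
        "clients": sorted({e["client"] for e in entries}),
    }


if __name__ == "__main__":
    parsed = [parse(line) for line in SAMPLE]
    unparsed = [line for line, e in zip(SAMPLE, parsed) if e is None]
    report = summarize([e for e in parsed if e])
    print("status codes:", dict(report["status"]))
    print("client aborts (499):", report["client_aborts"])
    for path, ref in report["redirects"]:
        print(f"redirect: {path}  <- referer {ref}")
    print("unparsed lines:", len(unparsed))
```

Replace SAMPLE with the lines read from /var/log/nginx/proxy-access.log to run it on a live log. Note what the access log cannot tell you: the Content-Type nginx relayed for each response. The "Refused to execute script" message in the browser console is about that header, so the next step for a URL like the user-settings.json one is to inspect the response headers directly (for example with curl -I against the proxy and against the QNAP) rather than the access log.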
Posts: 1,646
Threads: 2
Joined: Aug 2015
Reputation:
42
[Solved]
Oct 16, 2016, 11:39 PM
Posts: 12
Threads: 3
Joined: May 2016
Reputation:
6
[Solved]
Oct 16, 2016, 11:47 PM
This page also doesn't work in IE but for some reason does in Edge.
I am not sure how HTPC Manager affects the QNAP, it's two totally different systems; the HTPC Manager loads perfectly and works 100%.
I had a quick read of the links, but not sure how that helps? I can't edit the code of the QNAP, and/or wouldn't even know where to look. Hardware is more my area of knowledge.
Thank you for all this support too, very much appreciated.
Posts: 1,646
Threads: 2
Joined: Aug 2015
Reputation:
42
[Solved]
Oct 16, 2016, 11:50 PM
Yes, QNAP is a separate system but when the nginx proxy is on a separate machine, nginx is the key variable with how it handles requests.
It seems Edge has different policies when dealing with these MIME types; have you tried clearing cache and using a fresh browser?
Posts: 12
Threads: 3
Joined: May 2016
Reputation:
6
[Solved]
Oct 17, 2016, 12:04 AM
(This post was last modified: Oct 17, 2016, 12:06 AM by armss001.)
Just booted up the Mac that's never connected to these devices and URLs. It works in Safari but still fails in Chrome; cleared all saved data/history on the Mac and it still fails in Chrome.
Is this something I can adjust in NGINX?
UPDATE: While the QNAP interface loads in Edge, not all items function, IE I can't view the control panel. This does work in Safari though.