New on LowEndTalk? Please Register and read our Community Rules.
let's encrypt in vestacp domain behind nat
I am not familiar with ssl in complex situations. Although I installed a couple of LE certs in a vesta environment, I would appreciate any guidance in this scenario:
I have a vesta installation in a NAT LXC vps (the node is mine, with a proxmox installation and nat container, using nginx as reverse proxy for the domain).
I installed LE in the container for my domain.
I use cloudflare mostly for dns resolving/name servers.
I use an nginx reverse proxy redirecting from the node to the container for the domain, with this config:
    # On the Proxmox node: plain HTTP in, plain HTTP forwarded to the container
    server {
        listen 80;
        server_name xxxxxx.com *.xxxxxx.com;
        location / {
            proxy_pass http://10.0.0.xx;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 150;
            proxy_send_timeout 100;
            proxy_read_timeout 100;
            proxy_buffers 4 32k;
            client_max_body_size 8m;
            client_body_buffer_size 128k;
        }
    }
What are the steps to enable https to this domain in the container, using nginx reverse proxy? And how can I force https?
Thanks all!
Comments
You need to do the LetsEncrypt install on the host node (where nginx is); you can't proxy back over only port 80 and expect SSL to work. Need the SSL on the reverse proxy itself.
If you're not running any other web servers on that node, I'd suggest doing port forwarding with IPTables and just push all port 80/443 traffic back to that container.
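What the comment above describes, written out as an added example for the host node's nginx (this is not config from the thread or from VestaCP). It assumes the certificate was issued on the host with certbot's webroot method and lives under /etc/letsencrypt/live/xxxxxx.com/, that /var/www/letsencrypt is the webroot handed to certbot, and that the container keeps serving plain HTTP on 10.0.0.xx; the proxy settings are the ones from the original post.

```nginx
# Added example: TLS termination on the Proxmox host's nginx.
# Assumptions (not from the thread): certs issued by certbot --webroot on the
# host, webroot /var/www/letsencrypt, container unchanged on 10.0.0.xx:80.

server {
    listen 80;
    server_name xxxxxx.com *.xxxxxx.com;

    # HTTP-01 challenges must stay answerable over plain HTTP, or renewals break.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else: force HTTPS here, on the proxy, not inside the container.
    # $host (not $server_name) so a subdomain matched by the wildcard redirects
    # to itself rather than to the apex.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name xxxxxx.com *.xxxxxx.com;

    ssl_certificate     /etc/letsencrypt/live/xxxxxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxxxxx.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Only once every name in server_name is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://10.0.0.xx;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tell the backend the client really used HTTPS, so anything in the
        # container that builds absolute URLs or redirects to https does not loop.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 150;
        proxy_send_timeout 100;
        proxy_read_timeout 100;
        proxy_buffers 4 32k;
        client_max_body_size 8m;
        client_body_buffer_size 128k;
    }
}
```

Two checks before relying on this: the certificate must actually cover every name in server_name, and HTTP-01 on the host can only issue for the concrete hostnames it answers for, so the `*.xxxxxx.com` wildcard needs a DNS-01 issuance (certbot has a Cloudflare DNS plugin for that); and once TLS ends on the host, the container's own Vesta-issued certificate is never presented to clients, so renewal work belongs on the host, not in the container. Validate with `nginx -t` and reload, then confirm with `curl -sI http://xxxxxx.com/` that you get a 301 to the https URL and with `curl -sI https://xxxxxx.com/` that the backend answers.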
I haven't tried using NAT and LE for certificates, but it should be easy to follow what vestacp says about the CLI:
v-add-letsencrypt-domain admin domain.tld
Then to force SSL just edit to:
/home/admin/conf/web/nginx.conf
Search for the domain that will be forced to SSL and add:
return 301 https://$server_name$request_uri;
At the end should be something like this:
    server {
        listen 192.168.1.85:80;
        server_name domain.tld www.domain.tld;
        error_log /var/log/apache2/domains/domain.tld.error.log error;
        return 301 https://$server_name$request_uri;
        ....
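A caveat for the in-container redirect shown above when it is combined with a TLS-terminating proxy on the node, as an added example (not from the comment or from VestaCP): the proxy always reaches the container over plain HTTP, so an unconditional `return 301 https://...` in the container loops forever. The snippet below keeps the listen address and log path from the comment and assumes the host proxy sets `X-Forwarded-Proto` (an assumption about the proxy, not something Vesta does for you).

```nginx
# Added example: VestaCP domain block inside the container, behind a proxy
# that terminates TLS and sets X-Forwarded-Proto (assumed).
server {
    listen 192.168.1.85:80;
    server_name domain.tld www.domain.tld;
    error_log /var/log/apache2/domains/domain.tld.error.log error;

    # Redirect only when the original client request was not HTTPS.
    # $http_x_forwarded_proto is empty for direct hits, so those redirect too.
    if ($http_x_forwarded_proto != "https") {
        return 301 https://$host$request_uri;
    }

    # ... rest of the Vesta-generated block stays as it is
}
```

`if` plus `return` is one of the uses nginx documents as safe; do not put other directives inside that `if`. Test it by sending one request with the header and one without: `curl -sI -H 'X-Forwarded-Proto: https' http://192.168.1.85/ -H 'Host: domain.tld'` should return the page, and the same request without the header should return the 301.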
this!
I use cloudflare mostly for dns resolving/name servers.
I use nginx reverse proxy redirecting from the node to the container, using the domain, with this config:
If you have dedicated IPv6 on the container then run it over :443 on IPv6 and use Cloudflare as a proxy for IPv4 traffic?