Reverse proxy: Difference between revisions
Brian Wilson (talk | contribs) mNo edit summary |
Brian Wilson (talk | contribs) mNo edit summary |
||
| Line 20: | Line 20: | ||
} # managed by Certbot | } # managed by Certbot | ||
== 2019-02-14 == | |||
Today I did it with method 2, method 1 fails and I have lost patience. | |||
First do "certbot certificates" to see what needs renewal. | |||
<pre> | |||
root@bellman:/etc/nginx/sites-available# systemctl stop nginx | |||
root@bellman:/etc/nginx/sites-available# certbot certonly --cert-name owncloud.wildsong.biz | |||
Saving debug log to /var/log/letsencrypt/letsencrypt.log | |||
How would you like to authenticate with the ACME CA? | |||
------------------------------------------------------------------------------- | |||
1: Place files in webroot directory (webroot) | |||
2: Spin up a temporary webserver (standalone) | |||
------------------------------------------------------------------------------- | |||
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 | |||
Cert is due for renewal, auto-renewing... | |||
Renewing an existing certificate | |||
Performing the following challenges: | |||
http-01 challenge for owncloud.wildsong.biz | |||
Waiting for verification... | |||
Cleaning up challenges | |||
Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem | |||
Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem | |||
IMPORTANT NOTES: | |||
- Congratulations! Your certificate and chain have been saved at | |||
/etc/letsencrypt/live/owncloud.wildsong.biz/fullchain.pem. Your | |||
cert will expire on 2019-05-15. To obtain a new or tweaked version | |||
of this certificate in the future, simply run certbot again. To | |||
non-interactively renew *all* of your certificates, run "certbot | |||
renew" | |||
- If you like Certbot, please consider supporting our work by: | |||
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate | |||
Donating to EFF: https://eff.org/donate-le | |||
</pre> | |||
== Dockerized! == | == Dockerized! == | ||
Revision as of 20:34, 14 February 2019
Bellman runs a plain old web server with Let's Encrypt certificates. I have not gotten the automated renewal to work but this works:
sudo -s certbot certonly --cert-name bellman.wildsong.biz certbot certonly --cert-name owncloud.wildsong.biz certbot certonly --cert-name maps.wildsong.biz certbot certonly --cert-name map46.com
Actually today it's not working because my server is not reachable from outside now. Grr.
I used the option "1: Place files in webroot directory (webroot)". It prompts for webroot which of course is /var/www/hostname/html.
Each server listens on ports 80 and 443, and redirects all traffic from port 80 to port 443 via a thing like this
# Jump over to the HTTPS server if we're not there already.
if ($scheme != "https") {
return 301 https://$host$request_uri;
} # managed by Certbot
2019-02-14
Today I did it with method 2, method 1 fails and I have lost patience.
First do "certbot certificates" to see what needs renewal.
root@bellman:/etc/nginx/sites-available# systemctl stop nginx root@bellman:/etc/nginx/sites-available# certbot certonly --cert-name owncloud.wildsong.biz Saving debug log to /var/log/letsencrypt/letsencrypt.log How would you like to authenticate with the ACME CA? ------------------------------------------------------------------------------- 1: Place files in webroot directory (webroot) 2: Spin up a temporary webserver (standalone) ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 Cert is due for renewal, auto-renewing... Renewing an existing certificate Performing the following challenges: http-01 challenge for owncloud.wildsong.biz Waiting for verification... Cleaning up challenges Generating key (2048 bits): /etc/letsencrypt/keys/0012_key-certbot.pem Creating CSR: /etc/letsencrypt/csr/0012_csr-certbot.pem IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/owncloud.wildsong.biz/fullchain.pem. Your cert will expire on 2019-05-15. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Dockerized!
For a plain old web server, I am using richarvey's nginx, see https://hub.docker.com/r/richarvey/nginx-php-fpm/ It supports PHP. If I start it up like this and go to the page at http://bellman.wildsong.biz I see its PHP info.
You can add all the environment settings to have it pull code from github
docker run -d --dns=192.168.123.2 --name=web \ -e 'GIT_EMAIL=my email' -e 'GIT_NAME=my name' -e 'GIT_USERNAME=my username' -e 'GIT_REPO=my repo name' \ -e 'GIT_PERSONAL_TOKEN=<long_token_string_here>' \ richarvey/nginx-php-fpm:latest
Moving on to set up HTTPS with Let's Encrypt, I add more environment settings to the above,
-e "WEBROOT=/var/www/htdocs" -v /home/web/htdocs:/var/www/htdocs -e "DOMAIN=bellman.wildsong.biz" \
Then I can tell it I want HTTPS,
docker exec -t web /usr/bin/letsencrypt-setup
uWSGI
uWSGI lets me deploy flask applications without having to run the built in server.
This page helped me: http://markjberger.com/flask-with-virtualenv-uwsgi-nginx/
and this: http://uwsgi-docs.readthedocs.io
apt-get install uwsgi uwsgi-plugin-python
In the virtualenv environment install uwsgi
source venv/bin/activate pip install uwsgi
You can run from command line to test it
uwsgi -s 192.168.1.2:5001 --protocol=http --wsgi-file /var/lib/twilio-weatherman/pyweatherman/wsgi.py
and this should work: http://192.168.1.2:5001/home/
Right now I only need to deploy a single app, so I just hacked a shell script and set it to run at boot.
/var/lib/twilio-weatherman/pyweatherman/uwsgi.sh
I changed nginx to work with it.
Building Nginx for Owncloud and Windows
The reason is to get digest authentication, so that I can use Windows 7 as a WebDAV client.
So far this is a FAIL.
- I cannot convince Windows to store a self-signed certificate.
- I can't get digest authentication to work with owncloud.
If I did succeed then I would need a Docker container so that I can load it in the Synology server.
Windows is a pain.
and https://www.nginx.com/resources/wiki/modules/auth_digest/
git clone https://github.com/samizdatco/nginx-http-auth-digest.git cd nginx-1* ./configure --add-module=../nginx-http-auth-digest/ --with-http_ssl_module --with-cc-opt=-Wno-error make sudo make install
