moving ssl
Create the certs on the reverse proxy machine – move them to the NAS
sudo certbot --nginx -d spiffynasty.com -d www.spiffynasty.com
sudo certbot --nginx -d brains.spiffynasty.com
then get location of ssl
ssl_certificate /etc/letsencrypt/live/brains.spiffynasty.com-0001/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/brains.spiffynasty.com-0001/privkey.pem; # managed by Certbot
sudo cp /etc/letsencrypt/live/brains.spiffynasty.com-0001/fullchain.pem /home/ubuntu
sudo cp /etc/letsencrypt/live/brains.spiffynasty.com-0001/privkey.pem /home/ubuntu
then
scp ubuntu@192.168.1.17:/home/ubuntu/fullchain.pem /Users/spiffy/Desktop/asustorssl
copy fullchain.pem - rename the copy as privkey.pem
sudo nano /home/privkey.pem - copy out the key and paste it into the local one: sudo nano /Users/spiffy/Desktop/asustorssl/privkey.pem
## NAS Reverse Proxy
https://www.asustor.com/en/online/College_topic?topic=325
COURSE OBJECTIVES
Upon completion of this course you should be able to:
- Use a reverse proxy domain to protect the secure connection of multiple NAS.
- Use a reverse proxy domain to improve the security of Apps' HTTPS connection.
NAS 325
Introducing Reverse Proxies
Making your NAS and apps secure
2024-06-21
PREREQUISITES
*Course Prerequisites:*
NAS 324: Using HTTPS to Secure NAS Communication
*Students are expected to have a working knowledge of:*
HTTP/HTTPS
Yes, you can configure your NAS's reverse proxy settings to work in conjunction with your own proxy server. Many NAS devices, like the ASUSTOR NAS, offer built-in reverse proxy functionality to help manage traffic across multiple services or applications, especially when using DDNS or hosting multiple web services.
Here's how they can work together:
- NAS Reverse Proxy Handling Local Services: You can use the NAS's reverse proxy to manage internal traffic and route requests to various services hosted on the NAS (e.g., Nextcloud, a web server, etc.). This allows you to create different subdomains or paths to access these services (e.g., nextcloud.spiffynasty.com could point to your Nextcloud instance running on the NAS).
- External Proxy Server for Public Access: Your external proxy server can be used to manage incoming traffic from the internet. The external proxy can receive the request and route it to your NAS's reverse proxy, which will further direct the request to the correct internal service.
This setup creates a layered proxy system:
- External proxy manages incoming internet traffic and SSL.
- NAS reverse proxy distributes traffic within your network to specific services running on the NAS.
This setup can simplify service management and allow better scalability.
To set up your NAS reverse proxy to work with the external proxy server at 192.168.1.17, you can follow a layered proxy approach. Here's how to configure both the NAS and your external proxy server so they work together seamlessly:
Steps for NAS Reverse Proxy Configuration:
Configure NAS Reverse Proxy: On your ASUSTOR NAS, configure the reverse proxy to handle internal routing of traffic for specific services hosted on the NAS (e.g., Nextcloud, web apps). Here’s how to set it up:
Go to the ADM interface → Services → Web Server → Reverse Proxy settings.
Add reverse proxy rules for each service, such as:
- Source URL: https://nextcloud.spiffynasty.com
- Destination URL: http://localhost:port (or the appropriate internal IP and port where the service is running, like http://192.168.1.30:8022 for Nextcloud).
Repeat for other services as needed.
Configure the External Proxy (192.168.1.17):
The external proxy server will handle incoming traffic and forward it to the NAS reverse proxy.
Set up your proxy server (e.g., NGINX or Apache) to forward traffic for specific subdomains or paths to the NAS. Example configuration for NGINX on 192.168.1.17:

```nginx
server {
    listen 443 ssl;
    server_name nextcloud.spiffynasty.com;
    ssl_certificate /etc/letsencrypt/live/nextcloud.spiffynasty.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.spiffynasty.com/privkey.pem;
    location / {
        # Pointing to the NAS IP address. Port 443 on the NAS speaks TLS, so the
        # upstream scheme must be https; plain http to a TLS port is rejected by the NAS.
        proxy_pass https://192.168.1.50:443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Here, 192.168.1.50 represents the IP address of your NAS. The external proxy will forward traffic from nextcloud.spiffynasty.com to your NAS's reverse proxy.
SSL Management:
- You can handle SSL termination either at the external proxy (192.168.1.17) or at the NAS. If the external proxy handles SSL, the NAS can communicate via plain HTTP internally.
- Ensure SSL certificates are properly configured on both proxies, or use the external proxy to handle SSL and forward plain HTTP to the NAS.
Summary of Flow:
- External Proxy (192.168.1.17) receives incoming traffic from the internet (e.g., nextcloud.spiffynasty.com).
- The external proxy forwards the traffic to the NAS reverse proxy.
- The NAS reverse proxy routes the traffic to the correct internal service (e.g., Nextcloud or other apps).
This layered approach ensures that both proxies work together smoothly.
Cert Locations Asustor Nas
/volume0/usr/builtin/etc/certificate
You may also find it on:
/volume1/.@plugins/AppCentral/letsencrypt/.CertBot/config/live/
Or download from ADM UI.
If your NAS doesn't support setting up SSL directly, you can handle SSL termination on your external proxy server (the one at 192.168.1.17). This means that the external proxy will manage all the SSL encryption/decryption, and then it will forward plain HTTP traffic to the NAS. Here's how to configure that setup:
Steps for Handling SSL on the External Proxy and Using Plain HTTP to the NAS
Set up SSL on External Proxy (192.168.1.17): Install an SSL certificate (e.g., using Let's Encrypt) on your external proxy for the domain nextcloud.spiffynasty.com. If you haven't done so, use the following command to request a certificate using Certbot:
sudo certbot --nginx -d nextcloud.spiffynasty.com
Ensure that NGINX (or Apache) on your external proxy is configured to use this certificate. Your configuration might look something like this:

```nginx
server {
    listen 443 ssl;
    server_name nextcloud.spiffynasty.com;
    ssl_certificate /etc/letsencrypt/live/nextcloud.spiffynasty.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nextcloud.spiffynasty.com/privkey.pem;
    # Proxy pass to NAS over HTTP
    location / {
        proxy_pass http://192.168.1.50:8022;  # NAS IP and Nextcloud port, no SSL here
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
Plain HTTP Communication Between External Proxy and NAS:
- Since the external proxy handles SSL, the communication between the external proxy (192.168.1.17) and the NAS (192.168.1.50) can be done over plain HTTP.
- The proxy_pass in your external proxy configuration should point to the internal HTTP URL for the service running on the NAS (e.g., http://192.168.1.50:8022 for Nextcloud).
Disable SSL on NAS:
- You don’t need to worry about SSL on the NAS in this configuration because the external proxy is terminating the SSL connection. The NAS will only receive plain HTTP traffic from the proxy.
Test the Setup:
- After configuring everything, visit https://nextcloud.spiffynasty.com in a browser. The external proxy should handle the SSL connection, and the NAS should receive plain HTTP traffic.
Key Points:
- External proxy manages SSL encryption for public access.
- NAS communicates internally over plain HTTP, avoiding the need for SSL configuration on the NAS.
- This setup provides security for users accessing the site over the internet while keeping the internal network simple.
By handling SSL on your external proxy, you avoid the complexity of managing SSL on the NAS while still ensuring secure access for external users.
Reverse proxy
Nextcloud can be run through a reverse proxy, which can cache static assets such as images, CSS or JS files, move the load of handling HTTPS to a different server or load balance between multiple servers.
Defining trusted proxies
For security, you must explicitly define the proxy servers that Nextcloud is to trust. Connections from trusted proxies will be specially treated to get the real client information, for use in access control and logging. Parameters are configured in config/config.php.
Set the trusted_proxies parameter as an array of:
- IPv4 addresses
- IPv4 ranges in CIDR notation
- IPv6 addresses
- IPv6 ranges in CIDR notation
to define the servers Nextcloud should trust as proxies. This parameter provides protection against client spoofing, and you should secure those servers as you would your Nextcloud server.
A reverse proxy can define HTTP headers with the original client IP address, and Nextcloud can use those headers to retrieve that IP address. Nextcloud uses the de-facto standard header ‘X-Forwarded-For’ by default, but this can be configured with the forwarded_for_headers parameter. This parameter is an array of PHP lookup strings, for example ‘X-Forwarded-For’ becomes ‘HTTP_X_FORWARDED_FOR’. Incorrectly setting this parameter may allow clients to spoof their IP address as visible to Nextcloud, even when going through the trusted proxy! The correct value for this parameter is dependent on your proxy software.
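An added illustration of the trusted-proxy check the two paragraphs above describe (this is not Nextcloud's own code): the forwarded header is believed only when the connecting peer is a trusted proxy, and the hop list is walked from the right, skipping trusted hops, so a value a client put in the header before it reached the proxy cannot spoof its address. The naive leftmost-entry reading is included beside it to show why the parsing rule matters when a proxy appends (nginx's $proxy_add_x_forwarded_for) rather than replaces the header. The proxy addresses and CIDR ranges are constructed sample values.

```python
import ipaddress

# Constructed sample values modelled on the config/config.php keys described above;
# an added illustration of the trusted-proxy logic, not Nextcloud's own code.
CONFIG = {
    "trusted_proxies": ["10.0.0.1", "192.168.1.0/24", "fd00::/8"],
    "forwarded_for_headers": ["HTTP_X_FORWARDED_FOR"],
}


def is_trusted_proxy(addr, trusted):
    """True when addr equals a trusted proxy IP or lies inside a trusted CIDR range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def real_client_ip(server, config):
    """Client IP as the application should see it.

    The forwarded header is consulted only when the directly connected peer
    (REMOTE_ADDR) is a trusted proxy.  The header is then walked from the right,
    skipping every trusted hop, so a value a client placed in the header before
    it reached the proxy is never believed.
    """
    remote = server["REMOTE_ADDR"]
    if not is_trusted_proxy(remote, config["trusted_proxies"]):
        return remote  # direct client: its forwarded header is untrusted, ignore it
    for header in config["forwarded_for_headers"]:
        hops = [h.strip() for h in server.get(header, "").split(",") if h.strip()]
        for hop in reversed(hops):
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                return remote  # malformed entry: fall back to the peer address
            if not is_trusted_proxy(hop, config["trusted_proxies"]):
                return hop  # rightmost address that no trusted proxy added
    return remote


def leftmost_client_ip(server, config):
    """The naive "first entry wins" reading. When the proxy appends to an existing
    header (nginx's $proxy_add_x_forwarded_for) instead of replacing it, this
    returns whatever the client sent, which is the spoofing the text warns about."""
    remote = server["REMOTE_ADDR"]
    if not is_trusted_proxy(remote, config["trusted_proxies"]):
        return remote
    value = server.get("HTTP_X_FORWARDED_FOR", "")
    return value.split(",")[0].strip() or remote
```

With the layered setup on this page, both 192.168.1.17 and 192.168.1.50 fall inside the trusted range, so a header of "client, 192.168.1.17" resolves to the client while a client-supplied prefix is skipped.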
Overwrite parameters
The automatic hostname, protocol or webroot detection of Nextcloud can fail in certain reverse proxy situations. This configuration allows the automatic detection to be manually overridden. If Nextcloud fails to automatically detect the hostname, protocol or webroot you can use the overwrite parameters inside the config/config.php.
overwritehost: set the hostname of the proxy. You can also specify a port.
overwriteprotocol: set the protocol of the proxy. You can choose between the two options http and https.
overwritewebroot: set the absolute web path of the proxy to the Nextcloud folder.
overwritecondaddr: overwrite the values dependent on the remote address. The value must be a regular expression of the IP addresses of the proxy. This is useful when you use a reverse SSL proxy only for https access and you want to use the automatic detection for http access.
overwrite.cli.url: the base URL for any URLs which are generated within Nextcloud using any kind of command line tools. For example, the value set here will be used by the notifications area.
Leave the value empty or omit the parameter to keep the automatic detection.
Service Discovery
The redirects for CalDAV or CardDAV do not work if Nextcloud is running behind a reverse proxy. The recommended solution is that your reverse proxy does the redirects.
Apache2
RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
Thanks to @ffried for apache2 example.
Traefik 1
Using Docker labels:
traefik.frontend.redirect.permanent: 'true'
traefik.frontend.redirect.regex: 'https://(.*)/.well-known/(?:card|cal)dav'
traefik.frontend.redirect.replacement: 'https://$$1/remote.php/dav'
Using traefik.toml:
[frontends.frontend1.redirect]
regex = "https://(.*)/.well-known/(?:card|cal)dav"
replacement = "https://$1/remote.php/dav"
permanent = true
Thanks to @pauvos and @mrtumnus for traefik examples.
Traefik 2
Using Docker labels:
- "traefik.http.routers.nextcloud.middlewares=nextcloud_redirectregex@docker"
- "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.permanent=true"
- "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
- "traefik.http.middlewares.nextcloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
Using a TOML file:
[http.middlewares]
[http.middlewares.nextcloud-redirectregex.redirectRegex]
permanent = true
regex = "https://(.*)/.well-known/(?:card|cal)dav"
replacement = "https://${1}/remote.php/dav"
HAProxy
acl url_discovery path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301 if url_discovery
NGINX
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
or
rewrite ^/\.well-known/carddav https://$server_name/remote.php/dav/ redirect;
rewrite ^/\.well-known/caldav https://$server_name/remote.php/dav/ redirect;
Caddy
subdomain.example.com {
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy {$NEXTCLOUD_HOST:localhost}
}
Example
Multiple domains reverse SSL proxy
If you want to access your Nextcloud installation http://domain.tld/nextcloud via a multiple domains reverse SSL proxy https://ssl-proxy.tld/domain.tld/nextcloud with the IP address 10.0.0.1 you can set the following parameters inside the config/config.php.
<?php
$CONFIG = array (
'trusted_proxies' => ['10.0.0.1'],
'overwritehost' => 'ssl-proxy.tld',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/domain.tld/nextcloud',
'overwritecondaddr' => '^10\.0\.0\.1$',
'overwrite.cli.url' => 'https://domain.tld/',
);
Note
If you want to use the SSL proxy during installation you have to create the config/config.php, otherwise you have to extend the existing $CONFIG array.