HOW-TO: Set up NGINX to reverse proxy your jails w/ Certbot

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
When I go to test it I just put "mynas.net". How are you trying to do that?
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
As my app is just on example.org, I just put example.org into the test server.
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
I think we need someone with a little more knowledge here. I'm afraid I cannot help you.
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
When I get home I will go over your guide and follow all of the steps without making changes other than my own domain.

See if this helps.
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
Hey, were you able to get an A?
Hey!

Well, I've tried the following so far:

using different apps in the background.
using no apps (meaning it works, just nginx)
using different recommended settings from cipherli.st for ssl_common.conf
using different nginx.conf settings and setups
tried using the nginx.conf stated above
pkg update and upgrade come back with everything up to date already
using the latest 9.10 template

Other than breaking my proxies (eventually), it did nothing :D
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Ouch, sorry to hear that... I'll have a look again tomorrow when I'm at home. I still cannot figure out why this is happening to you.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
Hi there,

So I've built a proxy using this guide; however, SSL Labs is giving me an F rating.
Main cause:
OpenSSL Padding Oracle vuln. (CVE-2016-2107)

Any way to fix this?

Did you install nginx from ports or the package version? The CVE-2016-2107 vulnerability affects the package version because it's built against the base version of openssl in FreeBSD 10.3. To mitigate this you need to install the ports version as well as the ports version of openssl with DEFAULT_VERSIONS+=ssl=openssl option added to your /etc/make.conf file.
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
I've just followed the guide 1 on 1,
so just ran
Code:
pkg update && pkg upgrade 

then
Code:
pkg install nginx nano git and so on


just check version with
Code:
pkg info nginx

It's version number 1.12.

Besides adding DEFAULT_VERSIONS+=ssl=openssl to make.conf,

how would I go about installing nginx via ports?
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
cd /usr/ports/www/nginx/ && make install clean

I would strongly suggest you read the manual before you proceed any further.

So in the current jail that would be

Code:
portsnap fetch
portsnap extract
portsnap update
cd /usr/ports/www/nginx/ && make install clean

Or, seeing as pkg was used,
Code:
portsnap fetch
portsnap extract
portsnap update
cd /usr/ports/www/nginx/ && pkg install clean nginx

Am I right?
 

fracai

Guru
Joined
Aug 22, 2012
Messages
1,212
With 'pkg' there's no need to 'portsnap' or 'cd'. You can 'pkg install nginx' (no need to "clean") from anywhere.
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
I am told to try and install nginx via ports:

cd /usr/ports/www/nginx/ && make install clean

I would strongly suggest you read the manual before you proceed any further.

I read the manual, but it's confusing, giving me a total of 3 different sets of commands that all rip the jail xD
 

q_fleuren

Explorer
Joined
Jun 3, 2015
Messages
57
I created a new jail and did this:
added DEFAULT_VERSIONS+=ssl=openssl to make.conf
Code:
portsnap fetch
portsnap extract
cd /usr/ports/www/nginx/ && make install clean

then installed the packages python and git
to install certbot, and followed the guide.

resulting in the same problem as with a normal pkg install nginx:
an F rating because of the OpenSSL padding leak
 
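A check worth running at this point, added here as an example that is not from the thread or the guide it discusses: Jailer's advice only helps if the rebuilt nginx actually resolves libssl from the ports OpenSSL in /usr/local/lib rather than the base system's copy that SSL Labs flags for CVE-2016-2107. The script below classifies ldd(1) output either way; the nginx binary path and the constructed sample ldd lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the guide it discusses.
# After building www/nginx from ports with DEFAULT_VERSIONS+=ssl=openssl in
# /etc/make.conf, verify which libssl the installed nginx really links to.
# On FreeBSD the base OpenSSL lives under /lib and /usr/lib, the ports one
# under /usr/local/lib; an F rating after the rebuild usually means the
# binary still resolves to the base library.

# classify_ssl_linkage: read ldd(1)-style output on stdin and print
#   ports   - libssl resolves under /usr/local/lib (ports OpenSSL)
#   base    - libssl resolves under /lib or /usr/lib (base system OpenSSL)
#   unknown - no libssl line found (statically linked or wrong input)
classify_ssl_linkage() {
    awk '
        /libssl\.so/ {
            if ($3 ~ /^\/usr\/local\/lib\//) { print "ports"; found = 1; exit }
            if ($3 ~ /^\/(usr\/)?lib\//)     { print "base";  found = 1; exit }
        }
        END { if (!found) print "unknown" }
    '
}

# check_installed_nginx: run the check against a real binary. The default
# path is an assumption; pass another path as the first argument if needed.
check_installed_nginx() {
    nginx_bin=${1:-/usr/local/sbin/nginx}
    ldd "$nginx_bin" | classify_ssl_linkage
    # "nginx -V" names the OpenSSL it was built with; it should match the
    # ports version (/usr/local/bin/openssl version), not /usr/bin/openssl.
    "$nginx_bin" -V 2>&1 | grep -i 'built with'
}

# Constructed sample ldd output for both outcomes (not captured from a host).
BASE_LDD='/usr/local/sbin/nginx:
    libssl.so.7 => /usr/lib/libssl.so.7 (0x800a00000)
    libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)'
PORTS_LDD='/usr/local/sbin/nginx:
    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)
    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)'

if [ "${1:-}" = "--check" ]; then
    check_installed_nginx "${2:-}"
else
    printf 'constructed base-linked sample: %s\n'  "$(printf '%s\n' "$BASE_LDD"  | classify_ssl_linkage)"
    printf 'constructed ports-linked sample: %s\n' "$(printf '%s\n' "$PORTS_LDD" | classify_ssl_linkage)"
fi
```

Run it with `--check` inside the jail to test the real binary; a result of "base" means the port was built before make.conf was changed or the base libssl still shadows the ports one.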

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974

silverback

Contributor
Joined
Jun 26, 2016
Messages
134
Thanks for the Guide and to all the contributors,

I have tried a number of ways to obtain certs from letsencrypt and I never propagate a folder at /etc/letsencrypt/live.

I assume /etc/letsencrypt/live is the path to the location of the .pem files needed by nginx.

Can someone with a successful configuration please share where their key files are located.

Thanks
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
Using certbot mine are saved to /usr/local/etc/letsencrypt
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,974
Check the log. That's the only way you are going to be able to definitively know if everything is working.

CHECK THE LOG.......

Code:
/var/log/letsencrypt
 

silverback

Contributor
Joined
Jun 26, 2016
Messages
134
Thanks,
I was able to obtain certs. I must have missed the instruction in the OP to forward port 443 to the jail.

Cheers
 

ArgaWoW

Patron
Joined
Jul 4, 2015
Messages
444
Hello,

I tried this how-to and everything goes through without any error. I tried to reach my PlexPy server via this proxy without success. I got only this message:

Error 404: Not Found
Sorry, the requested URL 'http://example.something.com/plexpy' caused an error:

Not found: '/plexpy'

I hope someone can point me in the right direction :)
 