HOW-TO: Set up NGINX to reverse proxy your jails w/ Certbot

[Jan Banan]

The NGINX conf is fine, but make a new ssl_common.conf to be formatted as the one in my first post.

awesome, did another copy/paste and made sure nothing shifted. A+ on ssl labs straight away. thank you for the help! now to setting up everything :)

 

[Maxobus]

I'm currently facing a few problems myself in nextcloud or others setups getting "ERR_TOO_MANY_REDIRECTS".

Facing the same problem with Nextcloud 12.0.4
Did you solve it?

 

[ZodiacUHD]

Facing the same problem with Nextcloud 12.0.4
Did you solve it?

I’m running the same version but i have no issues. Are you running nextcloud with NGINX or Apache?

 

[Maxobus]

Are you running nextcloud with NGINX or Apache?

Nextcloud on Apache.

 

[ZodiacUHD]

Nextcloud on Apache.

I’m running it on NGINX, i’m not very familiar with Apache... i’m afraid i cannot help you.

 

[weingeist]

First of all, awesome guide, thanks a lot @ZodiacUHD !

@Maxobus I've had that problem too at some point, maybe my config below helps? I have two questions for you though, regarding Transmission. Are you able to use magnet torrents remote? I'm using the chrome extension Remote Torrent Adder, which works perfectly locally, but throws an error popup in Chrome when done remote:

Code:

Failure, Server didn't accept data:
200: <!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type"... 

How do you handle it? And second question, are there any advantages to subdomains compared to mydomain.com/transmission (e.g)?

My main reason for posting here is I'm having trouble with Plex. Funny enough, remote access only works using the WebUI, but the server is not accessible in my Android app, or my brother's Samsung TV app. Locally, my Android app works fine. Google only found solutions for the opposite case when the WebUI is not working. My config was inspired by the last post here:
https://www.reddit.com/r/PleX/comments/3xz4ph/plex_behind_a_ssl_nginx_reverse_proxy/

Trying to connect with my android phone produces this error message in /var/log/nginx/error.log

Code:

2018/01/23 21:43:44 [error] 31721#101943: *765 open() "/usr/local/www/nginx/resources" failed (2: No such file or directory), client: xx.xx.xx.xx(<-- Android IP), server: my.server, request: "GET /resources?X-Plex-Token=jtz[...deleted...]PU HTTP/1.1", host: "my.server"

When connecting in local network, the same error message is produced, however the Plex app works normally.

Below are my configs:

Show : nginx.conf

Code:

load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

#user  nobody;
worker_processes  6;

# This default error log path is compiled-in to make sure configuration parsing
# errors are logged somewhere, especially during unattended boot when stderr
# isn't normally logged anywhere. This path will be touched on every nginx
# start regardless of error log location configured here. See
# https://trac.nginx.org/nginx/ticket/147 for more info.
#
#error_log  /var/log/nginx/error.log;
#

#pid		logs/nginx.pid;


events {
	worker_connections  1024;
}


http {
	include	   mime.types;
	default_type  application/octet-stream;

	#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
	#				  '$status $body_bytes_sent "$http_referer" '
	#				  '"$http_user_agent" "$http_x_forwarded_for"';

	#access_log  logs/access.log  main;

	sendfile		on;
	#tcp_nopush	 on;

	#keepalive_timeout  0;
	keepalive_timeout  65;

	#gzip  on;

	# Plex jail IP
	upstream plex {
		server xx.xx.xx.37:32400;
	}


	# listen on port 80 -> redirect to 443
	server {
	 listen 80;
		 return 301 https://$host$request_uri;
	}

	# listen on port 443 primarily
	server {
		listen 443 ssl;
		server_name my.server;
		
		include ssl_common.conf;
		include proxy_setup.conf;

		
		client_max_body_size 8196M;


		#charset koi8-r;

		#access_log  logs/host.access.log  main;

		location / {
			root   /usr/local/www/nginx;
			index  index.html index.htm;

			if ($args ~ (.*)X-Plex-Device(.*)) {
				proxy_pass http://plex;
			}

			if ($http_referer ~ (.*)plex(.*)) {
				proxy_pass http://plex;
			}
		}

		# redirect server error pages to the static page /50x.html
		error_page   500 502 503 504  /50x.html;
		location = /50x.html {
			root   /usr/local/www/nginx-dist;
		}
	}
}

Show : proxy_setup.conf

Code:

location /nextcloud {
	 proxy_pass http://xx.xx.xx.32;
#	 proxy_redirect off;
	 proxy_redirect http://xxx.xx.xx.32 https://my.server/nextcloud;

	 proxy_headers_hash_max_size 512;
	 proxy_headers_hash_bucket_size 64;

	 proxy_set_header Host $host;
	 proxy_set_header X-Forwarded-Proto $scheme;
	 proxy_set_header X-Real-IP $remote_addr;
	 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	 add_header Front-End-Https on;
}


location /transmission {
	 proxy_pass http://xx.xx.xx.35:9091;
	 proxy_redirect off;
	 proxy_set_header Host $host;
	 proxy_set_header X-Real-IP $remote_addr;
	 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	 add_header   Front-End-Https   on;
}



# plex IP defined in nginx.conf (upstream plex {...}
location ~ ^/(\?(?:.*)(X-Plex-Device=)|web|video|photo|library|web|status|system|updater|clients|:|playQueues)(.*){
	proxy_pass http://plex;
	proxy_redirect  http://plex /;
	# set some headers and proxy stuff.
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_redirect off;

	# include Host header
	proxy_set_header Host $host;

	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_read_timeout 36000s;
	proxy_pass_request_headers on;
}

location /plex {
	error_log /var/log/nginx/plex.error.log debug;
	rewrite_log on;
	rewrite ^/plex(.*)$ /web$1 break;
	proxy_pass http://plex;
	proxy_headers_hash_max_size 51200;
	proxy_headers_hash_bucket_size 6400;
	proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
	proxy_set_header Host $host;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_read_timeout 36000s;
	proxy_pass_request_headers on;
}

I'm no pro, just a big fan of the forum ; ) Any help or comments in general for that matter are appreciated.

 

[biggyk]

when running the certbot challenge I get a timeout error. Says the server could not connect to the client to verify the domain.

 

[LIGISTX]

I think I am having the same issue as above. When I run

Code:

root@nginx_reverse:/certbot # ./letsencrypt-auto --debug certonly --standalone -d mydomain.net

I get:

Code:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.net
Waiting for verification...
Cleaning up challenges

Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lmydomain.net
   Type:   connection
   Detail: Fetching
   http://mydomain.net/.well-known/acme-challenge/dG1Mv039gQ3qgWjszo92plHIvXdDhmq0_pv4wJh8tcM:
   Timeout during connect (likely firewall problem)

 

[ZodiacUHD]

I think I am having the same issue as above. When I run

Code:

root@nginx_reverse:/certbot # ./letsencrypt-auto --debug certonly --standalone -d mydomain.net

I get:

Code:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.net
Waiting for verification...
Cleaning up challenges

Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lmydomain.net
   Type:   connection
   Detail: Fetching
   http://mydomain.net/.well-known/acme-challenge/dG1Mv039gQ3qgWjszo92plHIvXdDhmq0_pv4wJh8tcM:
   Timeout during connect (likely firewall problem)

Are port 443 and 80 open and assigned to the reverse proxy jail?

 

[LIGISTX]

Are port 443 and 80 open and assigned to the reverse proxy jail?

I figured that was the issue and tried to figure that out, looks like port 443 isn't actually being opened. I never tried to open 80, but according to https://portchecker.co/check 443 is closed...... No idea why, I am using google wifi and I can open other ports without issue.

 

[LIGISTX]

O, well... I opened 80 as well (did I miss this somewhere in the instructions....?) and even though the port shows as closed, it worked!

Thanks!!!

 

[glauco]

Hey ZodiacUHD, we're from the same country!
Thank you for this tutorial. A reverse proxy has been on my mind for quite a while. As soon as I have some spare time I'm going to tackle this!
By the way, is the tutorial still up to date (last update dates back to Sept 2017)?

 

[ZodiacUHD]

Hey ZodiacUHD, we're from the same country!
Thank you for this tutorial. A reverse proxy has been on my mind for quite a while. As soon as I have some spare time I'm going to tackle this!
By the way, is the tutorial still up to date (last update dates back to Sept 2017)?

Hey there :)
The tutorial is still working fine, you can also apply it to an iocage jail if you wish. In case you have any doubt or questions, don't hesitate to write here or send me a PM.
Cheers!

 

[Pyroson]

Which parts need to get changed out for the new iocage setup? I am having a lot of issues with the warden jails right now and have started moving everything over to iocage jails. I just need help in setting up the iocage jail for this one.

 

[ZodiacUHD]

You just create a iocage jail, then type

Code:

iocage console nameofthejail

After that you proceed with the tutorial, That’s it.

 

[SilentStrike]

Hello, thanks for this documentation! It'll be super useful once I get passed this issue I'm having!

For some reason, it's unable to perform the challenge, and I'm uncertain of what I'm doing wrong. I've followed it step by step so far, with only variance being the jail name (nginx instead of nginx_reverse) and the ip address of the jail. I've tried the exact names and address though with no difference in results.

Code:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for emby.random.com
http-01 challenge for freenas.random.com
http-01 challenge for ftp.random.com
http-01 challenge for ipmi.random.com
http-01 challenge for jackett.random.com
http-01 challenge for random.com
http-01 challenge for qbittorrent.random.com
http-01 challenge for radarr.random.com
http-01 challenge for sonarr.random.com
http-01 challenge for www.random.com
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
	return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
	lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
	lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
	cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
	orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
	authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
	self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
	self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://random.com/.well-known/acme-challenge/X7iPY5s4bX5SQQ-lmaFTFXhgVNZ0GXK6fMxThdP1lvQ: Timeout during connect (likely firewall problem), www.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.random.com/.well-known/acme-challenge/Sr6U-hvmlYvkJLLuxlEarrU5MOo7RuyoMZs8LF6tAsg: Timeout during connect (likely firewall problem), emby.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://emby.random.com/.well-known/acme-challenge/bIN2l9knVr_ENmwD588zOy-IbqAMw_bTHjxCjFWBBsw: Timeout during connect (likely firewall problem), jackett.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jackett.random.com/.well-known/acme-challenge/cFzp4lfOWqZRkeFYm9KHCLNpsHRRVA653V0GLSOi5s4: Timeout during connect (likely firewall problem), radarr.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://radarr.random.com/.well-known/acme-challenge/5iSag4HfmHEdw0WdtvuYLFjDTccMtt97tz2EvxQbyXU: Timeout during connect (likely firewall problem), sonarr.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sonarr.random.com/.well-known/acme-challenge/2hxpjB8GBs8-lLdz9jKZgq7QktlulGviXUXJqfQ9TLA: Timeout during connect (likely firewall problem), freenas.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://freenas.random.com/.well-known/acme-challenge/8u5224h2G4oZtVtmfoj1Tm-vKz0lYLYReubu6Z3jmBQ: Timeout during connect (likely firewall problem), ipmi.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ipmi.random.com/.well-known/acme-challenge/27-1zg_AQ-5RKlYhI06d5ipl2eHhS9SUD5tpJurJDj0: Timeout during connect (likely firewall problem), ftp.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ftp.random.com/.well-known/acme-challenge/zLDu8HvdWN6GGRhDNqEcMm7S7t6HRIKnFexrjsHN5Bk: Timeout during connect (likely firewall problem), qbittorrent.random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://qbittorrent.random.com/.well-known/acme-challenge/eX_yIl6GOX8P9In0XJjwQvURbfGpEuErrJ7VpVyj0vE: Timeout during connect (likely firewall problem)

I've also made sure to re-route my ports to the jail in question. Tried only port 80, only port 443 and both ports.

I've had challenges manually setup on my domain previously because I set them up manually in the past. Could these interfere with these challenges? I've renamed the challenges, so technically I figured they wouldn't, but maybe I was wrong?

 

[ZodiacUHD]

Hey there, are you trying this on warden or iocage?

 

[SilentStrike]

Hey Zodiac, if I go to jails and press "Add Jail", I think that's on warden, correct?

 

[ZodiacUHD]

Hey Zodiac, if I go to jails and press "Add Jail", I think that's on warden, correct?

Well, unless you're on 11.2 beta, yes: you're on warden. Did you try getting the cert just for the domain? (random.com)

 

[SilentStrike]

Then yeah, I'm on warden. And yes, I had tried just random.com, here's the result.

Code:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for random.com
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
	return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
	lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
	lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
	cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
	orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
	authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
	self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
	self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. random.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://random.com/.well-known/acme-challenge/oBpbM2kFZ1OjG1pnbSYx-6wGsvjz_0sNwFJWscEQF20: Timeout during connect (likely firewall problem)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: random.com
   Type:   connection
   Detail: Fetching
   http://random.com/.well-known/acme-challenge/oBpbM2kFZ1OjG1pnbSYx-6wGsvjz_0sNwFJWscEQF20:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.