Setup a reverse proxy to gain access to:
- My synology NAS (without quickconnect)
- DSM
- Moments
- Surveillance station
- Web station
- Home Automation Web server Jeedom (without using included OpenVPN)
- Personal website (php/js / MariaDB) hosted on NAS
- Others (maybe create interface to add/remove/edit proxy settings)
via https://<my domain>/path_to_service
Constraints:
- run on an unused Raspberry Pi B+
- Connection to anywhere has to be done through TLS encrypted https:
- target SSL Labs A or A+
- SSL/TLS certificates from Let's encrypt and renewed automatically
As i'm not at home for now, all config should be able to be done remotely
Initial steps to be able to work remotely:
-
Setup a functional Raspberry Linux version (Raspbian Lite)
- https://www.raspberrypi.org/downloads/
- check git RPi_Setup here
-
On ISP router:
- Bind Internal router MAC address to
- Place in DMZ
-
On internal router:
- Bind RPI MAC address to
- redirect port 22 to :22 (for remote setup)
-
Update packages
sudo apt-get update sudo apt-get upgrade
-
Install Nginx
sudo apt-get install nginx
-
Check if Nginx is running, by going in web browser to
- On internal router
- forward port 80 and 443 to
-
Install certbot
sudo apt-get install certbot python-certbot-nginx
-
Run certbot for Nginx for <yourdomain.com>
sudo certbot --nginx -d <yourdomain.com>
- enter email
- Agree terms of service
- Select whether or not to redirect HTTP traffic to HTTPS
-
ssllabs.com --> Grade A
-
improve SSL security:
sudo nano /etc/letsencrypt/options-ssl-nginx.conf
-
modify line as follow:
# Allow only TLS 1.2; #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1.2; # Change to more recommended ciphers #ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA3$ ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
-
-
For synology apps:
-
For Webstation:
-
Configure redirections:
-
Create and edit new configuration file
sudo nano /etc/nginx/sites-available/<yourdomain.com>.conf
-
Edit Nginx config file to look like this:
# Default HTTP server -> redirect to HTTPS server { listen 80 default_server; listen [::]:80 default_server; server_name <yourdomain.com>; return 301 https://$host$request_uri; } server { listen 443 ssl; listen [::]:443 ssl; ssl_certificate /etc/letsencrypt/live/<yourdomain.com>/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/<yourdomain.com>/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; server_name <yourdomain.com>; location /cpts/ { index index.php index.html; proxy_pass http://192.168.xx.xx:10001/; } location /php/ { index index.php; proxy_pass https://192.168.xx.xx:10010/; } location /moments/ { proxy_pass https://192.168.xx.xx:10005/; } location /drive/ { proxy_pass https://192.168.xx.xx:10003/; } location /surveillance/ { proxy_pass https://192.168.xx.xx:9901/; } location /dsm/ { proxy_pass https://192.168.xx.xx:5001/; } location /jeedom/ { root /var/www/html/; index index.php; proxy_pass http://192.168.xx.xx:80/; } # Close connections for any other subdomains location / { return 444; } }
-
-
Link config file
sudo ln -s /etc/nginx/sites-available/<yourdomain.com>.conf /etc/nginx/sites-enabled/<yourdomain.com>.conf
-
Edit Nginx config (to disable default config file):
sudo nano /etc/nginx/nginx.conf
-
modify line:
include /etc/nginx/sites-enabled/*; -
to: (so, it will not use anymore default file named "default")
include /etc/nginx/sites-enabled/*.conf;
-
-
Test new configuration
sudo nginx -t
-
Reload Nginx configuration files:
sudo nginx -s reload
-
Nginx
-
check which version is running:
nginx -v
-
check error log file
cat /var/log/nginx/error.log
-
-
Certbot
-
Test certificate renewal
sudo certbot renew --dry-run
-
Certificate renewal when needed
sudo certbot renew
-
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent