# Installing reverse proxy on ClearOS that uses certificates
This guide will help you install and configure a reverse proxy on ClearOS. It demonstrates the use of Let's Encrypt, but you can use any certificate.


# Preparation
You will need to install things from the Marketplace and also from the command line.


## ClearOS Modules
Download and install the following support modules for ClearOS:
* Dynamic DNS
* Web Server
* Let's Encrypt

For Dynamic DNS, if you host a domain name with ClearOS you can easily tie this server's name into your DNS account and then create CNAME records on ClearOS for the various services running behind this server.
If you do not host your DNS with ClearOS you can simply use a 'poweredbyclear.com' domain. If that is acceptable, use it as-is. If you would like to use your own hostnames, configure the 'poweredbyclear.com' DNS name for Dynamic DNS and then create CNAME records that point to that name for all of your services.

For Let's Encrypt to work it will need to talk to your ClearOS Web server on port 80. This is how it validates that you control the hostname you are requesting a certificate for.

For Let's Encrypt you may get prompted for prerequisites to configure Master/Slave/Standalone (always pick Master if this is your first server for this customer). You may also need to set up the directory (usually OpenLDAP). And lastly, you may need to set up the certificate server.


## NGINX
Downloading and installing the NGINX package on ClearOS is easy. From an SSH session (for example PuTTY), run the following as root:

```
yum install nginx
```


# Configuration
You will need to configure and set up Dynamic DNS and Let's Encrypt using the ClearOS Web GUI. You will need to configure NGINX from the command line.

## Web Server
This is pretty simple and you don't have to do much here. Simply start the Web server service and ensure that port 80 is open.

## Dynamic DNS
This is configured from the Cloud section of the Webconfig GUI. You can pick whatever you want for the first part of the hostname so long as someone else hasn't grabbed it. If you have your DNS hosted by ClearCenter (not recommended) then you can use a custom hostname with that domain via Dynamic DNS (kind of like a vanity plate). Otherwise, just make one for the 'poweredbyclear.com' domain.

## Let's Encrypt
DNS must be working for this to register properly. You can register a number of different certificates provided that ALL of them resolve via DNS to this host and port 80 is open to the outside.
If you have to make changes to your Dynamic DNS, it can take up to 5 minutes before Let's Encrypt is able to use them.

## NGINX
By default NGINX will conflict with the ClearOS Web Server (Apache) module on port 80. You will need to modify the default /etc/nginx/nginx.conf so that its default server block on port 80 is commented out. Put hash marks in front of all of these lines so that they look like this:


```
# server {
#     listen       80 default_server;
#     listen       [::]:80 default_server;
#     server_name  _;
#     root         /usr/share/nginx/html;
#
#     # Load configuration files for the default server block.
#     include /etc/nginx/default.d/*.conf;
#
#     location / {
#     }
#
#     error_page 404 /404.html;
#     location = /40x.html {
#     }
#
#     error_page 500 502 503 504 /50x.html;
#     location = /50x.html {
#     }
# }
```

Next, create a file called /etc/nginx/conf.d/proxypass.conf which contains something like this:

```
server {
    # Port the proxy listens on; 8888 avoids clashing with Apache on 80/443.
    # "listen ... ssl;" is the current form of the older, deprecated "ssl on;".
    listen 8888 ssl;

    # Server certificate with its chain, and the matching private key. The
    # numeric suffix in the archive folder increases with every renewal.
    ssl_certificate     /etc/letsencrypt/archive/something.poweredbyclear.com/fullchain1.pem;
    ssl_certificate_key /etc/letsencrypt/archive/something.poweredbyclear.com/privkey1.pem;

    location / {
        # Plain HTTP to the LAN host; this hop is not encrypted.
        proxy_pass http://192.168.1.10:81;
    }
}
```

The port in the 'listen' directive (8888 here) is the port the proxy listens on. You can make this 443 if you can get Apache to stop using that port.
The 'ssl_certificate' parameter points to the server certificate file. It is best to join the certificate chain to the server certificate; Let's Encrypt does this for you with the fullchain1.pem file.
Let's Encrypt places the current, active certificate in the archive folder named after the certificate's hostname. Point it there.
The 'ssl_certificate_key' parameter must point to the private key file for this domain.
Lastly, the 'proxy_pass' line contains the internal LAN URL for the service. It is important to remember that there is NO ENCRYPTION between the ClearOS server and this HTTP server on the LAN. It is strongly advised to place ClearOS and this unencrypted server on the same switch.
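Before starting the service it is worth checking the four things the paragraph above depends on: that the private key is not world-readable, that the certificate and key actually belong together, that the plain-HTTP upstream really is a private LAN address, and that the chosen port is free. The script below is an added example, not code from the original post. It defaults to the HowTo's /etc/nginx/conf.d/proxypass.conf (override with the CONF environment variable); the script name preflight.sh and the "check" argument are my own conventions, and the openssl and ss tools are assumed to be present as they are on ClearOS.

```shell
#!/bin/sh
# Pre-flight checks for the nginx TLS reverse proxy described in the HowTo.
# Added example, not code from the original post. Paths default to the
# HowTo's proxypass.conf; override with CONF=/path/to/file.
# Usage:  sh preflight.sh check      (run before "systemctl start nginx")

CONF="${CONF:-/etc/nginx/conf.d/proxypass.conf}"

# Print the value of the first occurrence of an nginx directive in a file,
# e.g. nginx_directive ssl_certificate_key "$CONF"
nginx_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$2" | head -n 1
}

# The private key must not be readable by "other": the last octal digit of
# its mode has to be 0 (0600, or 0640 with the nginx group, are both fine).
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# The certificate and key must belong together: the public key extracted
# from each side has to hash to the same value.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The hop to the upstream is plain HTTP, so insist that the upstream host is
# a private (RFC 1918 or loopback) address rather than something routable.
lan_backend_ok() {
    case "$1" in
        http://*) host=${1#http://} ;;
        *)        return 1 ;;      # only plain http:// upstreams are accepted here
    esac
    host=${host%%/*}; host=${host%%:*}
    case "$host" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apache owns 80 and 443 on ClearOS; make sure the chosen port is not taken.
# If "ss" is missing the check passes silently, so nginx -t stays the final word.
port_free() {
    ! ss -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
}

main() {
    cert=$(nginx_directive ssl_certificate "$CONF")
    key=$(nginx_directive ssl_certificate_key "$CONF")
    upstream=$(nginx_directive proxy_pass "$CONF")
    port=$(nginx_directive listen "$CONF" | cut -d' ' -f1)
    status=0
    key_perms_ok "$key"           || { echo "FAIL: $key is world-readable"; status=1; }
    cert_key_match "$cert" "$key" || { echo "FAIL: $cert and $key do not match"; status=1; }
    lan_backend_ok "$upstream"    || { echo "FAIL: plain-HTTP upstream $upstream is not on a private LAN"; status=1; }
    port_free "$port"             || { echo "FAIL: port $port is already in use"; status=1; }
    nginx -t                      || status=1    # full syntax check of /etc/nginx/nginx.conf
    [ "$status" -eq 0 ] && echo "OK: ready for systemctl start nginx"
    return "$status"
}

# Only run the checks when invoked as "preflight.sh check", so the functions
# can also be sourced and reused from other scripts.
if [ "${1:-}" = "check" ]; then
    main
fi
```

The LAN check deliberately rejects anything that is not an http:// URL to a private address, because the only reason to accept an unencrypted hop at all is that it never leaves your own switch; if you later move the upstream to HTTPS, relax that function rather than the rest of the script.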

# Starting the services
Once configured, start the nginx service with the command:

```
systemctl start nginx
```

Look for any errors. If it starts ok, make sure to enable the service for boot:

```
systemctl enable nginx
```

# Cleaning up
You may need to open the port you are using for NGINX to the outside. It is also highly advised that you take precautions with reverse proxies, for example placing the hosts on a HotLAN or even using a separate ClearOS box that is not your main firewall.
Saturday, October 02 2021, 12:07 AM
Responses (4)
  • Accepted Answer

    Saturday, October 02 2021, 08:42 PM
    I need to make some corrections here. There is no point in cloning the file I mentioned earlier, /etc/clearsync.d/filewatch-samba-configuration-event.conf, as all that does is trigger the scripts in /var/clearos/events/samba_configuration. A better template would be /etc/clearsync.d/filewatch-httpd.conf which directly fires off a command. That command could be to restart nginx with a condrestart.

    The other thing to note is that there does not appear to be any trigger to restart samba on an smb.conf change.
  • Accepted Answer

    Saturday, October 02 2021, 02:17 PM
    Dave Loper wrote:
    Using live on Let's Encrypt would be a better thing. Also having a change awareness hook on the file to restart the daemon would be an improvement (similar to how firewall.conf and smb.conf behave). That way it is not dependent on Let's Encrypt and could be any certificate.
    You could set up a watcher on your proxypass.conf just by cloning /etc/clearsync.d/filewatch-samba-configuration-event.conf and editing it accordingly, but it won't help if you use the LE live certificates as you would never have to change the certificate files in proxypass.conf when the certificate renews. I think this is where Team Canada started rewriting the Certificate Manager app years ago to try to cope with both conventional and LE certificates in a unified way but it was never finished.
  • Accepted Answer

    Saturday, October 02 2021, 12:43 PM
    Proxypass is not free. As far as I know, it is not well maintained.

    Using live on Let's Encrypt would be a better thing. Also having a change awareness hook on the file to restart the daemon would be an improvement (similar to how firewall.conf and smb.conf behave). That way it is not dependent on Let's Encrypt and could be any certificate.
  • Accepted Answer

    Saturday, October 02 2021, 08:12 AM
    Hi Dave, long time no hear! Thanks for your write up.

    Can I suggest a bit of a mod. For Let's Encrypt I suggest you link to the certificates in /etc/letsencrypt/live/something.poweredbyclear.com or whatever your domain is. Then when Let's Encrypt rotates your certificate every two months, it maintains the symlinks to always point to the current certificate. You may also need to restart or reload nginx to read the new certificates. Please see the Using Let's Encrypt Certificates for Mail and other Apps HowTo for one simple way of doing it. You can also drop a configlet into /etc/letsencrypt/renewal-hooks/deploy, I believe.

    Also from the HowTo, if nginx does not run as root you may need to adjust permissions on the key and one of the folders for nginx to be able to read the certificate.

    Can I ask what this is doing that the Proxy Pass App is not? The main thing I think I see is that you are passing any port whereas the Proxy Pass app is limited to 80 and 443.

    Note, I am considering releasing an update to the Let's Encrypt app to remove all but the last x certificates and keys from the archive folder and the csr and key folder as they build forever and take up your valuable free backup space. In my case, having a number of certificates, that ended up taking quite a lot of space. The update is already in clearos-contribs-testing and it would delete your certificate in about 12 months, but your certificate would have been expired for 9 months by then.
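Two suggestions in this thread fit together: pointing proxypass.conf at the stable /etc/letsencrypt/live/ symlinks (the reply above) and having some hook reload the daemon when the certificate files change (Dave Loper's "change awareness hook" further up). The script below is an added example written for this thread, not code from the ClearOS Let's Encrypt app or from either poster. It assumes the app keeps certbot's layout: /etc/letsencrypt/live/<name>/fullchain.pem and privkey.pem are the symlinks to reference, certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, and it exports RENEWED_LINEAGE (the live/<name> directory) and RENEWED_DOMAINS to that hook. The file name reload-nginx.sh and the CONF variable are my own choices.

```shell
#!/bin/sh
# Certbot deploy hook: reload nginx after a renewal, but only when the renewed
# lineage is the one proxypass.conf actually references.
# Added example, not from the thread. Assumes certbot's layout and environment
# (RENEWED_LINEAGE, RENEWED_DOMAINS). Suggested installation:
#   install -m 755 reload-nginx.sh /etc/letsencrypt/renewal-hooks/deploy/

CONF="${CONF:-/etc/nginx/conf.d/proxypass.conf}"

# True when an ssl_certificate or ssl_certificate_key directive in the config
# loads its file from the given lineage directory. Fixed-string grep first so
# dots in the domain name are not treated as regex metacharacters.
conf_uses_lineage() {
    grep -F -- "$2/" "$1" | grep -Eq '^[[:space:]]*ssl_certificate(_key)?[[:space:]]'
}

# Validate before reloading: a reload with a broken config keeps the old
# workers and their old certificate, which is exactly what we want to notice
# in certbot's output rather than discover when the old one expires.
reload_nginx() {
    nginx -t && systemctl reload nginx
}

main() {
    lineage="${RENEWED_LINEAGE:-}"
    if [ -z "$lineage" ]; then
        echo "RENEWED_LINEAGE is not set; run this from certbot's deploy hooks" >&2
        return 2
    fi
    if conf_uses_lineage "$CONF" "$lineage"; then
        echo "renewed ${RENEWED_DOMAINS:-$lineage}; reloading nginx"
        reload_nginx
    else
        echo "renewal of $lineage does not touch $CONF; nothing to do"
    fi
}

# Run only when certbot (or a manual test with the variable exported) set it;
# sourcing the file otherwise just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the live/ symlinks always resolve to the newest files in archive/, proxypass.conf never needs editing after a renewal; the hook only makes nginx re-read them. The permissions point from the reply still applies: the master process reads the certificate and key at start and reload, so whatever user it runs as must be able to traverse the live/ and archive/ directories and read the key.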