


ProxmoxVE container reverse-proxy HTTP/HTTPS avec Nginx et Let's Encrypt

Création d'un CT aussi petit que:

  • HDD 5GB
  • CPU 1
  • MEM 256MB
  • SWAP 512 MB
  • eth0 (vmbr0) 10.4.2.101/24

Installation des paquets :

  • nginx-full (nginx-light suffirait ?)
  • python-certbot-nginx

Nginx core conf

/etc/nginx/nginx.conf
# Main (top-level) context of nginx.conf: worker identity, process count,
# pid file and dynamic modules. This matches the Debian default file.
user www-data;
# One worker per CPU core; the CT above is sized with CPU 1.
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        # Max simultaneous connections per worker (Debian default).
        worker_connections 768;
        # multi_accept on;
}

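http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # Hide the nginx version in the Server header and on error pages
        # (the Debian default leaves this commented out).
        server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); only TLS 1.2 is kept as
        # the http-level default. Add TLSv1.3 once the installed nginx/OpenSSL
        # accept that token. Note that a vhost which includes
        # /etc/letsencrypt/options-ssl-nginx.conf overrides this setting at
        # server level; this default covers every vhost that does not.
        ssl_protocols TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # NOTE(review): compressing dynamic responses over TLS can expose
        # secrets reflected in the body (BREACH); text/html is always in
        # scope for gzip. Leave gzip on for static assets only if the proxied
        # application reflects user input next to secrets — confirm per app.
        gzip on;
        gzip_vary on;
        gzip_http_version 1.1;
        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
        gzip_comp_level 6;
        gzip_min_length 1400;
        gzip_proxied any;
        # application/javascript added: current mime.types maps .js to that
        # type, so the legacy application/x-javascript entry alone does not
        # match JavaScript responses.
        gzip_types text/plain text/css application/x-javascript application/javascript text/xml application/xml application/rss+xml text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}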

# Catch-all for HTTP requests whose Host header matches no configured
# vhost (IP scans, stray names): 444 closes the connection without a
# response. A `server` block is only valid inside the http context, so
# this presumably lives in a file under sites-enabled/ rather than at the
# end of nginx.conf as shown here — verify where it is installed.
# NOTE(review): there is no equivalent default_server on :443, so an HTTPS
# request with an unknown Host is answered by the first ssl vhost instead.
server {
        listen 80 default_server;
        server_name _;
        server_name_in_redirect off;
        return 444;
}

Let's Encrypt

Documentation certbot (Let's Encrypt) : https://certbot.eff.org/lets-encrypt/debianstretch-nginx

Après avoir monté le vhost “pre_tls”, il suffit de valider le domaine:
# certbot --nginx certonly

--> choisir le domaine à valider dans la liste des vhosts actifs proposée

Nginx vhost conf

vhost avant d'avoir un certificat TLS

$SETMYNAME doit être renseigné

vhost pre_tls
# Temporary plain-HTTP vhost used only to pass the certbot challenge
# (certbot --nginx certonly) before a certificate exists. $SETMYNAME is a
# page placeholder to replace, not an nginx variable. Replace this vhost
# with the TLS one once the certificate has been issued.
server {
  listen  80;
  server_name $SETMYNAME;
  root /var/www/html/;
}

vhost avec certificat TLS

$SETMYNAME & $SETMYPATH doivent être renseignés
:!: le renouvellement nécessite un bout de répertoire sur le vhost :!:

vhost with TLS cert
# Port 80 side of the TLS vhost: every request, path included, is
# permanently redirected to the HTTPS vhost of the same name. This also
# covers /.well-known, so the renewal challenge is answered over HTTPS by
# the :443 block below.
server {
  listen  80;
  server_name $SETMYNAME;
  return 301 https://$server_name$request_uri;
}

# HTTPS reverse-proxy vhost for $SETMYNAME, terminating TLS with the
# Let's Encrypt certificate and forwarding plain HTTP to $SETMYPATH.
# Both names are page placeholders to fill in, not nginx variables.
server {
  listen 443 ssl;
  server_name $SETMYNAME;

  # SSL stuff
  # NOTE(review): OCSP stapling needs a `resolver` directive so nginx can
  # look up the OCSP responder hostname; none is set in this block or in
  # nginx.conf, so stapling is likely ignored (check error.log). E.g.:
  # resolver <DNS_RESOLVER_IP> valid=300s;   # placeholder, set your own
  ssl_stapling         on;
  ssl_stapling_verify  on;
  ssl_certificate      /etc/letsencrypt/live/$SETMYNAME/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/$SETMYNAME/privkey.pem;
  # certbot's include sets protocols/ciphers at server level and takes
  # precedence over the http-level ssl_protocols in nginx.conf.
  include              /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam          /etc/letsencrypt/ssl-dhparams.pem;

  # certbot renew
  # Challenge files are served from /var/www/ssl/$SETMYNAME/.well-known/.
  # With `certbot --nginx` the plugin edits the config itself during
  # renewal, so this location is presumably only needed for the webroot
  # method — TODO confirm against /etc/letsencrypt/renewal/.
  location /.well-known {
    root /var/www/ssl/$SETMYNAME/;
  }

  # Reverse-proxy stuff
  location / {
    # Pass client identity and the original scheme to the backend.
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    # WebSocket pass-through. NOTE(review): "Connection: upgrade" is sent
    # on every proxied request, not only on Upgrade handshakes; the
    # documented nginx pattern is a `map $http_upgrade $connection_upgrade`
    # in the http context and `proxy_set_header Connection
    # $connection_upgrade;` here.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    # 15 minutes between backend reads before nginx gives up (keeps idle
    # WebSocket connections alive).
    proxy_read_timeout 900s;
    # The backend is reached over plain HTTP; it should only be on the
    # internal bridge, not exposed directly.
    proxy_pass http://$SETMYPATH;
  }
}

Pour mémoire, vhost sans TLS mais avec redirection

$SETMYNAME & $SETMYPATH doivent être renseignés

simple vhost with redirect
# Plain-HTTP reverse-proxy vhost for $SETMYNAME (no TLS, no redirect to
# HTTPS): traffic between the client and this CT travels in clear text,
# so prefer the TLS vhost above for anything that carries credentials.
# $SETMYNAME and $SETMYPATH are page placeholders, not nginx variables.
server {
  listen       80;
  server_name  $SETMYNAME;

  location / {
    # Talk HTTP/1.1 to the backend so Upgrade and keep-alive work.
    proxy_http_version  1.1;

    # Forward client identity and the original scheme.
    proxy_set_header  Host               $host;
    proxy_set_header  X-Real-IP          $remote_addr;
    proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto  $scheme;

    # WebSocket pass-through. NOTE(review): "Connection: upgrade" is sent
    # on every proxied request, not only on Upgrade handshakes; the
    # documented nginx pattern is a `map $http_upgrade $connection_upgrade`
    # in the http context and `Connection $connection_upgrade` here.
    proxy_set_header  Upgrade     $http_upgrade;
    proxy_set_header  Connection  "upgrade";

    # 15 minutes between backend reads (long-lived/idle connections).
    proxy_read_timeout  900s;

    # Backend host[:port][/path], reached over plain HTTP.
    proxy_pass  http://$SETMYPATH;
  }
}