Help with installing SNI Proxy to pass through certificates on different port

RS1 · 18. Januar 2017

Hi there,

I recently installed the LetsEncrypt plugin but haven't been able to figure out how to pass through certificates to different ports on the same domain. SNI Proxy supposedly works, but I get an error when I get to step 2 in the following guide github.com/dlundquist/sniproxy . I'm sure that I'm missing something really simple (I'm new to Linux in general!). Any guidance would be appreciated.

Thank you

Error:

Code

"./autogen.sh: command not found"

NB: I've installed autoconf and automake tools.

luxflow · 18. Januar 2017

try remount your disk executable that have ./autogen.sh
mount -o remount,exec <your disk mount path>
(find your disk mount path using mount)

RS1 · 18. Januar 2017

Zitat von luxflow

try remount your disk executable that have ./autogen.sh

Thanks for this. I'm not quite sure how to do that: when I do a search (using midnight commander) for "autogen", I receive 3 results:

usr/bin
usr/share
usr/share/doc

when I type 'mount' in terminal.. I see various paths, however, none consist of 'usr' or 'usr/bin'

Thoughts?

luxflow · 18. Januar 2017

oh I found what's wrong with you

just type following commands

git clone https://github.com/dlundquist/sniproxy
cd sniproxy
sudo apt-get install autotools-dev cdbs debhelper dh-autoreconf dpkg-dev gettext libev-dev libpcre3-dev libudns-dev pkg-config fakeroot devscripts./autogen.sh && dpkg-buildpackagesudo dpkg -i ../sniproxy_<version>_<arch>.deb

you might wonder why git clone, cd sniproxy is skipped in github page
that's because usually plugin developer expect user already know this procedure

although it is.. more like about linux not OMV
next time, ask in linux forum, or freenode #irc
you will get better faster answer

luxflow · 18. Januar 2017

I'm also wondering why you use

Zitat von RS1

how to pass through certificates to different ports on the same domain

could you explain more detail? I think you don't need sniproxy...

RS1 · 18. Januar 2017

Zitat von luxflow

I'm also wondering why you use

could you explain more detail? I think you don't need sniproxy...

Sure.. I installed letsencrypt and generated a certificate which works on my default domain / OMV. However, I also have other services, namely 'syncthing' and 'emby', running on the same domain but on different ports. I read the instructions on the letsencrypt thread and 'fubz' suggested that SNI Proxy would enable a way of passing through the same certificate to services running on the same domain but on different ports..

So, I just figured that SNI Proxy was what I needed. Thoughts?

luxflow · 18. Januar 2017

hmm try omv-nginx plugin rather than SNI proxy
it is more convinient sice it has web UI
I googled some info about SNI proxy and I think you don't need SNI proxy

so basically set your backend services(emby,syncthing..) to use http (it is default as I know)
and using nginx as reverse proxy, of course you can assign different port for each backend service

but I suggest you different hostname for services rather than only changing port if you possible
so
use syncthing.example.com, emby.example.com
rather than example.com:445, emby.example.com:446
I think it is more good practice

for example, emby listen http://localhost:8096

so omv-nginx -> server -> add -> follow below setting (change domain, port according to your needs)

and put it in extras options

Code

location / {
                # Send traffic to the backend
                proxy_pass http://127.0.0.1:8096;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $remote_addr;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_redirect off;


                # Send websocket data to the backend aswell
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }

Alles anzeigen

RS1 · 19. Januar 2017

Zitat von luxflow

use syncthing.example.com, emby.example.com

Thanks for this! I've spent the last few hours trying to set this up; unfortunately, I'm getting things a little confused. Would be great to receive your thoughts.

I have installed a plugin named 'local DNS/DHCP' to resolve domain names on the lan e.g. nas.xxx.local ---> 127.0.0.50 The plugin lets me only map an IP. I can't set a port.

Separately to this, I have registered a subdomain on freedns.com. This is mapped to my external IP e.g. 84.34.32.... ---> xxx.mydomain.com

What I'm trying to do is (1) pass through the SSL cert; and (2) set up a way of mapping emby.xxx.local to 127.0.0.50:8096 (which is for lan access); and (3) set up a way of mapping emby.mydomain.com to 84.34.32...:8096 (which is for remote access)

Do your instructions need to be amended given the way I've set things up?

Thanks

luxflow · 20. Januar 2017

There are 3 options I think

first of all, In all 3 options, your services should be listen at localhost(127.0.0.1)
that means all connection should pass proxy (whatever it is nginx, SNI..) unless connection made from OMV machine itself

First, very simple, easiest to configure but give up to use

Zitat von RS1

(2) set up a way of mapping emby.xxx.local to 127.0.0.50:8096 (which is for lan access);

instead make `server_name emby.local emby.mydomain.com`
or give up to use local address, access service only via emby.mydomain.com

Second,
set up omv-nginx for remote access
and set up omv-nginx for lan access (that means `server_name emby.mydomain.com emby.local`)
this can be done with omv-nginx UI

Third,
unlike above options, set your services to serve https
set up omv-nginx for remote access (that means `emby.mydomain.com localhost:8920`)
and set up omv-nginx for lan access (that means `emby.local localhost:8920`) note 8920 is https for emby

also don't forget to setup local dns, such as mDNS, DNS whatever... if you want to local domain
If you use option second, third one, you will encounter cert security warning this when you connect services from LAN
unless you manually add cert to trusted cert

My recommended choices are
first one or second one

RS1 · 20. Januar 2017

Zitat von luxflow

My recommended choices are
first one or second one

Thanks for taking the time to write this. I actually spent a large part of yesterday to get all of this to work. I think that my setup corresponds with your second option:

local: I used dnsmasq to create local server names that are resolved through the local dnsmasq server on OMV e.g. emby.lan
remote: I used freedns to register a subdomain for each of my main services that I may access remotely e.g. emby.mydomain.com
encryption: I used letsencrypt to generate an SSL cert for remote access; I created OMV self signed certs for each lan service
nginx: I created a pair of servers - one for remote; another for lan. In all servers, I am using SSL on 443 and selecting the appropriate certificate
I scoured the forums/net for the extra options depending on the server that I am configuring on nginx. You helped with emby. I did similarly for sickrage, syncthing etc.
Once setup, I accessed each of my services locally. Security warning received. I imported the certificate into keychain (Mac) and trusted the self signed certificate. I did similar for the remote access certificate.

How does my process appear to you? Am I fully covered? I think I'm nearly there. Here are a few loose ends that would be great to receive your thoughts on!

Emby:

I can't get it to work on port 8920. I just get an nginx error. Should I be using this port if I am using nginx with SSL:443/certificate? I have attached my emby nginx settings.

Syncthing

Similarly, I use a service called syncthing. I can't activate 'https for gui'. Any thoughts? I have attached my nginx config for syncthing.

Macbook Syncthing

Lastly, I haven't configured the syncthing client which is running on my macbook (127.0.0.1:8384) at all. I tried to setup SSL but didn't get very far. It doesn't seem as though I can pass through this instance to nginx which is running on the server.

Would be great to receive your thoughts on these final few issues! Thanks!

luxflow · 20. Januar 2017

Zitat von RS1

encryption: I used letsencrypt to generate an SSL cert for remote access; I created OMV self signed certs for each lan service

I'm not sure why you do, I think there is no difference self signed vs letsencrypt cert for lan services since either self or letsencrypt
it should be added trusted cert by manually to all of your computer which trying to lan services

Zitat von RS1

nginx: I created a pair of servers - one for remote; another for lan. In all servers, I am using SSL on 443 and selecting the appropriate certificate

try your Server name : emby.mydomain.com emby.lan
to manage only one configuration per service

Zitat von RS1

Emby:

I can't get it to work on port 8920. I just get an nginx error. Should I be using this port if I am using nginx with SSL:443/certificate? I have attached my emby nginx settings.

8920 port should be used when emby uses https (for SNI proxy), so your case, 8096
you should differentiate meaning between
proxy server using https and
service using https or http

for example, if proxy server uses https and service use http, when user connect proxy server, connection between user and service is https
1. user < -(https)- > proxy server
2. proxy server < -(http,https)- > service
In your case, your service is safe either http or https
because your service listen at localhost, user in LAN cannot directly access to service, only can access via proxy server

Usually service don't provide https
Because usually people use proxy server, and hide their service from directly access (for security reason, and load balacing, easy cert management)

SNI proxy says it is for
This enables HTTPS name-based virtual hosting to separate backend servers without installing the private key on the proxy machine.

But, in your case your proxy machine server and backend service server(emby...) are in same server, so SNI proxy for you is meaningless I think..

RS1 · 20. Januar 2017

Zitat von luxflow

I'm not sure why you do, I think there is no difference self signed vs letsencrypt cert for lan services since either self or letsencrypt
it should be added trusted cert by manually to all of your computer which trying to lan services

I was trying to use a single certificate, but i'd receive a 'not common name' error in google chrome when using the letsencrypt cert with my lan domain name. So to avoid the error, I created a new cert which is the same name as my local dns. Is this not necessary?

Zitat von luxflow

try your Server name : emby.mydomain.com emby.lan

Should I be writing this in extra options in nginx? Do you have the actual code (just so that I avoid any typos!)

Thanks

luxflow · 20. Januar 2017

Zitat von RS1

Should I be writing this in extra options in nginx? Do you have the actual code (just so that I avoid any typos!)

yeah omv-nginx option no extra option there is field named `server name`

but... if you get error 'not common name' after adding letsencrypt to trusted cert
just use self signed cert and two configuration per service

RS1 · 20. Januar 2017

Brilliant! So if I'm understanding your feedback correctly, I'm good to go right? The only issue that I have is that I'm slightly inefficient with two configs per service. But otherwise, ok..

luxflow · 20. Januar 2017

other things are good
no performance issue

RS1 · 20. Januar 2017

That's great ma man, thank you for the help!

Jetzt mitmachen!