lubavb
January 18, 2024, 2:48pm
1
Hello, I want to hide the admin panel behind Nginx on port 8443, but this scheme does not work. I receive a non-working page on port 443, but I can access the admin console via https://mydomain.com:8443
The directive was indicated in different wayshttps://127.0.0.1:8443 ;http://127.0.0.1:8443 ;https://mydomain8443 ;https://127.0.0.1:8443 ;http://127.0.0.1:8443 ;https://192.168.2.76:8443 ;
pritunl set app.reverse_proxy true, pritunl set app.server_ssl false then pritunl set app.server_port 8443
For example conf which nginx:
root /usr/share/pritunl/www;
server_name mydomain.com;
location / {
return 301 https://$host$request_uri;
}
}
server {mydomain.com ;https://mydomain:8443 ;
#this is the maximum upload size
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
proxy_request_buffering off; # Required for HTTP CLI commands
proxy_set_header Connection ""; # Clear for keepalive
}
This is what the page looks like on port 443 via Nginx
thanks.
zach
January 19, 2024, 12:31am
2
It’s likely one of the header modifications is preventing the page from rendering correctly. Open Chrome Developer Tools to check for errors.
You are also mixing HTTP and HTTPS configurations. The nginx server can be configured to forward to HTTPS. Run the commands below to configure the Pritunl server to use SSL.
sudo pritunl set app.reverse_proxy true
sudo pritunl set app.redirect_server false
sudo pritunl set app.server_ssl true
sudo pritunl set app.server_port 8443
Below is an nginx configuration, replace demo.pritunl.com and 123.123.123.123. If the configuration is copied the \$ escaping for the tee command needs to be removed and replaced with $.
sudo openssl req -x509 -nodes -days 18250 -newkey rsa:2048 -keyout /etc/nginx/ssl/notfound.key -out /etc/nginx/ssl/notfound.crt
sudo tee /etc/nginx/nginx.conf << EOF
user nginx;
worker_processes auto;
worker_cpu_affinity auto;
worker_rlimit_nofile 400000;
pcre_jit on;
events {
worker_connections 20000;
multi_accept on;
use epoll;
}
http {
server_tokens off;
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
access_log off;
client_header_timeout 45;
client_body_timeout 45;
keepalive_timeout 65;
connection_pool_size 1024;
request_pool_size 8k;
client_header_buffer_size 2k;
client_body_buffer_size 32k;
server_names_hash_bucket_size 512;
server_names_hash_max_size 1024;
types_hash_max_size 2048;
server {
listen 80;
listen [::]:80;
server_name _;
return 404;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/notfound.crt;
ssl_certificate_key /etc/nginx/ssl/notfound.key;
server_name _;
return 404;
}
include /etc/nginx/conf.d/*.conf;
}
EOF
sudo tee /etc/nginx/conf.d/pritunl-vpn.conf << EOF
upstream pritunl-vpn {
server 123.123.123.123:8443;
}
server {
listen 80;
listen [::]:80;
root /usr/share/nginx/html;
server_name demo.pritunl.com;
location / {
return 301 https://demo.pritunl.com\$request_uri;
}
}
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/nginx/ssl/demo.pritunl.com.crt;
ssl_certificate_key /etc/nginx/ssl/demo.pritunl.com.key;
server_name demo.pritunl.com;
location / {
proxy_pass https://pritunl-vpn;
proxy_ssl_verify off;
proxy_set_header Host \$http_host;
proxy_set_header X-Forwarded-For \$remote_addr;
proxy_set_header X-Real-IP \$remote_addr;
}
}
EOF
The certificate paths above will need to either use the certbot script below or another certificate configured at that path.
sudo dnf -y install certbot
sudo tee /etc/systemd/system/certbot.target << EOF
[Unit]
Description=Cerbot target
StopWhenUnneeded=yes
EOF
sudo tee /etc/systemd/system/certbot.timer << EOF
[Unit]
Description=Cerbot timer
[Timer]
OnCalendar=*-*-* 8:00:00
Unit=certbot.target
[Install]
WantedBy=basic.target
EOF
sudo tee /etc/systemd/system/certbot.service << EOF
[Unit]
Description=Cerbot
Wants=certbot.timer
[Service]
ExecStart=/usr/bin/certbot-nginx
[Install]
WantedBy=certbot.target
EOF
sudo tee /usr/bin/certbot-nginx << EOF
#!/bin/bash
getcert () {
echo "Getting certificate email=\$1 domain=\$2"
/usr/bin/certbot --webroot --agree-tos --non-interactive --webroot-path /usr/share/nginx/html --preferred-challenges http --email \$1 -d \$2 certonly
/usr/bin/cp -f /etc/letsencrypt/live/\$2/fullchain.pem /etc/nginx/ssl/\$2.crt
/usr/bin/chown nginx:nginx /etc/nginx/ssl/\$2.crt
/usr/bin/cp -f /etc/letsencrypt/live/\$2/privkey.pem /etc/nginx/ssl/\$2.key
/usr/bin/chown nginx:nginx /etc/nginx/ssl/\$2.key
}
getcert "contact@pritunl.com" "demo.pritunl.net"
/usr/bin/chown -R nginx:nginx /etc/nginx/ssl
/usr/bin/chmod 600 /etc/nginx/ssl/*
/usr/sbin/restorecon -R -v /etc/nginx
/usr/bin/systemctl reload nginx
EOF
sudo chmod +x /usr/bin/certbot-nginx
Generate the initial certificate and start the server.
sudo /usr/bin/certbot-nginx
sudo systemctl daemon-reload
sudo systemctl enable certbot.service
sudo systemctl enable certbot.timer
sudo systemctl start certbot.timer
sudo systemctl restart nginx
sudo systemctl enable nginx
lubavb
January 22, 2024, 1:15pm
3
Your change didn’t help me, the page didn’t open either, but after reading the errors from the browser console, I was inspired to think that it wouldn’t be a bad idea to have it statically look at the directory and here’s the working server config via nginx. I’ll share it here so as not to waste time.
server {vpn.demo.com ;
location / {
return 301 https://vpn.demo.com$request_uri;
}
}
server {vpn.demo.com ;
location / {
proxy_pass https://127.0.0.1:8443;
proxy_ssl_verify off;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_max_temp_file_size 0;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block" always;
}
location /css {
location /js {
alias /usr/share/pritunl/www/js;
}
location /fonts {
