Well, looks like I’ll be away longer than I thought. Sadly the new home only offers a 15 GFI circuit breaker that is shared with the media room next to me. Between my gaming PC, basic networking equipment, ceiling fans, TV’s and sound bar plus lighting when I attempt to run my Ryzen server only I trip the breaker within 10 min of light load applications.
So, as the wife is not understanding at the moment, I cant get the funds to upgrade the wiring or get a dedicated 20amp drop, and there is no ethernet through the home to place a server else where I guess this is the end of me here for a while so I can give ya all a break from my less informed questions. lol
It’s been really fun. I appreciate all of you in this community. Hope the best for you all. Hopefully I will be back sometime in the future, till then I’ll be reading and doing what I can locally. o7
Well, it finally came… I got approval for getting an estimate for electrical work… woot woot!!! I have been tinkering with pihole and opnsense along with unbound. I have it slightly different than @PhaseLockedLoop… I run unbound on my pi with pihole and have it refer to internal net for access to unbound. I configured unbound and tested it in cli for dnssec. I dunno if that’s appropriate but it works.
I am beginning to follow this thread. Bookmarking now. My goal is to be able to exclude speicific ips on my lan from wireguard and whitelist only specific devices. I am using opnsense firewall to the internet, and have various devices on my network. My goal is by ip to route either through wireguard or to not route through wireguard.
Once I get electrical sorted, I’ll be able to finally be able to follow that plan I mapped out lol.
Next goal I think is learning my cisco switch to isolate VLANs inside the switch to certain ports. I’m currently just using the ports on the protectili directly to wifi AP’s. Hey, it works. Also, fun fact, that ASUS RT-AX92U works flawlessly as an AP mesh node. It still uses all the tools to optimize signal and connectivity without anything that messes with DHCP and other services from the firewall. Nice piece of gear. I’ll have to get to you on wifi bands to avoid being close to the airport sometime.
Yeah, @PhaseLockedLoop it’s a amazing write up. Honestly… it’s like going to a class on the subject. You did a amazing job sir, I hope it is as appreciated by others as it is by myself. If I was more involved in other avenues of internet social media I would for sure share it, BUT the level of this community is by far the best I’ve seen on the web in my searches (and I have ALOT of time on my hands at home all day LOL)
That was the intent. I am slowly evolving the way I write these to be a sort of flipped classroom deal. You get all the material and instructions and answers; then you ask questions and have them answered amongst yourselves. I think it will foster learning better. Time will tell. I love your threads because I draw inspiration from them. I cannot nearly draw the concept out like you have. You have a great deal more patience than I do on that front.
Yeah, I have a habbit of not just wanting to know “how” but the “WHY” and the concepts. I’m also a complete novice, so I can provide feed back in that way for people more involved daily who have some of that knowledge by default. I also have pages and pages of Notepad logs of every command I have done, tested, reverted, and explored along with the sources (IE web pages etc).
I try really hard to flush out what I want to do, why, and how it fits together.
The thing I love about your posts is it’s a “bridge” for me between the online manuals and documentation and the lay person.
I can ADD a lot, but its at least documented so I don’t lose my place lol (a good example I’m looking at VLAN manuals for Cisco, and Suricata on my OPNsense firewall…lol)
I was a mechanic for a long time, but then also in the military I read a ton of tech manuals, UCMJ, and FM’s (Field Manuals). Electrical diagrams totally make sense to me lol. To some its spaghetti lol
The NCO training is very focused on training and finding resources to answer questions so it kind of translates.
Dad always wanted me to be a engineer…lol I used to do amazing things with legos when I was small, I broke down my motorcycle and rebuilt it at 10…lol Just because.
Sorry I missed your post before. I was away from PC a bit dealing with some RL stuffs. Still a lot going on with move and settling in, but I can try to help.
My Pi-hole was a bit different. I had it installed on a Raspberry PI, then I installed unbound on the same device. I dunno if I could have helped. I did find a good post that had worked for me but I dont know if it would translate for you.
Well as I move to more headaches and head scratchers… I decided I wanted to try a reverse proxy and implement HTTPS in my network. I’m currently deciding where to run the Nginx instance… On my Pi-hole, On my protectili running opnsense? On a VM on my 24/7 server? Im currently looking over this article Reverse proxy with https without opening ports and guides by @PhaseLockedLoop. I know this is excessive, but I want the experience. I’m hoping it will give me some experience with https for hosting a server in a DMZ which I am also researching because I do not have a Linode or proxy, though I do have a VPN service (PIA). I’m hoping I can implement it on one network, my primary network. Now that I think about it I need to do VLANs lol… oh well still good notes so far.
Well I managed to get an instance of Nginx up and running in a LXC container running docker using the “LinuxServer.io” image called “let’s encrypt” that is a Nginx instance that has the framework to handle https encryption and cert verification.
Steps- (basically)
1.) - Had a domain name I puchased via Namecheap (@PhaseLockedLoop Thank you)
2.) - Free account with DigitalOcean where I pointed my DNS for my Domain. I also changed the name servers of my domain.
3.) - I generated an API token in Digital Ocean (Copied to a notepad for later)
4.) - Next I made a dnsmasq entry in pi-hole via sudo nano /etc/dnsmasq.d/04-pihole-dns-reverse-proxy.conf
The entered address=/mydomainname.com/192.*.*.*(my nginx reverse proxy IP)
5.) - Next I created a docker-compose.yml with
OK… Now that this IS working I am having a bit of trouble figuring out how to use this proxy to connect to my local services via HTTPS. I THINK I need to create proxy config files. So my question is do I need to do this for each instance I want to connect with securely? Is there a way to use it with domains or include domains used by my DHCP server? I think I should be able to say type HSHS.haaztyletech.com and connect to that server, but instead I get that welcome page above… so I’m at a loss how to do this.
A little background here for networking I am using. I have a instance of OPNsense running as my firewall and DHCP server on my protectilli (thanks again @PhaseLockedLoop AND BIG THANKS to @ThatGuyB) with static connections to servers and important devices. I have Pi-hole and Unbound running on my Raspberry Pi 4 as a recursive DNS resolver. Are the settings I need to change in any of these services?
The folder in the nginx directory has a number of formats config/letsencrypt/nginx/proxy-confs but they are VERY hard to parse out.
Any resources to help understand these?
If this is too complicated I understand, This is more a theory testing for me than a necessity.
Also, side note… I have managed to become fairly proficient in my firewall rules to pass traffic between VLANS/subnets. Passing access to drives, servers and services limiting it down to even protocols, ports. I appreciate your help @ThatGuyB. It was a steep leaning curve and the more I mess with it the better I am getting. As long as I remember to hit “apply” then test the connection…lol that one had me fooled a few times disabling and re-enabling rules.
You are probably running Docker in Docker, not in LXC (unless you used the any of the lxc-* commands or lxc command from lxd - or, if you’re using docker in an LXC container inside proxmox, then never mind). LXC would have been easier for me to help you with, as I don’t know how nginx settings work inside docker.
Anyway, you have to find how to add vhosts (I think they are called server blocks in nginx) in docker. Probably likely to be through the docker-compose yaml file, but I could be wrong.
What you would do in a normal nginx install in a VM or LXC container would be to edit the nginx.conf file (usually under /etc/nginx and under the server blocks, add something like
So basically, by visiting https://yourdomain.tld/vaultwarden, the nginx reverse proxy would redirect it to your server hosting vaultwarden to port 8080 on your local network, so long as your nginx reverse proxy uses a local dns that can resolve the internal domain name (Pi-Hole or OPNSense Unbound). The encryption between the client and the reverse proxy would be encrypted, but the reverse proxy to the web server (last mile) will not. Encrypting the last mile is a bit overkill, but worth it in big companies, or when you seriously want to implement 0 trust on your network.
That’s how you’d normally do it, but I’m a docker pleb, so I don’t know how you’d set nginx in docker. It may be a bit different, it’s possible it may have an automated way through the docker-compose.
I don’t want to discourage you from using docker, just that I can’t help with that.
Ah no worries, I appreciate it. I’ll see if I can post some code I saw for examples of instances to port through nginx to see if I can get something like my opnsense, which despite my warnings from Kaspersky comes up as https (I selected it)…
Yes you had it right, proxmox → lxc debian image → docker → specialized nginx reverse proxy using let’s encrypt docker image.
I dunno if I could or should run the reverse proxy nginx on my firewall, or my pi… it doesn’t use a lot of resources. I’m not sure which is better from a security standpoint.
Yes I was trying to emulate zero trust… I didn’t realize the last bit wasn’t secured. Interesting I’ll have to look at it further.
I spent most the day trying to “repair” pihole… turns out the current version is bugged and you can’t flush logs or records… so I had a big mess trying to connect to the internet with opnsense pointing everything to pihole…lol there was much hilarity, but also learning that happened today lol
IMO, unless you have a special reason for using Docker, it’s easier to just run nginx over on the debian lxc directly. As long as it’s a non-privileged container, it should be fine.
You can run TLS on the last mile too. I’ve never managed it previously though. You would basically have your TLS certs over on your reverse proxy, then have other certificates running on your web server. The client / user connects to the reverse proxy using the certs for your public domain name on the reverse proxy, while the reverse proxy connects to the web server using the certificates for the internal network on the web server itself.
But managing TLS certificates will be an absolute PITA if you don’t automate certificate renewal. You could try using OPNSense as your Certificate Authority, it should come with a CA add-on by default. That could work for the internal stuff.
Lastly, to set up the last mile TLS, all you have to do is change proxy_pass from http to https and its designated port (assuming 443).
However, I’m not entirely sure it will work, due to cert on cert thing, it might not. I believe PLL did all the investigation for that, so you may ask him.
Yeah I reviewed it, but I’m trying to set up just internal https without an external proxy. I only have local assets at the moment so I have no linode to connect to.
It’s not a big deal this was mostly theory and experience. I’ve never used nginx, so the code is entirely foreign to me. I’ve been reading documentation, but the process of using my domain, API token from digital ocean, then certificate via cert bot i belive is used by the docker container to verify connections etc is still a bit foggy and not clear.
I get the theory it’s just the actual implementation on a different network setup from @PhaseLockedLoop. I’m attempting to get my head around. I’m also learning a lot more vocabulary and it’s proper use, so still an infant in that regard with the use of these tools.
I think instead of using a docker image for the purpose, I should build and code my own to get a better understanding of it. I just need to figure where to put the nginx instance so it won’t disturb other processes like the pi or opnsense. I also have proxmox I could do directly on too. I guess it’s not a big issue I can always mess with ports and such to not interfere with native processes.
I also am running unbound on pi, but I noticed opnsense has unbound built in. I assume I could run that and turn it into a recursive dns and point pi to it… I’m learning but it’s slow so far. I also have no idea of best practices so I am referencing the linux administrator handbook, but alot isn’t covered too well. I need to finish it cover to cover maybe to help myself out from stumbling around. I’m kind of peicemealing things and I need to have a definitive network layout, or diffrent testing environment that won’t mess with what I use day to day lol.
I almost didn’t have internet up before wife came home…lol that would have been crap show… I would have got a earful about making problems lol
Even internally, the connection from client to reverse proxy will be encrypted, but you have to set additional encryption between the reverse proxy and the web servers running, like say, Pi-Hole web GUI. So by that point, just running TLS certs straight on the clients may be an easier option. That way, all the traffic is encrypted top to bottom and you remove the administration of a reverse proxy. But that’s not to say reverse proxies aren’t cool to mess with.
I think it should work, but the process is a bit involved. You’re better off first learning how CAs work, so I suggest you do a local domain on your network (haastylecat.local being the domain and revprox.haastylecat.local being a subdomain for your reverse proxy - unless you already have one, which makes it easier then). Learn how to use the CA on OPNSense and generate certs there, then copy them over to say, Pi-Hole via SSH and have your Pi-Hole server run on certs generated by OPNSense CA. Then import your OPNSense CA cert on your device and trust it.
That way, you’ll get an understanding on how certbot works.
An LXC container on Proxmox is the lightest and fastest way. You won’t disturb anything by doing that.
I would say the other way around. Make the Pi-Hole a recursive DNS, it’s as easy as following PLL’s guide basically, then just have OPNSense be a DNS forwarder (like it is right now, by default). IMO it’s better to have less instead of more stuff, so I’d disable unbound on OPNSense and set the Pi-Hole as the primary DNS server for the entire network, but that’s just me. OPNSense is currently just a middleman, not doing much.
The what? lol. Never heard of that.
Now I guess why I didn’t.
^ This. You can make a whole virtual network inside Proxmox. Do an opnsense vm, do a lubuntu vm (client), do a lxc debian pi-hole, a lxc reverse proxy and idk, another few containers on different subnets, pretending they are iot devices or something. One for each should suffice. That way you can get a test environment to mess with.
You have vlans set on Proxmox, right? Create a few additional vlans on it, no need to add the vlans to the switch, as they should be restricted to inside proxmox only. Assign a new interface (bridge) for each. The opnsense VM should have an eth interface for each vlan and one to your main LAN (or put it in the untrusted vlan, doesn’t really matter, as long as it can access the internet and a DNS). Then, when you create new VMs and LXCs, assign them to the new vlans and pretend that’s your local network.
Well, you can assign one of the vlans to the switch and set a single port in mode-access on said vlan and have a physical machine, instead of a lubuntu VM, to test stuff inside your virtual network.The layer 2 route will be hilarious though, although it doesn’t matter that much (PC → switch vlan N+1 → proxmox → opnsense vm → proxmox → switch → opnsense router → internet and then back, kek).
