Other Services with LetsEncrypt

Parkour_Lama · 2 July 2021 17:07

Hello,
I recently installed a Letsencrypt certificate using dietpi-letsencrypt for my Nextcloud instance (installed bare metal).
The certificate works great on Nextcloud, put that’s all that’s covered.

The thing is, I also have deluge-web, jackett, etc. (from dietpi-software) on different ports that still use my self-signed certificate.
Now, I’ve tried to make each one of them use said certificate, but that isn’t working out.

If I’m able to do some like Nextcloud, forward [domain name]/nextcloud to [domain name]:port number(443) for all of them, that would encrypt all my traffic, while simultaneously making it much easier to manage correct?
i.e. [domain name]/deluge → [domain name]:8112
The question is, while it’s possible, how do I do it?

I’m on an apache2 web-sever, can anyone please provide any inputs or guide me to the correct articles that explain this?

Joulinar · 2 July 2021 17:10

Hi,

usually you can use apache as revers proxy. There is a small config section how to do it for a couple of web server on deluge wiki https://dev.deluge-torrent.org/wiki/UserGuide/WebUI/ReverseProxy

Parkour_Lama · 2 July 2021 18:26

As you say, many thanks, that did indeed solve my problem, I’ll assume it’s that exact same process with the rest.

Joulinar · 3 July 2021 10:11

yes in theory it should work same. Some application provider offer configuration example’s for their software. Just use Google or any other searching engine and search for revers proxy + app name.

if you like, could you share your Apache config file? it might be interesting for other as well. Just mask personal data if available.

Parkour_Lama · 4 July 2021 06:48

For sure

My apache2.conf file looks like this:

#Deluge-web:
ProxyPass /deluge http://localhost:8112/

<Location /deluge>
    ProxyPassReverse /
    ProxyPassReverseCookiePath / /deluge
    RequestHeader set X-Deluge-Base "/deluge/"
    Order allow,deny
    Allow from all
</Location>
#/Deluge-web

#Monit:
ProxyPass /monit http://localhost:2812/

<Location /monit>
    ProxyPassReverse /
    ProxyPassReverseCookiePath / /monit
    RequestHeader set X-Monit-Base "/monit/"
    Order allow,deny
    Allow from all
</Location>
#/Monit

#MineOS:
<Location /mineos/>
    ProxyPreserveHost On
    RequestHeader set X-Jackett-Base "/mineos/"
    ProxyPass http://127.0.0.1:8443/
    ProxyPassReverse /
</Location>
#/MineOS

#Jackett:
<Location /jackett/>
    ProxyPreserveHost On
    RequestHeader set X-Jackett-Base "/jackett/"
    ProxyPass http://127.0.0.1:9117/
    ProxyPassReverse /
</Location>
#/Jackett

Notes:

For this method to work, the server must be accessible from http:localhost:[port number] beforehand, not https.
Some services like Jackett, and MineOS require the extra backslash in the Location header in the .conf file, as well as the URL.
i.e. deluge-web can be accessed by using [Domain].com/deluge, but Jackett needs [Domain].com/jackett/

Joulinar · 4 July 2021 06:54

Still working on jackett, it appears to be a bit different from the others

Jackett has a demo configuration on their GitHub Reverse Proxy · Jackett/Jackett Wiki · GitHub

Did you checked that already?

Note for Monit: I’ve had to completely disable SSL, as that would keep interfering with the proxy

You mean on Monit application directly?

Parkour_Lama · 4 July 2021 07:01

Yep, I took a look and that, and the deluge config. Neither seem to work for jackett, due to URL issues, I’ve opened an issue for it, hopefully it’ll be resolved.
I’ll of course update the above once I have a working solution.

You mean on Monit application directly?

Yes, bascially I’ve just had to comment out:

#     with ssl {           
#         pemfile: /etc/apache2/ssl/certs/monit.pem
#         selfsigned: allow
#     }

under the login credentials in the monitrc file. That does remove the option to use https on my local network, but since everything is secured behind the LetsEncrypt certificate, it doesn’t seem to be too much of an issue.

Joulinar · 5 July 2021 08:30

but since everything is secured behind the LetsEncrypt certificate, it doesn’t seem to be too much of an issue.

Fully correct. For incoming internet traffic, SSL termination is done on the revers proxy (Apache). There is no need to use HTTPS/SSL inside your local network.

There is an important hint for Jackett on top of the GitHub page. Just asking, did you set Base URL correctly?

Parkour_Lama · 5 July 2021 16:56

Yep, Base URL, Jackett Config, and Proxy Configuration, I’ve tried changing around bits and pieces of everything, but to no avail except the above.

I’m adding the jackett issue https://github.com/Jackett/Jackett/issues/11983 if you’re curious, but the TL:DR is the same.

Joulinar · 5 July 2021 22:03

I see the issue closed. Is it working now?

Parkour_Lama · 6 July 2021 15:15

With the modification I’ve stated? Yes it works.

I’m pretty sure it’s not the proper way to do it, but unfortunately I don’t have enough knowledge about Apache do be able to figure that out, so this stopgap will be used until a more suitable solution arises.

Joulinar · 6 July 2021 23:21

as long as it is working you should be fine

Parkour_Lama · 9 July 2021 05:29

Words to live by

P.S. Is it just me, or are the emojis much better now?

Joulinar · 9 July 2021 08:35

for me emojis seems to be same as before.