Other Services with LetsEncrypt

Parkour_Lama · July 2, 2021, 5:07pm

Hello,
I recently installed a Letsencrypt certificate using dietpi-letsencrypt for my Nextcloud instance (installed bare metal).
The certificate works great on Nextcloud, put that’s all that’s covered.

The thing is, I also have deluge-web, jackett, etc. (from dietpi-software) on different ports that still use my self-signed certificate.
Now, I’ve tried to make each one of them use said certificate, but that isn’t working out.

If I’m able to do some like Nextcloud, forward [domain name]/nextcloud to [domain name]:port number(443) for all of them, that would encrypt all my traffic, while simultaneously making it much easier to manage correct?
i.e. [domain name]/deluge → [domain name]:8112
The question is, while it’s possible, how do I do it?

I’m on an apache2 web-sever, can anyone please provide any inputs or guide me to the correct articles that explain this?

Joulinar · July 2, 2021, 5:10pm

Hi,

usually you can use apache as revers proxy. There is a small config section how to do it for a couple of web server on deluge wiki https://dev.deluge-torrent.org/wiki/UserGuide/WebUI/ReverseProxy

Parkour_Lama · July 2, 2021, 6:26pm

As you say, many thanks, that did indeed solve my problem, I’ll assume it’s that exact same process with the rest.

Joulinar · July 3, 2021, 10:11am

yes in theory it should work same. Some application provider offer configuration example’s for their software. Just use Google or any other searching engine and search for revers proxy + app name.

if you like, could you share your Apache config file? it might be interesting for other as well. Just mask personal data if available.

Parkour_Lama · July 4, 2021, 6:48am

For sure

My apache2.conf file looks like this:

#Deluge-web:
ProxyPass /deluge http://localhost:8112/

<Location /deluge>
    ProxyPassReverse /
    ProxyPassReverseCookiePath / /deluge
    RequestHeader set X-Deluge-Base "/deluge/"
    Order allow,deny
    Allow from all
</Location>
#/Deluge-web

#Monit:
ProxyPass /monit http://localhost:2812/

<Location /monit>
    ProxyPassReverse /
    ProxyPassReverseCookiePath / /monit
    RequestHeader set X-Monit-Base "/monit/"
    Order allow,deny
    Allow from all
</Location>
#/Monit

#MineOS:
<Location /mineos/>
    ProxyPreserveHost On
    RequestHeader set X-Jackett-Base "/mineos/"
    ProxyPass http://127.0.0.1:8443/
    ProxyPassReverse /
</Location>
#/MineOS

#Jackett:
<Location /jackett/>
    ProxyPreserveHost On
    RequestHeader set X-Jackett-Base "/jackett/"
    ProxyPass http://127.0.0.1:9117/
    ProxyPassReverse /
</Location>
#/Jackett

Notes:

For this method to work, the server must be accessible from http:localhost:[port number] beforehand, not https.
Some services like Jackett, and MineOS require the extra backslash in the Location header in the .conf file, as well as the URL.
i.e. deluge-web can be accessed by using [Domain].com/deluge, but Jackett needs [Domain].com/jackett/

Joulinar · July 4, 2021, 6:54am

Still working on jackett, it appears to be a bit different from the others

Jackett has a demo configuration on their GitHub https://github.com/Jackett/Jackett/wiki/Reverse-Proxy

Did you checked that already?

Note for Monit: I’ve had to completely disable SSL, as that would keep interfering with the proxy

You mean on Monit application directly?

Parkour_Lama · July 4, 2021, 7:01am

Yep, I took a look and that, and the deluge config. Neither seem to work for jackett, due to URL issues, I’ve opened an issue for it, hopefully it’ll be resolved.
I’ll of course update the above once I have a working solution.

You mean on Monit application directly?

Yes, bascially I’ve just had to comment out:

#     with ssl {           
#         pemfile: /etc/apache2/ssl/certs/monit.pem
#         selfsigned: allow
#     }

under the login credentials in the monitrc file. That does remove the option to use https on my local network, but since everything is secured behind the LetsEncrypt certificate, it doesn’t seem to be too much of an issue.

Joulinar · July 5, 2021, 8:30am

but since everything is secured behind the LetsEncrypt certificate, it doesn’t seem to be too much of an issue.

Fully correct. For incoming internet traffic, SSL termination is done on the revers proxy (Apache). There is no need to use HTTPS/SSL inside your local network.

There is an important hint for Jackett on top of the GitHub page. Just asking, did you set Base URL correctly?

Parkour_Lama · July 5, 2021, 4:56pm

Yep, Base URL, Jackett Config, and Proxy Configuration, I’ve tried changing around bits and pieces of everything, but to no avail except the above.

I’m adding the jackett issue https://github.com/Jackett/Jackett/issues/11983 if you’re curious, but the TL:DR is the same.

Joulinar · July 5, 2021, 10:03pm

I see the issue closed. Is it working now?

Parkour_Lama · July 6, 2021, 3:15pm

With the modification I’ve stated? Yes it works.

I’m pretty sure it’s not the proper way to do it, but unfortunately I don’t have enough knowledge about Apache do be able to figure that out, so this stopgap will be used until a more suitable solution arises.

Joulinar · July 6, 2021, 11:21pm

as long as it is working you should be fine

Parkour_Lama · July 9, 2021, 5:29am

Words to live by

P.S. Is it just me, or are the emojis much better now?

Joulinar · July 9, 2021, 8:35am

for me emojis seems to be same as before.