Questions about nginx with Certbot setup for small website?

Hi,

I have a couple of local services running (e.g. AdGuard Home, Wireguard, Unbound) and a small static website. The latter I plan to open up to the world wide web.
I’ve set it up with nginx, Certbot, and a custom domain.

One question I have is, if I only plan to serve it over https, should I only open port 443 or also 80 on my router?

A problem I encountered is that now that the nginx config of the site has been blessed by a Let’s Encrypt certificate, I can’t access the site locally anymore, meaning with the local IP address (e.g. 192.178.168.18) over port 80. I need to prefix it with https:// which is annoying!
Can I somehow allow the site to be accessed unencrypted from the home network?

Thanks.

Can I somehow allow the site to be accessed unencrypted from the home network?

You could enable redirecting http to https in nginx, which will work inside your LAN, because nothing is blocking port 80 there. But when you try to reach the website from the internet, it’s only accessible via https, because redirecting won’t work with the blocked port 80.
The problem now is that https won’t work because you try to reach it via an IP and not a domain. You can set up a local DNS record for your domain, pointing to the LAN IP of your server. Whenever you now request the domain from inside your LAN, the request will never leave your LAN, so port 80 is not blocked and the http redirect works from inside the LAN but not from the internet.

I’m not familiar with nginx, so I can’t help you to config the redirect.
And I’m sure there is a feature in AdGuard to set up a local DNS record.

2 Likes

Yes, you need to open ports 80 and 443 from the internet. Otherwise your certificate can’t be renewed if required, because certbot is going to verify your domain on port 80. There is a checkbox in the certbot GUI to force redirect from http to https. From inside the local network, it should be possible to access your web site using your DDNS record as well.

2 Likes

OK, noted. So it’s going to connect from the Let’s Encrypt server to my Raspberry Pi over port 80 when renewing a certificate?

Yes, I believe I had chosen that option, but I did the setup via a terminal.
It redirects external http calls to https, but not local network ones.

I have a static external IP.

I believe I did that while setting it up, but it only seems to work for external calls from the internet, not local ones.

That must be it.

I’ll try that. Thanks.

Did you try to open your website using the DDNS within your network? Maybe it’s working already and you don’t need to create a local DNS record.

Yes

If I’m not mistaken, the redirect is working for the domain only. Would need to do some testing.

It only works with the domain and https, which is great. However, when I try reaching the website with internal (192.168.178.18) or external, static IP address, I’m redirected to nginx 404 not found. The domain obviously points to the external IP address. But nginx and certbot are only setup for the domain.

I simply want the site to be accessible from the local network without https.

If the DDNS is working from internal as well as from external, why still use the IP address? :slight_smile:

But getting an http error 404 means page not found. This would indicate that you are reaching the web server but somehow the requested page could not be displayed. Did you set up any configuration in addition?

No, just the one for both the domain and www.domain. Should I do a separate nginx config to reach the website from the local network?

Edit:
I tried to make a second nginx config for the local access to the website, but nginx complains about more than one default_server 0.0.0.0:80.

Don’t do this. This is not needed.


OK, found it. It’s a setting of certbot to prevent access to the site without https using the IP address or a different domain.

Have a look at /etc/nginx/sites-available/default. At the bottom, you have a section defining what happens on port 80. It is set to return 404 :wink:

1 Like

OK.

Yes, I’ve noticed here:

server {
  if ($host = www.domain.net) {
    return 301 https://$host$request_uri;
  }  # managed by Certbot

  if ($host = domain.net) {
    return 301 https://$host$request_uri;
  }  # managed by Certbot

  listen 80 default_server;
  listen [::]:80 default_server;

  server_name domain.net www.domain.net;
  return 404;  # managed by Certbot  <---- HERE
}

How shall I proceed? :slight_smile:

Personally, I would keep it as is and access the web site using the IP address. It’s some kind of security feature to ensure access to your web site on a valid domain only, and not via someone who doesn’t know the domain but is trying to access it just by scanning IP addresses on an open port 80. Or is there a strict need to access the site using the IP?

1 Like
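As an added example that is not part of this thread (and not Certbot’s own output): one way to keep the behaviour Certbot configured for the public hostnames (301 to https, 404 for anything reaching port 80 by IP or an unknown name) while still serving the site unencrypted to clients inside the home network. It also covers the earlier point that the http-to-https redirect keeps working from inside the LAN once the domain resolves to the local IP. The LAN range 192.168.178.0/24, the hostnames domain.net / www.domain.net and the document root /var/www/domain.net are assumptions; adjust them to your setup. This is a replacement for the port-80 server block in /etc/nginx/sites-available/default, placed in the same file.

```nginx
# Added example, not from the thread or from Certbot.
# Assumptions: LAN is 192.168.178.0/24, site root is /var/www/domain.net.

# geo maps the client address to a flag: 1 for LAN (or localhost) clients,
# 0 for everyone else. It must sit at http level, which sites-enabled
# files are included into, so it can live at the top of this file.
geo $lan_client {
    default          0;
    192.168.178.0/24 1;
    127.0.0.1        1;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name domain.net www.domain.net;

    # Public hostnames keep redirecting to https, as Certbot set up.
    # Inside the LAN this also works once a local DNS record points the
    # domain at the server's LAN IP, because nothing blocks port 80 there.
    if ($host = www.domain.net) {
        return 301 https://$host$request_uri;
    }
    if ($host = domain.net) {
        return 301 https://$host$request_uri;
    }

    # Anyone outside the LAN who hit port 80 by IP or an unknown hostname
    # (for example a scanner on the public address) still gets the 404
    # that Certbot configured.
    if ($lan_client = 0) {
        return 404;
    }

    # Only LAN clients get past this point: serve the static site over
    # plain http when reached by the local IP (e.g. http://192.168.178.18/).
    root  /var/www/domain.net;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After editing, run `nginx -t` and then reload nginx. To check the three cases: from a LAN machine `curl -sI http://192.168.178.18/` should answer 200, `curl -sI http://domain.net/` should answer 301 with a `Location: https://...` header, and from outside the LAN `curl -sI http://<public IP>/` should answer 404. Note that the redirect lines carry Certbot’s `# managed by Certbot` markers in the original file; keeping the two redirect `if` blocks unchanged means a later `certbot` run still finds what it expects, but it is worth re-checking the file after the next renewal.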

You’re most certainly right, however I don’t like that people will get a 404 page, when they go to the local IP of the server.

You’re most certainly right, however I don’t like that people will get a 404 page, when they go to the local IP of the server.
But people are unable to connect via the local IP, when they connect from the internet via your domain.

Still the question: why not use the domain name from the internal local network? Is there a strict need to use the local IP?

No, but up to now they were used to that and now they’ll end up at a 404 page.

@Jappe I’m talking about people here that are connected to the local network.

Life is changing :wink:

I’m not an nginx expert and I don’t know if the following is a good solution, but if you’d like to redirect all traffic from http to https, no matter where it is coming from, you could try replacing the server block with:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

Tell that to folks around here. :wink:

Thank you. I’ll try that!