Lighttpd reverse proxy Topic is solved

Have some feedback, questions, suggestions, or just fancy a chat? Pop it in here.
Post Reply
Deathbeard

Lighttpd reverse proxy

Post by Deathbeard »

So I am extremely new to the entire world of Linux, Raspberry Pi's, webservers and whatnot but I have always loved messing around on computers and got a raspberry pi for my birthday so I am diving in :D

I was following a lot of the guides at http://www.htpcguides.com/ and am working on having plex and deluge be accessible by reverse proxy. I found your site after already configuring a split vpn (so I can access the pi remotely while still downloading torrents safely) described on the site. They suggest using a reverse proxy to keep things secure so I decided to use lighttpd instead of nginx as my webserver as only my wife and I will ever be accessing the webserver and lighttpd seems to fit better if I won't be having a lot of traffic. The setup of the server and using let's encrypt was a breeze thanks to dietpi (I am so thankful I found this place).

The problem I run into now is enabling the modules and editing the lighttpd.conf file in order to set up the reverse proxy. I have found people online saying that they have setup lighttpd as a reverse proxy and I tried to make it work on something simple (just plex in this example) based off of htpc's guide here http://www.htpcguides.com/configure-ple ... inx-linux/ but I'm lost. I don't know how to enable mods and I don't know enough to translate the instructions from working with nginx to working with lighttpd.

Ideally I would love to enable the auth.conf for lighttpd (to secure entry into the webserver) and then have it set up so https//:mydynamicdns/plex would go to plex and https//:dynamicdns/deluge would bring up the deluge web ui. Does anyone have any experience with this or should I just start over with nginx as my webserver?
Zone

Re: Lighttpd reverse proxy

Post by Zone »

When it comes to Web servers I'm a little bit of a Noob. I am much in the same boat. It would be neat with Dietpi to have a reverse proxy configuration for Dietpi software that web facing a service.

I'm in the middle of trying to figure out how to set up reverse proxies as well. Unfortunately I might have to use Apache as let's encrypt with Dietpi does not work with nginx.
User avatar
johnvick
Legend
Posts: 693
Joined: Wed Jun 08, 2016 11:53 am
Location: New Zealand

Re: Lighttpd reverse proxy

Post by johnvick »

As a beginner you have taken on a difficult project - I know as I spent hours doing what you are doing. Here is a link to my solution:

https://forum.htpcguides.com/Thread-Pi- ... xy#pid4100
User avatar
k-plan
Posts: 416
Joined: Sun Feb 28, 2016 5:28 pm

Re: Lighttpd reverse proxy

Post by k-plan »

Hmmm ...

what is the target of this action? What do you like to have?

- a Reverse proxy

- a TLS termination proxy

- or a password protection for different Web-Server directory like .htaccess/mod-rewrite on Apache or nginx Web-Server?
If you find our project or support useful, then we’d really appreciate it if you’d consider contributing to the project however you can.
Donating is the easiest – you can use PayPal and Bitcoin.
Gigabit
Posts: 27
Joined: Fri Dec 23, 2016 6:28 pm

Re: Lighttpd reverse proxy

Post by Gigabit »

k-plan wrote:Hmmm ...

what is the target of this action? What do you like to have?

- a Reverse proxy

- a TLS termination proxy

- or a password protection for different Web-Server directory like .htaccess/mod-rewrite on Apache or nginx Web-Server?

From my understanding you can have a reverse proxy that performs TLS_termination as well.

I would like to have the reverse proxy for all web facing applications. While all applications will be behind a reverse proxy those that support https would maintain an end to end encryption. That means there would be assigned certificate through 'let's encrypt' from the proxy to clients. Most likely from the proxy to the server would be a self signed certificate. For any other application that doesn't support https the traffic from the proxy to Web server would be unencrypted.

Unrelated password protection for all services that don't support authentication such as Node-RED and so on that and in general might want to be accessible from the web.

I really do love dietpi and hope to see integrate best practice security measures as a matter of default. For now I hope to figure out measures that are back end in independent that could be used to that goal.

I see there's some Githubs tickets that have been opened up related to these two issues of reverse proxies and password protecting Web server directories.
Zone

Re: Lighttpd reverse proxy

Post by Zone »

I'm all for improved security by default. Although I imagine that it might take a while to Implement.

Meanwhile...
Gigabit, if you don't mind helping out a noob could talk over Skype or something like that?
Gigabit
Posts: 27
Joined: Fri Dec 23, 2016 6:28 pm

Re: Lighttpd reverse proxy

Post by Gigabit »

Deathbeard wrote:I don't know enough to translate the instructions from working with nginx to working with lighttpd.

Ideally I would love to enable the auth.conf for lighttpd (to secure entry into the webserver) and then have it set up so https//:mydynamicdns/plex would go to plex and https//:dynamicdns/deluge would bring up the deluge web ui. Does anyone have any experience with this or should I just start over with nginx as my webserver?
This resource was on the GitHub page issues/664

That might help you translate between different Web servers. As for locking down password-protected web directories this guide seems informative for lighttpd.

@Zone
Perhaps once my setup is complete we can talk. It just makes more sense to share working examples especially when they're tied to specific web servers.
Deathbeard

Re: Lighttpd reverse proxy

Post by Deathbeard »

Hope that everyone had a merry Christmas.


@johnvick I did come across your solution a few days ago but noted that you had said that you could not do it on a port by port basis. Have you had any luck since then for coming up with a solution?

@k-plan I am not 100% sure of all the differences between all your listed options as I'm still a bit new to all this but I think @Gigabit has the right idea. I have the lighttpd webpage up and secured with let's encrypt. Now I just want to be able to have a password for the site and the web apps accessible through the page.

Once I get home I will try to follow some of the guides everyone posted and let you know if I can figure out anything. Hopefully between all of us we can make something work. Thanks for all the responses.
Deathbeard

Re: Lighttpd reverse proxy

Post by Deathbeard »

So I went and restarted my build and have everything ready except for the webserver now as I am on the fence on whether to go with Nginx or LIghttpd. I am starting to lean towards nginx just because it seems like more people use it and it is easier to find resources for even if it is not as lite as lighttpd. I am bummed that let's encrypt doesn't work on nginx at the moment as I would probably try it out now if it were automated.

In my hunting I did find a article that I think will help with lighttpd http://www.makerdyne.com/blog/tag/lighttpd/.
It looks like he was able to get transmission to work without taking up the whole domain therefore leaving room for reverse proxies to multiple programs (i.e. plex, sickrage). Once I get a chance I may try and make it work.

As a side question can you make multiple backups with dietpi-backup if you use another usb? It would be nice to have my normal build and an experimental one so I can mess around and save my progress as I go when something works instead of trying to do it all in one go or having a broken build that I need to completely start over.
User avatar
johnvick
Legend
Posts: 693
Joined: Wed Jun 08, 2016 11:53 am
Location: New Zealand

Re: Lighttpd reverse proxy

Post by johnvick »

Deathbeard wrote:Hope that everyone had a merry Christmas.


@johnvick I did come across your solution a few days ago but noted that you had said that you could not do it on a port by port basis. Have you had any luck since then for coming up with a solution?
I didn't take it any further as I decided a better solution was to have a separate machine with all its traffic going through a VPN and another regularly connected machine for other stuff.
Post Reply