OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: Seimann on September 16, 2021, 04:57:41 pm

Title: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Seimann on September 16, 2021, 04:57:41 pm
Here a tutorial for Nginx Proxy hosted under OPNsense with Let's Encrypt certificate
Primarily tested for Plex / Emby / Jellyfin (or other services)
September 2021

Part 1 - WebGUI config

Go to System -> Settings -> Administration
TCP port: 8443 (change to what you want. don't use 80 or 443!)
HTTP Redirect: [X] Disable web GUI redirect rule (important!)
(https://i.postimg.cc/JG5xcmct/system01-settings.png) (https://postimg.cc/JG5xcmct)

Part 2 - Install plugins

Go to System -> Firmware -> Plugins
Install plugins:
os-nginx
os-acme-client

Part 3 - Create Let's Encrypt certificate

1. Go to Services -> ACME Client -> Settings -> Settings
Enable Plugin [X]
Auto Renewal [X]
HAProxy Integration [ ]
(https://i.postimg.cc/kB8n4YCn/acme01-settings.png) (https://postimg.cc/kB8n4YCn)

2. Go to Services -> ACME Client -> Settings -> Update Schedule
Minutes: 45
Hours: 5
Days of the week: 1
(https://i.postimg.cc/ThN9wQ9H/acme02-update.png) (https://postimg.cc/ThN9wQ9H)

3. Go to Services -> ACME Client -> Accounts
Create a new Account
Name: MyAccount (what you want)
E-Mail Address: my@mail.tld (your mail address)
ACME CA: Let's Encrypt [default]
(https://i.postimg.cc/QBqzn13G/acme03-account.png) (https://postimg.cc/QBqzn13G)

4. Go to Services -> ACME Client -> Automations
Create a new Automations
Name: Restart Nginx
Run Command: Restart Nginx (OPNsense plugin)
(https://i.postimg.cc/67zHhKrB/acme04-automation.png) (https://postimg.cc/67zHhKrB)

5. Go to Services -> ACME Client -> Challenge Types
Create a new Challenge Type
Name: MyChallenge
Challenge Type: HTTP-01
Or use "DNS-01" if you need DynDNS service
HTTP Service: OPNsense Web Service
IP Auto-Discovery [X]
Interface: WAN
(https://i.postimg.cc/n9xCVyWQ/acme05-challenge.png) (https://postimg.cc/n9xCVyWQ)

6. Go to Services -> ACME Client -> Certificates
Create a new Certificate
Enabled [X]
Common Name: emby.mydomain.com (change to your domain name!)
LE Account: MyAccount (select created name)
Challenge Type: MyChallenge (select created name)
Auto Renewal [X]
Key Length: ec-384
OCSP Must Staple: [ ]
Automations: Restart Nginx
(https://i.postimg.cc/dkvtCz2R/acme06-certificate.png) (https://postimg.cc/dkvtCz2R)

Now save and press the button "Issue or renew certificate", wait a minute and refresh the page
You see "Last ACME Status = OK"

Part 4 - Nginx config

1. Go to Services -> Nginx -> Configuration -> Upstream -> Upstream Server
Create a new Upstream Server
Description: Emby_Server (or what you want)
Server: 192.168.100.100 (change to the local IP of the server hosting Plex/Emby or your service)
Port: 8096 (change to the service port of Plex/Emby; the HTTP port is recommended, not the HTTPS port)
Server Priority: 1
(https://i.postimg.cc/tZjRQL7Z/nginx01-Upstream-Server.png) (https://postimg.cc/tZjRQL7Z)

2. Go to Services -> Nginx -> Configuration -> Upstream -> Upstream
Create a new Upstream
Description: Emby_Upstream (or what you want)
Server Entries: Emby_Server (select your Upstream-Server)
Load Balancing Algorithm: Weighted Round Robin
(https://i.postimg.cc/HJG7ZWDb/nginx02-Upstream.png) (https://postimg.cc/HJG7ZWDb)

3. Go to Services -> Nginx -> Configuration -> HTTP(S) -> Location
Create a new Location
enable "advanced mode"
Description: Emby_Location
URL Pattern: /
Learning Mode: [X] (don't ban IPs; activate if you want)
Upstream Servers: Emby_Upstream (select your Upstream)
(https://i.postimg.cc/Cz3jtsbZ/nginx03-Location1.png) (https://postimg.cc/Cz3jtsbZ)
Advanced Proxy Options
WebSocket Support [X]
Proxy Read Timeout: 3600
Proxy Send Timeout: 3600
Response Buffering [ ]
Request Buffering [ ]
Maximum Temporary File Size: 4096
(https://i.postimg.cc/K1NLpSfz/nginx04-Location2.png) (https://postimg.cc/K1NLpSfz)

4. Go to Services -> Nginx -> Configuration -> HTTP(S) -> Security Headers
Create a new Security Header
Description: EmbySecurityHeaders
Referrer: No Referrer
XSS Protection: Block
Don't Sniff Content Type [X]
Strict Transport Security: Time: 63072000
(https://i.postimg.cc/PN7kZCkf/nginx05-Security-Headers.png) (https://postimg.cc/PN7kZCkf)

5. Go to Services -> Nginx -> Configuration -> HTTP(S) -> HTTP Server
Create a new HTTP Server
enable "advanced mode"
Real IP Source: X-Forwarded-For
Server Name: emby.mydomain.com (change to your domain name!)
Locations: Emby_Location (select your Location)
Maximum Body Size: 200m
TLS Certificate: emby.mydomain.com (ACME Client) (select your created domain cert)
Client CA Certificate: R3 (ACME Client)
(https://i.postimg.cc/KRXxw1pq/nginx06-HTTPServer.png) (https://postimg.cc/KRXxw1pq)
Enable Let's Encrypt Plugin Support [X]
HTTPS Only [X]
Disable Bot Protection [X] (recommended for Plex/Emby/Jellyfin)
Advanced ACL Authentication Backend: none
Enable Sendfile [ ]
Security Header: EmbySecurityHeaders (select your Security Header)
(https://i.postimg.cc/RWSFp3Nr/nginx07-HTTPServer2.png) (https://postimg.cc/RWSFp3Nr)

6. Now go to Services -> Nginx -> Configuration -> General Settings
Enable nginx [X]

Part 5 - Firewall rules

1. Go to Firewall -> Aliases
Create a new Alias
Name: Webservice_Ports
Type: Port(s)
Content: 80, 443
(https://i.postimg.cc/14d2YbXy/fw01.png) (https://postimg.cc/14d2YbXy)

2. Go to Firewall -> Rules -> WAN
Create a new Rule
Action: Pass
Protocol: TCP
Source: any
Destination: WAN address
Destination port range: Webservice_Ports
Log: [X] Log packets that are handled by this rule (Logging access in FW protocol if you want)
Description: Allow Nginx-Proxy
(https://i.postimg.cc/wRzy6wTM/fw2.png) (https://postimg.cc/wRzy6wTM)

Finished!

1. Test your Site (Smartphone or other external internet connection)
2. If that works, test your certificate
Go to: https://www.ssllabs.com/ssltest/ (https://www.ssllabs.com/ssltest/)
and enter your domain. Wait until the test is finished.

Result: A+
(https://i.postimg.cc/dDSL1RQ5/SSLcert.png) (https://postimg.cc/dDSL1RQ5)

Ideas, questions or suggestions for changes? Please post them :)
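The two closing checks (test the site, then test the certificate) can be scripted. The following is an added example, not part of the original post: it verifies the response headers that Part 4 step 4 configures (Referrer-Policy no-referrer, X-XSS-Protection block, nosniff, HSTS with a 63072000-second max-age) and the HTTP-to-HTTPS redirect from step 5. Only the Python standard library is used; the sample headers are constructed to match the tutorial, and the hostname on the command line is the tutorial's placeholder.

```python
import http.client
import ssl
import sys

HSTS_MIN_AGE = 63072000  # seconds; the Strict Transport Security time set in Part 4 step 4

# Constructed sample of a response that matches the tutorial's Security Header
# entry (not captured from a real server).
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Referrer-Policy": "no-referrer",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}


def parse_hsts_max_age(value):
    """Return the integer max-age from an HSTS header value, or None if absent/malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None


def check_headers(headers):
    """Compare response headers with the tutorial's Security Header entry.

    Returns a list of findings (empty when everything matches). Header names
    are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("referrer-policy", "").lower() != "no-referrer":
        findings.append("Referrer-Policy should be 'no-referrer'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if "mode=block" not in h.get("x-xss-protection", "").replace(" ", "").lower():
        findings.append("X-XSS-Protection should be '1; mode=block'")
    hsts = h.get("strict-transport-security")
    max_age = parse_hsts_max_age(hsts) if hsts is not None else None
    if max_age is None or max_age < HSTS_MIN_AGE:
        findings.append(f"Strict-Transport-Security max-age should be at least {HSTS_MIN_AGE}")
    return findings


def is_https_redirect(status, headers):
    """True when a plain-HTTP request was redirected to an https:// URL (HTTPS Only)."""
    location = {k.lower(): v for k, v in headers.items()}.get("location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def fetch_headers(host, port, use_tls, path="/"):
    """HEAD request against a live host; returns (status, headers). Needs network access."""
    if use_tls:
        conn = http.client.HTTPSConnection(host, port, timeout=10,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


if __name__ == "__main__":
    # Offline self-check on the constructed sample, then an optional live run:
    #   python3 check_proxy.py emby.mydomain.com   (the tutorial's placeholder name)
    print("sample headers:", check_headers(SAMPLE_HEADERS) or "ok")
    if len(sys.argv) > 1:
        host = sys.argv[1]
        status, hdrs = fetch_headers(host, 80, use_tls=False)
        print("HTTP -> HTTPS redirect:", "ok" if is_https_redirect(status, hdrs) else "missing")
        print("security headers:", check_headers(fetch_headers(host, 443, use_tls=True)[1]) or "ok")
```

Run it from an external network, as the tutorial suggests for the site test; the plain-HTTP request on port 80 must come back as a redirect, otherwise the "HTTPS Only" and the disabled web GUI redirect rule are not taking effect.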
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Seimann on September 16, 2021, 04:58:08 pm
here is a placeholder
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: TheHellSite on September 26, 2021, 08:39:49 am
No real 100 % A+ rating though. Or am I mistaken?

https://forum.opnsense.org/index.php?topic=23339.0  8)
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Seimann on September 26, 2021, 01:49:19 pm
No real 100 % A+ rating though. Or am I mistaken?

https://forum.opnsense.org/index.php?topic=23339.0  8)

Sure
(https://i.postimg.cc/dDSL1RQ5/SSLcert.png) (https://postimg.cc/dDSL1RQ5)
It doesn't matter if HAProxy or Nginx for an A+.
It's only the settings ;)
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: TheHellSite on September 29, 2021, 08:37:07 am
You do NOT have 100 % A+!
You have A+ okay, but only 90 % in key exchange and cipher strength since you are missing some critical key parts.  ;)

See below my SSLLabs Rating.
(https://i.postimg.cc/2Lk3Fq7c/P005-016-SSLLabs-Rating.png) (https://postimg.cc/2Lk3Fq7c)

This is what happens when copying another person's guide without fully understanding what you are actually doing.
Of course it doesn't matter what reverse proxy someone is using, but the configuration surely matters!

Also at least give credit when copying / adopting another guide.  ::) (no offense)
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Seimann on September 29, 2021, 11:30:36 am
You do NOT have 100 % A+!
You have A+ okay, but only 90 % in key exchange and cipher strength since you are missing some critical key parts.  ;)

See below my SSLLabs Rating.
(https://i.postimg.cc/2Lk3Fq7c/P005-016-SSLLabs-Rating.png) (https://postimg.cc/2Lk3Fq7c)

This is what happens when copying another person's guide without fully understanding what you are actually doing.
Of course it doesn't matter what reverse proxy someone is using, but the configuration surely matters!

Also at least give credit when copying / adopting another guide.  ::) (no offense)

"You get TO 100% an A+ rating"
you are not blind and can see the screenshot like any other person?

What did I copy? All the pictures about Nginx? All the texts about Nginx?
Your statements are a bit psychological ...
Like a child who wants to argue about little things? That has no place here! Think about it before you piss on someone's leg.

You would also like a donation for the fact that the title is similar in a tutorial thread  ::) wow
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: TheHellSite on September 29, 2021, 12:46:43 pm
You won. :)

But still, in order to obtain an A+ rating with a 100 % score in ALL points you need to alter some settings in nginx. You don't have a 100 % rating in all areas.
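The 90 % mentioned above is the SSL Labs "Cipher Strength" category. SSL Labs awards 80 points to a 128-bit suite and 100 to a 256-bit suite and averages the weakest and strongest enabled suite, so one 128-bit suite next to 256-bit ones lands exactly on 90. The following is an added example, not code from the thread or from OPNsense: it expands an OpenSSL cipher string (the format nginx's ssl_ciphers directive takes) with the Python ssl module and reports which suites hold the score below 100. The cipher string in the example is constructed; note that OpenSSL lists the TLS 1.3 suites regardless of the cipher string, so TLS_AES_128_GCM_SHA256 shows up as well.

```python
import ssl


def suite_points(bits):
    """SSL Labs cipher-strength points for one suite, from the SSL Server Rating Guide:
    0 bits -> 0, below 128 -> 20, below 256 -> 80, 256 or more -> 100."""
    if bits <= 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def cipher_strength_score(bits_list):
    """Category score: average of the weakest and the strongest enabled suite."""
    if not bits_list:
        return 0
    return (suite_points(min(bits_list)) + suite_points(max(bits_list))) / 2


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string into (name, protocol, strength_bits) tuples,
    using the OpenSSL build Python is linked against. TLS 1.3 suites are governed
    by a separate OpenSSL setting and are always included in the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_suites(cipher_string, min_bits=256):
    """Names of enabled suites whose symmetric strength is below min_bits."""
    return [name for name, _proto, bits in enabled_suites(cipher_string) if bits < min_bits]


def score_cipher_string(cipher_string):
    """Cipher-strength score the enabled suites would receive."""
    return cipher_strength_score([bits for _name, _proto, bits in enabled_suites(cipher_string)])


if __name__ == "__main__":
    # Constructed example: one 256-bit and one 128-bit AES-GCM suite.
    mixed = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256"
    for name, proto, bits in enabled_suites(mixed):
        print(f"{name:40} {proto:8} {bits:4} bits")
    print("suites below 256 bits:", weak_suites(mixed))
    print("cipher strength score:", score_cipher_string(mixed))
```

The score only reaches 100 once every suite the server will negotiate, TLS 1.3 included, is 256-bit; the key-exchange category mentioned in the same post is scored separately and is not covered here.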
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: BeNe on December 16, 2021, 07:04:28 pm
@Seimann
Thanks for your great tutorial. It's easy to follow and clear to understand with the screenshots.

Could you also explain how to handle more than one target?

I mean a routing with subdomain for example:
subdomain1.my-domain.tld -> server1
subdomain2.my-domain.tld -> server2
....

Do I need to create an HTTP Server for every subdomain?
How can I redirect to a server with the correct SSL cert?

Thanks for any hints and tips.

Greez,
BeNe
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Grossartig on April 30, 2022, 06:19:15 am
Came here to say that this is a really nice write-up! I adapted it to my needs for my Plex instance, but you got me 99% there. This really is the only tutorial I found that talks about Plex/Nginx/OPNsense. There are a few other tutorials about just general Nginx & Plex, but it's always difficult to adapt raw Nginx config files to how it needs to be configured on the OPNsense Nginx GUI. So... thank you!

I now also disabled remote access from the Plex server settings and removed my OPNsense firewall rule to close that hole as well. And... drum roll... yes, I also got an A+ rating on the Qualys site. However, Mozilla Observatory reported a less than stellar score, so I had to tweak the security headers a bit more.

Anyway, thank you!
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: MartinZ on December 07, 2022, 09:26:55 am
I am exposing my Home Assistant server using the nginx plugin with no problem. Tried to do the same with Jellyfin (same setting) and the result is 502 Bad Gateway. Followed this (btw. awesome) tutorial but I still get a 502 Bad Gateway when I enter the domain that links to my Jellyfin Server. Any ideas? I already spent hours on this. Thank you
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: kuroneko on April 01, 2023, 04:12:35 am
Hey. I am trying to follow this (btw awesome) guide but ran into issues with certificate generation. When I add the new Certificate and try to generate it, the "Last ACME Status" will be "Validation failed". Also, after the failure the connected clients (my computer, etc.) lose internet access until I delete the certificate and reboot OPNsense.

I am not very knowledgeable about this topic so pointers would be great where should I look to diagnose the issue. Anything I might need to disable? Like unbound?

Also worth noting that I am on a DMZ network and WAN gets a 192.... local address from the router so the private/bogon block in the WAN setting is unchecked.

edit: or alternatively should I maybe follow the other/newer tutorial by TheHellSite? This one seemed to be more fitting to my specific use-case (jellyfin)
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Calimarina on July 03, 2023, 10:18:27 pm
Thank you so much for this Seimann. It worked perfectly, except I ended up getting a 100 on everything except for Cipher Strength, which was 90, but I'm a-okay with that. All the tutorials I've found always use DNS-01 for their challenge type, but since I use No-IP it's not on the ACME-Client list. I don't want to use another company because I've already dumped money into No-IP, so thanks a bunch! You should make a YouTube video as well!
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: tokar86a on July 06, 2023, 10:22:52 am
Any suggestion on why you would get "request denied" when you are trying to reverse proxy to your firewall?
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: tokar86a on July 06, 2023, 10:49:03 am
Getting this in the error log

*1 upstream prematurely closed connection while reading response header from upstream, client: 192.168.1.101, server: opn.mydomain.dedyn.io, request: "GET / HTTP/2.0", upstream: "http://192.168.1.1:8443/", host: "opn.mydomain.dedyn.io"

Can it be something related to this?

https://docs.opnsense.org/manual/how-tos/nginx_waf.html#background-information
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: jellelle on July 28, 2023, 12:48:18 am
Thanks a lot for your effort!
Jelle
Title: Re: TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating
Post by: Fibrepunk on February 21, 2024, 07:42:25 am
@Seimann
Thanks for your great tutorial. It's easy to follow and clear to understand with the screenshots.

Could you also explain how to handle more than one target?

I mean a routing with subdomain for example:
subdomain1.my-domain.tld -> server1
subdomain2.my-domain.tld -> server2
....

Do I need to create an HTTP Server for every subdomain?
How can I redirect to a server with the correct SSL cert?

Thanks for any hints and tips.

Greez,
BeNe

Did you ever get multiple subdomains figured out to work with Let's Encrypt for each of the subdomains pointing to a different server in your LAN?