Multiple web servers


Nem


I'm currently using the Nginx-letsencrypt app, where the nginx server is used as a reverse proxy for all of my other applications. I have a domain name pointing at the server so everything can be accessed with www.example.com/couchpotato for example

 

I also currently run my personal website on Digital Ocean, but my credit just expired and I'm looking for alternative ways to host it, and thought that I could host it on my unraid server through a new docker container

 

Is it possible to set up a second nginx container to host my website such that when people go to www.example.com they'll get taken to the Nginx-letsencrypt container and hit my server apps, but when they go to www.personalwebsite.com they'll be taken to my new second nginx container and be taken to my personal website instead? So both domains will point to my server IP, but traffic will be redirected to the appropriate container depending on the domain

 

Ideally I'd like to do this with a second container rather than trying to do everything within Nginx-letsencrypt container so I can keep things separated

Link to comment

I personally don't see any issues about running a webserver on port 443 of unraid as long as it is secured for the known vulnerabilities.

 

Op is not suggesting putting the unraid gui on the Internet, but only proxies for other containers (I'm assuming secured with passwords over ssl since he is using letsencrypt)

 

Regarding op's question, unfortunately the nginx-letsencrypt container can only handle one domain at the moment and that domain has to be accessible on port 443. So a second container would not work because it would need to be accessed at port 443 (on the router) as well.

 

So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

 

However, if you handle the ssl certs manually on one of the containers, then it could work with nginx forwarding and different ports.

Link to comment

my +1

 

As a security guy one rule you should stand by is "don't put anything on an insecure network when you don't control the patching"

In this case, isn't the patching controlled? The Internet requests are passed directly to an ubuntu docker container that is using the latest version of nginx with ssl

 

It is essentially the same setup used for my company's website. The only difference is one is hosted on a vps and one hosted at home in a container. Both running on Ubuntu 14.04

Link to comment

So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

Then get a new router. My old Asus router could do that (and ofc also my EdgeRouter Lite).

Which asus router was that? As far as I know, most consumer routers don't do domain forwarding, which I believe requires packet inspection (L7?)

 

You might be thinking of forwarding different ports to different IP addresses. What I mentioned is forwarding the same port to different IP addresses based on the destination FQDN

Link to comment
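The "same port, different local IP, chosen by destination name" forwarding aptalca describes is exactly what a TLS front door can do by reading the SNI name from the ClientHello before any decryption happens, so each container behind it keeps its own certificate. The following nginx.conf is an added example, not from this thread or from the linuxserver nginx-letsencrypt project: it runs a third, minimal nginx container that the router forwards public 443 and 80 to, and it needs an nginx build with the stream and ssl_preread modules (nginx 1.11.5 or later). The container addresses, the 8443/8080 listen ports and the domain names are assumed placeholders.

```nginx
# Added example: TLS/HTTP front door that picks a backend container by name.
# Not part of the original post; all addresses and ports are assumptions.
events { worker_connections 1024; }

stream {
    # Look at the SNI name in the TLS ClientHello and choose a backend.
    # TLS is NOT terminated here, so each backend presents its own cert.
    map $ssl_preread_server_name $tls_backend {
        hostnames;
        .example.com          172.17.0.2:443;   # nginx-letsencrypt container (assumed IP)
        .personalwebsite.com  172.17.0.3:443;   # second nginx container (assumed IP)
        default               127.0.0.1:9;      # no/unknown SNI: a closed port, so the
                                                # connection is dropped instead of reaching
                                                # whichever site happens to be "first"
    }

    server {
        listen 8443;            # router forwards public 443 here (assumed port)
        ssl_preread on;         # read SNI without decrypting
        proxy_pass $tls_backend;
    }
}

http {
    # Plain HTTP (port 80) carries no SNI, so route on the Host header instead.
    # This also lets Let's Encrypt HTTP-01 renewals reach the right container.
    map $host $http_backend {
        hostnames;
        .example.com          172.17.0.2:80;
        .personalwebsite.com  172.17.0.3:80;
        default               "";
    }

    server {
        listen 8080;            # router forwards public 80 here (assumed port)
        location / {
            # Unknown Host: close the connection rather than serve a default site.
            if ($http_backend = "") { return 444; }
            proxy_pass http://$http_backend;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Because the front door never holds a private key, compromising it does not expose either site's certificate, and the `default` entries make sure a scanner hitting the bare IP gets nothing rather than a copy of one of the sites. The `stream` block must live at the top level of nginx.conf, not in a sites-conf include.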

So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

Then get a new router. My old Asus router could do that (and ofc also my EdgeRouter Lite).

Which asus router was that? As far as I know, most consumer routers don't do domain forwarding, which I believe requires packet inspection (L7?)

 

You might be thinking of forwarding different ports to different IP addresses. What I mentioned is forwarding the same port to different IP addresses based on the destination FQDN

Whoops, yes, I was thinking of something else.

 

I thought at first you were talking about forwarding a random port to a specific external one (443 in this case).

 

 

Link to comment

I personally don't see any issues about running a webserver on port 443 of unraid as long as it is secured for the known vulnerabilities.

 

Op is not suggesting putting the unraid gui on the Internet, but only proxies for other containers (I'm assuming secured with passwords over ssl since he is using letsencrypt)

 

Regarding op's question, unfortunately the nginx-letsencrypt container can only handle one domain at the moment and that domain has to be accessible on port 443. So a second container would not work because it would need to be accessed at port 443 (on the router) as well.

 

So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

 

However, if you handle the ssl certs manually on one of the containers, then it could work with nginx forwarding and different ports.

 

So nginx-letsencrypt is running on 443, but for my personal website I don't actually need 443 and can run it without SSL. The site is entirely static and doesn't require the user to send/receive any personal data to the server. In other words I don't actually need an SSL cert for the personal site. Does this change things at all?

Link to comment

I personally don't see any issues about running a webserver on port 443 of unraid as long as it is secured for the known vulnerabilities.

 

Op is not suggesting putting the unraid gui on the Internet, but only proxies for other containers (I'm assuming secured with passwords over ssl since he is using letsencrypt)

 

Regarding op's question, unfortunately the nginx-letsencrypt container can only handle one domain at the moment and that domain has to be accessible on port 443. So a second container would not work because it would need to be accessed at port 443 (on the router) as well.

 

So unless your router has the ability to forward requests on port 443 to different local IPs based on the destination domain, it wouldn't work.

 

However, if you handle the ssl certs manually on one of the containers, then it could work with nginx forwarding and different ports.

 

So nginx-letsencrypt is running on 443, but for my personal website I don't actually need 443 and can run it without SSL. The site is entirely static and doesn't require the user to send/receive any personal data to the server. In other words I don't actually need an SSL cert for the personal site. Does this change things at all?

Well, in that case, you can install the regular nginx container and set your personal site with that. Pick any random port, just not 80 because unraid uses it. And on your router, forward port 80 to the new container's port.

 

When you go to http://yourpersonalweburl it will be redirected to the second nginx container

Link to comment

I thought about doing something like that, but the way I have nginx-letsencrypt set up is all port 80 traffic it receives gets automatically redirected to 443

 

Furthermore, splitting traffic by protocol alone would lead to problems. Let's say on my router I forward 80 to nginx (personalsite.com) and 443 to nginx-letsencrypt (proxysite.com). Both domains will point to the same IP. So if someone goes to https://personalsite.com, they will be incorrectly taken to the proxy site, and if someone goes to http://proxysite.com they will be taken to the personal site because of how the ports are forwarded... unless there's a way in the nginx config to redirect the user back to the "other" site or something?

Link to comment

my +1

 

As a security guy one rule you should stand by is "don't put anything on an insecure network when you don't control the patching"

In this case, isn't the patching controlled? The Internet requests are passed directly to an ubuntu docker container that is using the latest version of nginx with ssl

 

It is essentially the same setup used for my company's website. The only difference is one is hosted on a vps and one hosted at home in a container. Both running on Ubuntu 14.04

 

There is a bit of reality versus theory at play here. Sure, if you're a competent sysadmin and understand patching up and down the whole application and protocol stack, then you understand risk and how to mitigate it. That however is a tiny percentage of users.

 

Containerization reduces risk by its very nature, but think about all the patching delays even here that are completely outwith most users' control. Docker spent 9+ months unpatched last year and we are fast approaching 3 months this year. What about the container itself... if a massive security hole is found, how does a user know about this in a timely fashion and then patch it?

 

What about monitoring for attacks, how do users do this (important when a rooted box is your home NAS when compared to a hosted VPS or $2 web host)?

 

There is latitude in here to be really insecure IN THEORY, but it is my experience most users won't patch even if you make it easy for them.

 

YMMV but I err on the side of caution; you can't teach users to be secure, you have to keep it secure for them, and that's not currently 100% possible on unRAID

Link to comment

Yeah, even with all the caveats listed by aptalca, there is no way I'd ever let inbound internet touches to a web server on unraid, regardless of it being in a Docker or a VM. I've seen far too many escalation and escapes happen to know that it is an absolutely horrible idea to do so with unraid, especially given the declarations by LimeTech.

Link to comment

So nginx-letsencrypt is running on 443, but for my personal website I don't actually need 443 and can run it without SSL. The site is entirely static and doesn't require the user to send/receive any personal data to the server. In other words I don't actually need an SSL cert for the personal site. Does this change things at all?

 

Yes, that does change things.

 

You would set both DNS aliases (example.com and personalwebsite.com) to point to your public IP address.

Then you forward port 80 on your router to whatever port your nginx server is listening to (it most likely isn't 80 as that is what unraid uses by default)

Forward port 443 on your router to whatever SSL port your nginx server is listening to (might be 443, but is configurable)

In the nginx configuration nginx\sites-conf\ folder create a configuration for personalwebsite.com that looks something like this ...

server {
    listen 80;
    # listen 443 ssl;   # left commented out: the only cert on this IP belongs to example.com

    # Match the bare domain as well as any subdomain; "*.personalwebsite.com"
    # on its own would not match a request for https://personalwebsite.com
    server_name personalwebsite.com *.personalwebsite.com;

    root /config/www/personalwebsite.com;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }
}

The website will be placed in /config/www/personalwebsite.com/ in this scenario.

Nginx will examine web requests for personalwebsite.com and if it matches then it will serve those files. The limitation in this setup is that a single IP can only host one SSL certificate. And your lets-encrypt cert will most likely have the example.com certs on it. So if you do happen to go to https://personalwebsite.com you will get a certificate error in your web browser about names not matching. There are lines you can add to the config file that will force https back to http for all personalwebsite.com connections. What may be a better option for you would be to get the lets-encrypt cert for personalwebsite.com and let the mismatched name occur on example.com, only because I am assuming you will be the only one going to example.com so you will know to ignore the certificate error and go on your way. However, if you really have no need for SSL on your personalwebsite.com then continue using the cert from example.com.

 

Another option, instead of serving the site via an unraid docker is to just have the docker act as a reverse proxy and forward the request to a real server or a VM where you have more control over things.

 

As far as the security concerns of having an nginx docker on the public internet.  In my opinion, using nginx solely as a reverse proxy or static html server it is a risk I am willing to live with.  I probably wouldn't host PHP or some other dynamic site on it though.

Link to comment
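Putting the pieces of the answer above together (both domains on one container, port 80 and 443 forwarded to it, example.com forced to HTTPS, personalwebsite.com forced back to HTTP as the post says is possible), here is a complete sites-conf as an added example that is not from the thread or the nginx-letsencrypt project. The ports are the container-internal ones (the host-side mapping unraid needs is a separate Docker setting), the certificate paths and the app container address are assumed placeholders, and the ACME challenge location assumes the usual HTTP-01 renewal over port 80.

```nginx
# Added example: one nginx container answering for two domains by Host header.
# Not part of the original post; paths, ports and addresses are assumptions.

# Catch-all for requests that name no known host (IP scans, stray vhosts):
# close the connection instead of serving one of the sites by accident.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;   # example.com cert (assumed path)
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    return 444;
}

# example.com: plain HTTP is sent to HTTPS, except the ACME challenge path
# that Let's Encrypt renewals need to reach over port 80.
server {
    listen 80;
    server_name example.com www.example.com;
    location /.well-known/acme-challenge/ { root /config/www; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    # Reverse proxy to an app container; subpath style as in the original post.
    location /couchpotato {
        proxy_pass http://172.17.0.5:5050;        # app container (assumed address)
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# personalwebsite.com: static files over plain HTTP ...
server {
    listen 80;
    server_name personalwebsite.com www.personalwebsite.com;
    root /config/www/personalwebsite.com;
    location / { try_files $uri $uri/ =404; }
}

# ... and anyone arriving over HTTPS is sent back to HTTP. The TLS handshake
# has already completed with the example.com certificate by the time this
# server block runs, so browsers still show the name-mismatch warning first;
# the redirect only shortens the detour for visitors who click through it.
server {
    listen 443 ssl;
    server_name personalwebsite.com www.personalwebsite.com;
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    return 301 http://$host$request_uri;
}
```

This resolves the port-forwarding worry raised earlier in the thread: both 80 and 443 go to the same container, and nginx picks the server block by Host header (and SNI, for 443), so http://proxysite.com and https://personalsite.com each end up at the right site. The `default_server` blocks with `return 444` matter on an internet-facing box: without them, nginx answers requests for any unknown name with the first server block it finds.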

The gold solution is always a VPN running on your edge firewall/router. This is secure, far more flexible and maintainable as a long term solution, with minimal sysadmin workload to keep it secure.

 

I don't often recommend spending money but this one is worth it. The feeling of being able to plug into any random network and know you are secure is more than a nice added benefit.

 

Link to comment
