Best Practice for Reverse Proxy?


TexasDave


I am in the process of trying to allow friends to monitor the status of Plex and Ombi. This will avoid texts coming to me asking "Is Plex up"? 🙂

 

I am looking at Monitorr and OrganizrV2. I have been checking out a set of blog posts from @GilbN (which are awesome). One of his articles discussed how he got an A+ score on both https://securityheaders.com/ and https://www.ssllabs.com/
 

Blog Post: https://technicalramblings.com/blog/how-to-setup-organizr-with-letsencrypt-on-unraid/ (it is a bit old but I still think there is good stuff in this)

 

Right now, I am exposing Ombi and Ubooquity. When I type in URLS for these - I get an F. Probably not good?

I am wondering:

 

  1. Does the above matter? That is, my services getting an F?
  2. Is there a way to configure Ombi and Ubooquity so I can get better scores? Any pointers?

 

Thanks as always....

PS: will be posting some actual questions on using Monitorr and OrganizrV2 in a separate thread.

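The F grade mentioned above comes from the response headers the reverse proxy sends (or fails to send) for the proxied service. As an added example that is not part of this thread, the following Python script audits the header block of a raw HTTP response offline for the headers securityheaders.com reports on: HSTS, Content-Security-Policy, clickjacking protection, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and version disclosure in Server / X-Powered-By. The two sample responses are constructed, and the checks are a simplified approximation rather than the site's own grading algorithm.

```python
"""Offline check of the HTTP response headers that securityheaders.com
reports on. Added example: a simplified approximation, not the site's
own grading algorithm."""
import re

ONE_YEAR = 31536000  # HSTS max-age threshold used here (seconds)


def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP/1.x response into a
    {lower-cased name: value} dict. Repeated headers are joined with ', '."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit_security_headers(raw_response: str) -> dict:
    """Return {'missing': [...], 'weak': [...], 'ok': bool} for one response."""
    h = parse_headers(raw_response)
    missing, weak = [], []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        missing.append("Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            weak.append("Strict-Transport-Security: max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        missing.append("Content-Security-Policy")

    # Clickjacking protection: either header counts, but ALLOW-FROM is
    # obsolete and current browsers ignore an X-Frame-Options header that uses it.
    xfo = h.get("x-frame-options", "")
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if not xfo and not has_frame_ancestors:
        missing.append("X-Frame-Options (or CSP frame-ancestors)")
    elif xfo.lower().startswith("allow-from") and not has_frame_ancestors:
        weak.append("X-Frame-Options: ALLOW-FROM is obsolete; use CSP frame-ancestors")

    xcto = h.get("x-content-type-options")
    if xcto is None:
        missing.append("X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        weak.append("X-Content-Type-Options: value should be 'nosniff'")

    if "referrer-policy" not in h:
        missing.append("Referrer-Policy")
    if "permissions-policy" not in h:
        missing.append("Permissions-Policy")

    # Information leakage: a version in Server (nginx: server_tokens off) or any X-Powered-By.
    if re.search(r"\d", h.get("server", "")):
        weak.append("Server: discloses a version number")
    if "x-powered-by" in h:
        weak.append("X-Powered-By: discloses backend software")

    return {"missing": missing, "weak": weak, "ok": not missing and not weak}


# Constructed sample responses (not captured from any real host).
UNPROTECTED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: frame-ancestors https://*.example.com https://example.com\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        result = audit_security_headers(resp)
        print(label, "OK" if result["ok"] else "FAIL")
        for item in result["missing"]:
            print("  missing:", item)
        for item in result["weak"]:
            print("  weak:   ", item)
```

To run it against a live service, capture the response with `curl -sI https://yourservice.yourdomain` and feed the text to `audit_security_headers`; the headers flagged as missing are the ones an `add_header` line in the nginx server block would supply.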

Attached. I use the individual conf files rather than the master. No real reason - I think because that is how SpaceInvader One's videos did it?

 

Thanks for any suggestions and thanks for your articles. I may be posting for some help on what led me to your original blog post.

 

Having some issues with OrganizrV2 and Monitorr... Is there a good place to post those questions?

[Attached image: Clipboard02.png]


 

proxy-confs/ubooquity.subdomain.conf

 

# make sure that your dns has a cname set for ubooquity and that your ubooquity container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name dz-comics.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202;
    }

    location ~ (/ubooquity)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202;
    }
}

 

site-confs/default
 

## Version 2019/08/01 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#	location ^~ /cp {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050/cp;
#	}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl http2;
#	listen [::]:443 ssl http2;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	include /config/nginx/ssl.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;
#	}
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl http2;
#	listen [::]:443 ssl http2;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name heimdall.*;
#
#	include /config/nginx/ssl.conf;
#
#	include /config/nginx/ldap.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
#		auth_request /auth;
#		error_page 401 =200 /login;
#
#		include /config/nginx/proxy.conf;
#		resolver 127.0.0.11 valid=30s;
#		set $upstream_heimdall heimdall;
#		proxy_pass https://$upstream_heimdall:443;
#	}
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

 

I am using the individual conf files instead of a site one. Thanks!!


@GilbN - Boom! You nailed it - Thanks!! See attached. 😀

I made the change in both the individual conf files and the single one. Was not sure which ones to change.

 

Question: Is this more of a housekeeping / nice to have thing? Or does it help secure the services I expose? Or just give others confidence that these are legit sites. Just curious.

Now to get back to why I was originally reading your blog - to pimp a page I want to share with friends so they can see Plex Status. Thanks so much for your help and blog posts!

[Attached image: Clipboard01.png]


I just recently switched to swag and to validation by DNS vs http, and I now get an F from https://securityheaders.com/ .... previously I used http and letsencrypt. Even when I switch the old docker container on, it still fails the security test. Any thoughts? I am using the strong-ssl.conf that you recommended and worked previously.

 

Thanks in advance.


@GilbN Also when looking at the strong-ssl.conf, when would I also need to use the sub-strong-ssl.conf?

And for:

add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on
add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = sub.domain.com in this server block

do I actually put in my domain? For example... would it be mysubdomain.mydomain.com?

 

21 hours ago, Biff Bojangles said:

@GilbN Also when looking at the strong-ssl.conf, when would I also need to use the sub-strong-ssl.conf?

And for:

add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on
add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = sub.domain.com in this server block

do I actually put in my domain? For example... would it be mysubdomain.mydomain.com?

yup

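DOMAIN.COM in those two header lines is a placeholder for the real domain, and which domains end up in the frame-ancestors list decides whether a dashboard such as Organizr is allowed to embed the proxied service at all. Note that X-Frame-Options ALLOW-FROM is obsolete and current browsers ignore a header that uses it, so the Content-Security-Policy line is the one that actually governs embedding. As an added example (not from the thread or from the strong-ssl.conf the posts refer to), the following Python reproduces how a browser matches a frame-ancestors source list against the origin trying to frame the page; it shows why the placeholder left in place blocks your own dashboard, and why both https://*.mydomain.com and https://mydomain.com are listed (the wildcard does not cover the apex). The origins ombi.mydomain.com and organizr.mydomain.com are constructed, and https://$server_name from the header line is written out as the literal server name of the block.

```python
"""Evaluate a Content-Security-Policy frame-ancestors directive the way a
browser does when another origin tries to iframe the page. Added example,
not from the thread; all origins below are constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def _host_matches(pattern_host: str, host: str) -> bool:
    """'*.mydomain.com' matches any subdomain but not the apex itself."""
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]          # ".mydomain.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern_host == host


def source_matches(source: str, framing_origin: str, page_origin: str) -> bool:
    """Match one CSP source expression against the origin doing the framing."""
    source = source.strip()
    if source == "'none'":
        return False
    if source == "*":
        return True
    if source == "'self'":
        return framing_origin.rstrip("/").lower() == page_origin.rstrip("/").lower()

    o = urlsplit(framing_origin)
    if not o.hostname:
        return False
    # Scheme-only source such as "https:" matches every host on that scheme.
    if source.endswith(":") and "/" not in source:
        return o.scheme.lower() == source[:-1].lower()

    if "://" in source:
        scheme, _, host_part = source.partition("://")
        if scheme.lower() != o.scheme.lower():
            return False
    else:
        host_part = source                 # scheme-less source: any scheme
    pat_host, _, pat_port = host_part.lower().partition(":")
    if not _host_matches(pat_host, o.hostname.lower()):
        return False
    origin_port = str(o.port) if o.port else DEFAULT_PORTS.get(o.scheme.lower(), "")
    return not pat_port or pat_port == "*" or pat_port == origin_port


def frame_ancestors_allows(csp: str, framing_origin: str, page_origin: str) -> bool:
    """True if the page at page_origin may be framed by framing_origin under csp.
    A policy without frame-ancestors places no restriction on framing."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list is equivalent to 'none'.
            return any(source_matches(s, framing_origin, page_origin) for s in tokens[1:])
    return True


# Constructed origins: the proxied service and a dashboard that embeds it.
PAGE = "https://ombi.mydomain.com"          # nginx's $server_name in this server block
DASHBOARD = "https://organizr.mydomain.com"

# The header value with the DOMAIN.COM placeholder left in place ...
PLACEHOLDER_CSP = "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://ombi.mydomain.com"
# ... and with the real domain filled in.
FILLED_CSP = "frame-ancestors https://*.mydomain.com https://mydomain.com https://ombi.mydomain.com"

if __name__ == "__main__":
    for label, csp in (("placeholder", PLACEHOLDER_CSP), ("filled in", FILLED_CSP)):
        allowed = frame_ancestors_allows(csp, DASHBOARD, PAGE)
        print(f"{label:12s} dashboard may frame {PAGE}: {allowed}")
```

With the placeholder left in, only the `https://$server_name` entry matches, so the page can be framed by itself and nothing else; once the real domain is filled in, every subdomain and the apex are permitted while any other origin, or the same host over plain http, is refused.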
