brokenlcd

@brokenlcd@feddit.it

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
i’m not sure if it’s equivalent. but in the meantime i have cobbled up a series of commands from various forums to do the whole process, and i came up with the following openssl commands.
```
openssl genrsa -out servorootCA.key 4096

openssl req -x509 -new -nodes -key servorootCA.key -sha256 -days 3650 -out servorootCA.pem

openssl genrsa -out star.servo.internal.key 4096

openssl req -new -key star.servo.internal.key -out star.servo.internal.csr

openssl x509 -req -in star.servo.internal.csr -CA servorootCA.pem -CAkey servorootCA.key -CAcreateserial -out star.servo.internal.crt -days 3650 -sha256 -extfile openssl.cnf -extensions v3_req
```
with only the crt and key files on the server, while the rest is on a usb stick for keeping them out of the way.

hopefully it’s the same. though i’ll still go through the book out of curiosity… and come to think of it. i do also need to setup calibre :-).

thanks for everything. i’ll have to update the post with the full solution after i’m done, since it turned out to be a lot more messy than anticipated…
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
Don’t worry. Lemmy is asynchronous after all. Instant responses aren’t expected. Plus. I know life gets in the way :-).

It was basically a misconception I had about how the homelab router would route the connection

Basically with pihole set up. It routes servo.internal to 192.168.1.y, the IP of the homelab router. So when a machine from the inside of the homelab. On 10.0.0.*, connects to the server. It will refer to it via the 192.168.1.y IP of the router.

The misconception was that I thought all the traffic was going to bounce between the homelab router and the home router. Going through the horrendously slow LAN cable that connects them and crippling the bandwidth between 10.0.0.* machines and the server.

I wanted to setup another pihole server for inside of the homelab. So it would directly connect to the server on it’s 10.0.0.* address instead of the 192.168.1.y. And not go and bounce needlessly between the two routers.

But apparently the homelab router realizes he’s speaking to itself. And routes the data directly to the server. Without passing though the home router and the slower Ethernet. So the issue is nonexistent, and I can use one pihole instance with 192.168.1.y for the server without issue. (Thanks to darkan15 for explaining that).

While I do have my self-learned self-hosted knowledge, I’m not an IT guy, so I may be mistaken here and there.

I think most of us are in a similar situation. Hell. I weld for a living atm :-P.

However, I can give you a diagram on How it works on my setup right now and also gift you a nice ebook to help you setup your mini-CA for your lan :

The diagram would be useful. Considering that rn I’m losing my mind between man pages.

As for the book… I can’t accept. Just give me the name/ISBN and I’ll provide myself. Still. Thanks for the offer.
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:

No, the request would stop on Router B, and maintain all traffic, on the 10.0.0.* network it would not change subnets, or anything

OK perfect. That was my hiccup. I thought it was going to go the roundabout way and slow the traffic down. I was willing to Put in numbers if it meant I wouldn’t have to go needlessly through the slower cable. If the router keeps everything inside of it’s own subnet if he realizes he’s talking to itself then it’s perfect.

Thanks for the help
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I think I didn’t explain myself the right way.

Computers from inside of Router B will access the server via it’s IP. Nginx will only serve an HTML file with the links. Basically acting as a bookmark page for the IP:port combos. While anything from Router A will receive a landing page that has the domain name, that will be resolved by pihole, exposed to the machines on Router A as an open port on router b`

So basically the DNS will only be used on machines from Router A, and the rules on nginx are just to give links to the reverse proxy if the machine is from router A (I.e. the connection is coming from 10.0.0.1 from the server’s POV), or the page with the raw IP of the server+ port of the service.

router A is Unfortunately junk from my ISP, and it doesn’t allow me to change the DNS. So I’ll just add Router B` ( and thus, the pihole instance that’s on the server) as a primary dns, and an external one as a secondary DNS as fallback.

If you decide on doing the secondary local DNS on the server on Router B network, there is no need to loop back, as that DNS will maintain domain lookup and the requests on 10.0.0.x all internal to Router B network

Wouldn’t this link to the 192.168.0.y address of router B pass through router A, and loop back to router B, routing through the slower cable? Or is the router smart enough to realize he’s just talking to itself and just cut out `router A from the traffic?
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I think I’ll do this with one modification. I’ll make nginx serve the landing page with the subdomains when computers from router A try to access. ( by telling nginx to serve the page with the subdomains when contacted by 10.0.0.1) while I’ll serve another landing page that bypasses the proxy, by giving the direct 10.0.0.* IP of the server with the port, for computers inside router B .

Mostly since the Ethernet between router a and b is old. And limits transfers to 10Mbps. So I’d be handicapping computers inside router B by looping back. Especially since everything inside router B is supposed to be safe. And they’ll be the ones transferring most of the data to it.

Thanks for the breakdown. It genuinely helped in understanding the Daedalus-worthy path the connections need to take. I’ll update the post with my final solution and config once I make it work.
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I think that pihole would be the best option. But coming to think of it… I think that to make it work I’d need two instances of pihole. Since the server is basically straddling two nats. With the inner router port forwarding port 1403 from the server. Basically:

Home net (192.168.0.) { Laptop Homelab router (10.0.0., port 1403 forwarded) { Desktop
```
 Server( port 1403 forwarded to router)
}
```
}

To let me access the services both from the desktop and the laptop. I’d need to have two DNS resolvers, since for the laptop it needs to resolve to the 192.168.0.* address of the homelab router. While for the desktop it needs to resolve directly to the 10.0.0.* address of the server.

Also, little question. If I do manage to set it up with subdomains. Will all the traffic still go through port 1403? Since the main reason I wanted to setup a proxy was to not turn the homelab’s router into Swiss cheese.

… The rootCA idea though is pretty good… At least I won’t have Firefox nagging me every time I try to access it.

(specially with docker containers !)

Already on it! I’ve made a custom skeleton container image using podman, that when started. It runs a shell script that I customize for each service, while another script gets called via podman exec for all of them by a cronjob to update them. Plus they are all connected to a podman network with manually assigned IPs to let them talk to eachother. Not how you’re supposed to use containers. But hey, it works. Add to that a btrfs cluster, data set to single, metadata set to raid1. So I can lose a disk without losing all of the data. ( they are scrap drives. Storage is prohibitively expensive here) + transparent compression; + cronjob for scrub and decuplication.

I manage with most of the server. But web stuff just locks me up. :'-)
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I’ll need to check. I doubt I’ll be able to setup a DNS resolver. Since I can’t risk the whole network going down if the DNS resolver fails. Plus the server will have limited exposure to the home net via the other router.

Still. Thanks for the tips. I’ll update the post with the solution once I figure it out.
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
If I remember correctly there was an option for that. I need to dig up the manual…

Still, I think I’m going to need to change approach. Eventually one of the other services will bite me if I keep using subdirectories.
⁨Comment⁩ on ⁨issues setting up nginx as an https proxy⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
I’m sorry. I forgot to mention it in the post. But the server is not facing the outside. It’s just behind an extra nat to keep my computers separate from the rest of the home. There’s no domain name linking to it. I’m not sure if that impacts using subomains.

The SSL certificates shouldn’t be a problem since it’s just a self signed certificate, I’m just using SSL as a peace of mind thing.

I’m sorry if I’m not making sense. It’s the first time I’m working with webservers. And I genuinely have no idea of what I’m doing.
issues setting up nginx as an https proxy
Submitted ⁨⁨2⁩ ⁨weeks⁩ ago⁩ to ⁨selfhosted@lemmy.world⁩ | ⁨23⁩ ⁨comments⁩
⁨Comment⁩ on ⁨Lies, all lies⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
on the topic of music… the title of the post makes me think about one song in particular
⁨Comment⁩ on ⁨Bank forced to rehire workers after lying about chatbot productivity: Australia’s biggest bank regrets messy rush to replace staff with chatbots.⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Well… Considering that salt renders soil infertile… Not that far off frankly
⁨Comment⁩ on ⁨Jump on in.⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Small remider than when injected, serotonin basically overdrives pain receptors. That’s why it’s in there. It won’t make you happy. It will make you feel even more in hell. (I know it’s a joke. But come on i couldn’t resist)
⁨Comment⁩ on ⁨PARTY TIME⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
I can’t speak. I’ve used cut up propane tanks to hold wine.
⁨Comment⁩ on ⁨If I invented a shirt that caused cameras to be damaged when filmed/photographed, would I be committing a crime by wearing the shirt at events with cameras?⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
Best i can do is an Elton John style jacket. Dazzle them to.hell and back.
⁨Comment⁩ on ⁨If you went to an island, and formed a new country and forcibly inject everyone there with a drug that makes them happy, you new country could surpass Finland as the "Happiest country in the world"⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
we happy few has entered the chat
⁨Comment⁩ on ⁨run⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Who dehydrated my chain chomp?
⁨Comment⁩ on ⁨Are you so young that you have never been in a car with one of these?⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Ah. The memories of being a wee kid and heating them up. And touching the red hot element. I think that’s one of those experiences that everyone that has been near them as a kid has had.
⁨Comment⁩ on ⁨It's always the same.⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
By experience, social anxiety works too.
⁨Comment⁩ on ⁨Just one of the differences⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
Pretty sure you can be in both situations while crying. Think of crying like a modifier asset.
⁨Comment⁩ on ⁨Plastic knives are surprisingly dangerous.⁩ ⁨⁨2⁩ ⁨months⁩ ago⁩:
They can kill as well. But indiscriminately and slowly.
⁨Comment⁩ on ⁨Full Moon Rising!⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
No no no. You don’t get it. The turd is turning into a werewolf mid-shit.
⁨Comment⁩ on ⁨Might be time to find another job⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Don’t give me ideas… I love spicy stuff, and it has been a pretty good deterrent in of itself from having my foodstuffs stolen. So two birds with one stone…
⁨Comment⁩ on ⁨Might be time to find another job⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
I remember solving something similar using an opaque bottle with “GI supplements, don’t drink” written in sharpie. Especially since the first time it was actually true and they didn’t believe the warning.
⁨Comment⁩ on ⁨Shhhhh⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
My microwave is so old the hum of the transformer is louder than the worn out bell that signals when it’s done. Eventually i’ll pillage the transformer out of another one to keep it going. I refuse to lose the mechanical dials that are on it.
⁨Comment⁩ on ⁨Some things just refuse to die⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Basically that phone was a continuous hand me down. My dad, a construction worker, bought it for himself, hence the cement mixer. Then, he managed to get a phone plan with insurance, so if it broke at work he wouldn’t have to pay for another phone. And the s5 got handed over to my mom. Where the pasta sauce happened.

Last. It got handed to me. A wee kid that was starting to dabble into the deeper side of IT. And thats were the rooting came from.

That phone is a trooper. And i genuinely miss when phones were not as fragile as tissue paper.
⁨Comment⁩ on ⁨Some things just refuse to die⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Galaxy s5. That phone fell twice in boiling pasta sauce, survived falling in a cement mixer. And managed to not get corrupted by 13 y.o. me rooting a phone for the fist time. No replacements parts other than a new battery. It still fucking runs.
⁨Comment⁩ on ⁨You mean I can't say 11⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
It’s a logarithmic scale.
⁨Comment⁩ on ⁨Hell Yeah⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
Everything the light touches. But not the light itself. Checkmate.
⁨Comment⁩ on ⁨For me it's $20⁩ ⁨⁨3⁩ ⁨months⁩ ago⁩:
What Americans don’t resort to in order to avoid using the metric system. Smh.

/s