
PROD-PROXY-01 (NGINX)

Configure a static IP address, then update system packages

sudo vim /etc/netplan/50-cloud-init.yaml
:%d [ENTER]  (clears the existing file contents before pasting the config below)
# Static address for the proxy host on its single NIC (enp6s18).
network:
  version: 2
  ethernets:
    enp6s18:
      dhcp4: no
      addresses:
        - 192.168.8.5/22
      # NOTE(review): gateway4 is deprecated on newer netplan releases in
      # favour of a routes: entry — confirm it is still accepted on this host.
      gateway4: 192.168.8.1
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
sudo netplan apply

Reboot the server and log in using 192.168.8.4

sudo apt update && sudo apt upgrade -y

Enable basic firewall rules (these allow rules only take effect while ufw is active; make sure an SSH allow rule exists before enabling ufw on a remote host):

sudo ufw allow 80
sudo ufw allow 443
sudo ufw reload
sudo ufw status

Install Nginx

sudo apt install nginx -y

Test Nginx Installation:

Open a browser:

http://192.168.8.5

Or run:

curl http://192.168.8.5

Enable Nginx to start on boot

sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx

Install Certbot and Cloudflare DNS Plugin

Install Certbot together with its Nginx plugin:

sudo apt install python3-certbot-nginx -y

Install the Cloudflare DNS authenticator plugin used for the DNS-01 challenge:

sudo apt install python3-certbot-dns-cloudflare -y

Create a Cloudflare API credentials file

sudo nano /etc/letsencrypt/cloudflare.ini

Add the following content to the file, substituting your own Cloudflare API token for the placeholder:

dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN

Restrict the file so only root can read it, since it holds the API token (the editor may have created it world-readable):

sudo chmod 600 /etc/letsencrypt/cloudflare.ini

Obtain SSL Certificates

Issue Certificate for udmse:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d udmse.aspireclan.com

Check the certificate:

sudo openssl x509 -text -noout -in /etc/letsencrypt/live/udmse.aspireclan.com/fullchain.pem | grep -A 1 "Subject Alternative Name"

Issue Certificate for pve:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d pve.aspireclan.com

Check the certificate:

sudo openssl x509 -text -noout -in /etc/letsencrypt/live/pve.aspireclan.com/fullchain.pem | grep -A 1 "Subject Alternative Name"

Issue Certificate for acfw:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d acfw.aspireclan.com

Check the certificate:

sudo openssl x509 -text -noout -in /etc/letsencrypt/live/acfw.aspireclan.com/fullchain.pem | grep -A 1 "Subject Alternative Name"

Issue Certificate for nas:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d nas.aspireclan.com

Check the certificate:

sudo openssl x509 -text -noout -in /etc/letsencrypt/live/nas.aspireclan.com/fullchain.pem | grep -A 1 "Subject Alternative Name"

Issue Certificate for dhcp:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d dhcp.aspireclan.com

Check the certificate:

sudo openssl x509 -text -noout -in /etc/letsencrypt/live/dhcp.aspireclan.com/fullchain.pem | grep -A 1 "Subject Alternative Name"

Configure Nginx for Reverse Proxy

Create a new Nginx configuration file:

sudo nano /etc/nginx/sites-available/prod-proxy-01.conf

Add this proxy setup:

server {
  listen 443 ssl;
  server_name udmse.aspireclan.com;
  
  # Certificate issued by certbot (dns-cloudflare plugin) in the steps above.
  # NOTE(review): no ssl_protocols/ssl_ciphers are set, so the nginx build
  # defaults apply to the client-facing TLS.
  ssl_certificate /etc/letsencrypt/live/udmse.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/udmse.aspireclan.com/privkey.pem;
  
  location / {
      proxy_pass https://192.168.8.1; # Backend IP for udmse
      # The upstream certificate is not checked, so this hop only protects
      # against passive sniffing on the LAN, not against an impersonated
      # backend; acceptable for a self-signed device cert on a trusted segment.
      proxy_ssl_verify off; # Disable SSL verification for UDMSE
      
      # WebSocket pass-through. NOTE(review): Connection "upgrade" is sent on
      # every request, not only when the client asked for an upgrade; the
      # usual pattern is a map on $http_upgrade in the http block.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # Forward the original host and client address so the backend logs
      # the real client rather than the proxy.
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }
}

server {
  listen 443 ssl;
  server_name pve.aspireclan.com;

  ssl_certificate /etc/letsencrypt/live/pve.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/pve.aspireclan.com/privkey.pem;

  location / {
      proxy_pass https://192.168.8.23:8006; # Backend IP for pve (Proxmox web UI on 8006)
      # Upstream cert is not verified; the proxy accepts any certificate
      # presented by 192.168.8.23, so only passive sniffing is mitigated.
      proxy_ssl_verify off; # Disable SSL verification for Proxmox self-signed cert

      # WebSocket pass-through (noVNC/console sessions need this).
      # NOTE(review): Connection "upgrade" is sent unconditionally; see udmse block.
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }
}

server {
  listen 443 ssl;
  server_name acfw.aspireclan.com;

  ssl_certificate /etc/letsencrypt/live/acfw.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/acfw.aspireclan.com/privkey.pem;

  location / {
      # Backend for acfw. This address is outside the proxy's own
      # 192.168.8.0/22 subnet, so it must be reachable via the gateway.
      proxy_pass https://192.168.2.1; # Backend IP for acfw
      # Upstream cert is not verified. NOTE(review): the "Proxmox" wording was
      # carried over from the pve block; presumably 192.168.2.1 also serves a
      # self-signed cert — confirm.
      proxy_ssl_verify off; # Disable SSL verification for self-signed backend cert

      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }
}

server {
  listen 443 ssl;
  server_name nas.aspireclan.com;

  ssl_certificate /etc/letsencrypt/live/nas.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/nas.aspireclan.com/privkey.pem;

  location / {
      proxy_pass https://192.168.8.20:5001; # Backend IP for nas (HTTPS on 5001)
      # Upstream cert is not verified. NOTE(review): the "Proxmox" wording was
      # carried over from the pve block; presumably the NAS uses a self-signed
      # cert — confirm.
      proxy_ssl_verify off; # Disable SSL verification for self-signed backend cert

      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }
}

server {
  listen 443 ssl;
  server_name dhcp.aspireclan.com;

  ssl_certificate /etc/letsencrypt/live/dhcp.aspireclan.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/dhcp.aspireclan.com/privkey.pem;

  location / {
      # Plain-HTTP backend: TLS terminates here and traffic to 192.168.8.2:8000
      # crosses the LAN unencrypted.
      proxy_pass http://192.168.8.2:8000; # Backend IP for dhcp
      # No effect for an http:// upstream (there is no upstream TLS to
      # verify); kept only for parity with the other blocks.
      proxy_ssl_verify off;

      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
  }
}

# Permanent redirect of plain-HTTP requests for pve to HTTPS.
server {
  listen 80;
  server_name pve.aspireclan.com;
  return 301 https://$host$request_uri;
}

# Permanent redirect of plain-HTTP requests for udmse to HTTPS.
server {
  listen 80;
  server_name udmse.aspireclan.com;
  return 301 https://$host$request_uri;
}

# Permanent redirect of plain-HTTP requests for acfw to HTTPS.
server {
  listen 80;
  server_name acfw.aspireclan.com;
  return 301 https://$host$request_uri;
}

# Permanent redirect of plain-HTTP requests for nas to HTTPS.
server {
  listen 80;
  server_name nas.aspireclan.com;
  return 301 https://$host$request_uri;
}

# Permanent redirect of plain-HTTP requests for dhcp to HTTPS.
server {
  listen 80;
  server_name dhcp.aspireclan.com;
  return 301 https://$host$request_uri;
}

Save and enable the configuration:

sudo ln -s /etc/nginx/sites-available/prod-proxy-01.conf /etc/nginx/sites-enabled/

Test and reload Nginx:

sudo nginx -t
sudo systemctl reload nginx

[OPTIONAL] Restart Nginx:

sudo systemctl restart nginx

Configure Home Lab DNS

Add Internal DNS Records:


udmse.aspireclan.com --> 192.168.8.50


pve.aspireclan.com --> 192.168.8.50

Test DNS Resolution:

dig udmse.aspireclan.com
dig pve.aspireclan.com

Automate SSL Certificate Renewal

Test certificate renewal manually:

sudo certbot renew --dry-run

Certbot automatically adds a renewal timer to the system. Verify it:

sudo systemctl list-timers | grep certbot

Ensure Nginx reloads after each renewal (otherwise it keeps serving the old certificate until the next restart):

Create a deploy hook script:

sudo nano /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh

Add:

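#!/bin/bash
# Certbot deploy hook: runs (as root) after a certificate is renewed so that
# Nginx picks up the new files under /etc/letsencrypt/live/.
# Exits non-zero — and so is reported as a failed hook in the renewal log —
# if the configuration test or the reload fails.
set -euo pipefail

# Validate the config before reloading: a reload against a broken config
# would fail anyway, but the test makes the cause visible in the log.
nginx -t
systemctl reload nginx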

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh