How to encrypt Proxmox UI with LetsEncrypt and Docker

We have Docker on the host system with nginx-proxy, which secures everything with SSL, but only for containers.
For sure we could set up LetsEncrypt on the host system, but I chose the Docker way :)

To do that we need an nginx container that proxies requests to Proxmox, to the host system, or to anything else that is not running under Docker. In this example we'll also make the router configurable through an external domain over SSL, without exposing the router's ports to the world.
docker-compose.yml:
nginx-local:
  restart: on-failure:5
  image: nginx
  expose:
    - 80
  environment:
    - "VIRTUAL_HOST=pve.example.com,tplink.example.com"
    - "LETSENCRYPT_HOST=pve.example.com,tplink.example.com"
    - "LETSENCRYPT_EMAIL=email@example.com"
  volumes:
    - ./local-config:/etc/nginx/conf.d

In local-config I have a default.conf file:
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}

# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}

access_log off;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";

server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        return 503;
}

# pve.example.com
server {
        server_name pve.example.com;
        listen 80;
        location / {
                proxy_pass https://192.168.0.10:8006/;
        }
}

# tplink.example.com
server {
        server_name tplink.example.com;
        listen 80;
        location / {
                proxy_pass http://192.168.0.1/;
        }
}
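As an added example, not part of the original post: the pve.example.com block from above next to a hardened replacement for it. The original makes nginx trust whatever answers on 192.168.0.10:8006 (nginx does not verify upstream certificates unless told to), and sends Upgrade without a matching Connection header, which the noVNC and xterm.js console websockets need. The CA path and proxy_ssl_name are assumptions: pve-root-ca.pem is a copy of the node's /etc/pve/pve-root-ca.pem placed in ./local-config, and "pve" stands for the hostname the node certificate was issued to.

```nginx
# Websocket support for the noVNC / xterm.js consoles: Upgrade alone is not
# enough, the Connection header must say "upgrade" as well. Both lines belong
# at the top of default.conf next to the other proxy_set_header lines:
# proxy_set_header does not merge across levels, so a single proxy_set_header
# inside a location would silently drop Host, Upgrade and X-Forwarded-* there.
map $http_upgrade $proxy_connection {
    default upgrade;
    ''      close;
}
proxy_set_header Connection $proxy_connection;

# Before (as in the post): nginx never verifies the upstream certificate, so
# anything that answers on 192.168.0.10:8006 is accepted as the Proxmox node.
server {
    server_name pve.example.com;
    listen 80;
    location / {
        proxy_pass https://192.168.0.10:8006/;
    }
}

# After (replaces the block above): the node's certificate is checked against
# the node's own CA. Assumptions: ./local-config/pve-root-ca.pem is a copy of
# /etc/pve/pve-root-ca.pem taken from the node (it lands under
# /etc/nginx/conf.d/ through the volume in docker-compose.yml; nginx only
# loads *.conf from there, so the .pem is not parsed as config), and the node
# certificate was issued for the hostname "pve".
server {
    server_name pve.example.com;
    listen 80;
    location / {
        proxy_pass https://192.168.0.10:8006/;

        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/conf.d/pve-root-ca.pem;
        proxy_ssl_server_name         on;   # send SNI to the node
        proxy_ssl_name                pve;  # name the certificate must match
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    }
}
```

If the node certificate is regenerated (for example with pvecm updatecerts), nothing changes here as long as it is still issued by the same pve-root-ca.pem; only a new CA needs to be copied again.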

