This repository has been archived by the owner on May 20, 2024. It is now read-only.

Proxy Installation

Table of contents

  1. Create the DockerCompose-File
  2. Create a new VLAN in OPNsense
  3. Start container
  4. Connect to the web interface
  5. Log in to the web interface
  6. Create a subdomain with the provider
  7. Create a Proxy "proxy.yourdomain.de"
  8. Create a Proxy "opnsense.yourdomain.de"
  9. Create a Proxy "proxmox.yourdomain.de"



1. Create the DockerCompose-File

We create a new folder called “nginx-proxy-manager” in /opt/stacks.

mkdir /opt/stacks/nginx-proxy-manager

We will now create our docker-compose.yml file in this folder, opening it straight away with “nano” or “vim”:

nano docker-compose.yml

For the contents, see my docker compose file.
I have added comments there that explain the individual settings you can change.



2. Create a new VLAN in OPNsense

You should still be connected via opnsense.yourdomain.de:9443, with the firewall deactivated via the Proxmox WebUI.
If not, please take another look at the OPNsense documentation on the topic: "Configurate the Access about opnsense.yourdomain.de".

Then create a new VLAN as described in the OPNsense documentation.

The VLAN values are as follows:

Device: vlan0.102
Parent: vtnet1
VLAN tag: 102
Description: 102_Proxy



3. Start container

If you are no longer in the folder you previously created, change into it:

cd /opt/stacks/nginx-proxy-manager

To start the container now, use the following command:

docker compose up -d

Note

Explanation of the command
docker is the program
compose addresses the containers defined in docker-compose.yml
up starts them
-d means that they run detached, i.e. in the background


Note

To see which containers are currently running in Docker, use the command: docker ps

Note

If you want to see the logs for a container, go to the folder and run the command: docker compose logs



4. Connect to the web interface

Create temporary firewall rule

We would like to create a temporary firewall rule to access the WebUI via port 81.
To do this, first open OPNsense in the browser: opnsense.yourdomain.de:9443

  • Go to "Firewall > NAT > Port Forward"
  • Create a new NAT rule
    • Interface: WAN
    • Destination: WAN_ADDRESS
    • Destination Port from: (other) 81
    • Destination Port to: (other) 81
    • Redirect Target IP: Proxy-Alias

Now you can access the web interface of your proxy manager via http://yourip:81

Note

You can find all further information in the OPNsense setup documentation.



5. Log in to the web interface

Please use the following data for the first login:

Email address: [email protected]
Password: changeme

You will then be asked to change your user information and the password; I recommend filling this out.
Save and apply everything.



6. Create a subdomain with the provider

In order to access this website, I first create an A record with my domain provider.
Now create all the other subdomains you need following the same pattern.
Here is a list of the subdomains that I will still set up in this documentation:

  • proxmox.yourdomain.de
  • opnsense.yourdomain.de

Create a DNS record for all subdomains as described in the OPNsense documentation.



7. Create a Proxy "proxy.yourdomain.de"

Allowing access from WAN to proxy

  • Open opnsense.yourdomain.de:9443
  • Go to "Firewall > NAT > Port Forward"
  • Create a new NAT rule
    • Interface: WAN
    • Destination: WAN_ADDRESS
    • Destination Port from: http (80)
    • Destination Port to: http (80)
    • Redirect Target IP: Proxy-Alias (10.1.2.2)
    • Redirect Target Port: http (80)
  • Save

Repeat the NAT rule creation, this time with the HTTPS (443) ports.


Add Proxy (proxy.yourdomain.de)

  • Open http://yourip:81
  • Go to "Hosts > Proxy Hosts"
  • Click the green "Add Proxy Host" button
  • Now enter the following values
    • Details-Tab
      • Domain name: proxy.yourdomain.de
      • Scheme: http
      • Forward Hostname / IP: 127.0.0.1
      • Forward Port: 81
      • Websockets Support: True
    • SSL-Tab
      • SSL Certificate: "Request a new SSL Certificate"
      • Force SSL: True
      • HTTP/2 Support: True
      • Email Address for LE: Your email address
      • I Agree to the LE ToS: True
  • Click the Save button

It will now take a while as the SSL certificate is created.
Now delete the temporary NAT rule in OPNsense.

Congratulations. You can now access your NGINX Proxy Manager via proxy.yourdomain.de.
Now we create the proxies for the other domains.
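
To confirm the result of this step from a machine outside your network, the following added example (not part of the original guide) probes the three ports involved. The expected states are taken from the NAT rules above; the host you pass in and the 3-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: check which ports answer on the WAN side after step 7.
# Run it from a machine outside your network: sh check_exposure.sh <host>
# Expected states follow the NAT rules in this guide: 80 and 443 are
# forwarded to the proxy, the temporary rule for 81 has been deleted.
EXPECTED="80:open 443:open 81:closed"

# probe HOST PORT -> prints "open" or "closed".
# Uses bash's /dev/tcp with a 3 s limit, so a silently dropped (filtered)
# port counts as closed. Host and port are passed as arguments, not
# interpolated into the command string.
probe() {
    if timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# check_exposure HOST -> one line per port; returns 1 if any port differs
# from EXPECTED, 0 otherwise.
check_exposure() {
    host=$1
    rc=0
    for spec in $EXPECTED; do
        port=${spec%%:*}
        want=${spec##*:}
        got=$(probe "$host" "$port")
        if [ "$got" = "$want" ]; then
            echo "ok    port $port is $got"
        else
            echo "FAIL  port $port is $got, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Only probe when a host is given on the command line.
if [ "$#" -gt 0 ]; then
    check_exposure "$1"
fi
```

A FAIL line for port 81 means the temporary NAT rule from step 4 is still active.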



8. Create a Proxy "opnsense.yourdomain.de"

We now create access to OPNsense via a subdomain.
The reason is that we then no longer need an SSL tunnel, can leave the firewall permanently activated, and no longer have to enter pfctl -d in the OPNsense console via the Proxmox WebUI.

Allowing access from proxy to OPNsense

  • Open opnsense.yourdomain.de:9443
  • Go to "Firewall > NAT > Port Forward"
  • Create a new NAT rule
    • Interface: Proxy VLAN
    • Destination: PROXY_ADDRESS
    • Destination Port from: (other) 9443 - Your Opnsense WebPort
    • Destination Port to: (other) 9443 - Your Opnsense WebPort
    • Redirect Target IP: 127.0.0.1
    • Redirect Target Port: (other) 9443 - Your Opnsense WebPort
  • Save

Add Proxy (opnsense.yourdomain.de)

  • Open proxy.yourdomain.de
  • Go to "Hosts > Proxy Hosts"
  • Click the green "Add Proxy Host" button
  • Now enter the following values
    • Details-Tab
      • Domain name: opnsense.yourdomain.de
      • Scheme: https
      • Forward Hostname / IP: 10.1.2.1 (OPNsense Gateway)
      • Forward Port: 9443
      • Websockets Support: True
    • SSL-Tab
      • SSL Certificate: "Request a new SSL Certificate"
      • Force SSL: True
      • HTTP/2 Support: True
      • Email Address for LE: Your email address
      • I Agree to the LE ToS: True
  • Click the Save button

It will now take a while as the SSL certificate is created.

Congratulations. You can now access your OPNsense via opnsense.yourdomain.de.
Now you could also close the SSL tunnels and access OPNsense without deactivating the firewall.



9. Create a Proxy "proxmox.yourdomain.de"

We now create access to Proxmox via a subdomain.
Advantage: you no longer have to enter your public IPv4 address in the browser.

Allowing access from proxy to Proxmox

  • Open opnsense.yourdomain.de
  • Go to "Firewall > NAT > Port Forward"
  • Create a new NAT rule
    • Interface: Proxy VLAN
    • Destination: ProxmoxGateway-Alias (10.10.10.0)
    • Destination Port from: (other) 8006
    • Destination Port to: (other) 8006
    • Redirect Target IP: ProxmoxGateway-Alias (10.10.10.0)
    • Redirect Target Port: (other) 8006
  • Save

Add Proxy (proxmox.yourdomain.de)

  • Open proxy.yourdomain.de
  • Go to "Hosts > Proxy Hosts"
  • Click the green "Add Proxy Host" button
  • Now enter the following values
    • Details-Tab
      • Domain name: proxmox.yourdomain.de
      • Scheme: https
      • Forward Hostname / IP: 10.10.10.0 (Proxmox Gateway)
      • Forward Port: 8006
      • Websockets Support: True
    • SSL-Tab
      • SSL Certificate: "Request a new SSL Certificate"
      • Force SSL: True
      • HTTP/2 Support: True
      • Email Address for LE: Your email address
      • I Agree to the LE ToS: True
  • Click the Save button

It will now take a while as the SSL certificate is created.

Congratulations. You can now access your Proxmox via proxmox.yourdomain.de.
We have now set up all three important access paths, each via its own subdomain.
Now we can continue with the next steps at ease.