Reverse Proxy Configuration

Malfurious edited this page Sep 11, 2017 · 3 revisions

Reverse Proxy Configuration w/ LetsEncrypt

1. Run linuxserver/letsencrypt

For this guide, we will be using Linuxserver.io's LetsEncrypt docker. Before we begin, make sure that ports 80 & 443 are not in use on your server and are being forwarded from your router. If using Unraid, you will have to use different ports because of Unraid's built-in webserver. In this case, I use ports 8000 and 4430. Then I just have my router forward ports 80 & 443 from the internet to 8000 & 4430 on my Unraid server.

Environment variables

Variable         Description                           Type      Default value
PUID             User ID for permissions               optional  991
PGID             Group ID for permissions              optional  991
EMAIL            E-Mail address for cert registration  required  null
URL              Base Domain (domain.com)              required  null
SUBDOMAINS       Subdomains separated by commas        required  null
ONLY_SUBDOMAINS  Only get certs for subdomains         required  true
DHLEVEL          Diffie Hellman bit value              optional  2048

docker run -d --name=letsencrypt \
  -v /mnt/docker/nginx/certs:/config -p 80:80 -p 443:443 \
  -e EMAIL=admin@domain.com -e URL=domain.com -e SUBDOMAINS="mail,postfix,webmail,spam" -e ONLY_SUBDOMAINS=true \
  -e DHLEVEL=2048 linuxserver/letsencrypt

Inspect the logs; if all goes well, they should contain a message congratulating you.

Configuring DNS Records

For each subdomain you wish to add a reverse proxy with SSL for, you need to add a DNS record to your domain. You can use 'A' records to point individual subdomains to the main domain. For example, if I wanted to set an 'A' record for my webmail subdomain, it would look like this:

HOSTNAME  CLASS  TYPE  PRIORITY  VALUE
webmail   IN     A     any       1.2.3.4

You will want to do this for each subdomain you want to forward/reverse proxy.

Configuring the Reverse Proxy

In the /config volume that you mounted to the container, go into the nginx folder, then site-confs. Open the file 'default' for editing. Delete everything inside the file, and modify the example below for your needs. This example only shows one server block for the Webmail client. Simply copy the block and paste below it to create another, only modifying the 'server_name' and 'proxy_pass' properties to match your services.

# Catch-all on port 80: redirect every request to https on the same host and path
server {
	listen 80;
	server_name _;
	return 301 https://$host$request_uri;
}

# One block like this per subdomain/service; only server_name and proxy_pass change
server {
	listen 443 ssl;

	server_name webmail.domain.com;

	# Certificate, key and DH parameters written by the letsencrypt container
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	# 0 disables nginx's request body size limit
	client_max_body_size 0;

	location / {
		include /config/nginx/proxy.conf;
		proxy_pass http://<server_ip>:8888;
	}
}

The top block redirects all http traffic to SSL secured https, passing along the subdomain it received. Each server block below will be for a different subdomain. For example, to make a server block for Postfixadmin, copy the last block, change the 'server_name webmail.domain.com;' to 'server_name postfix.domain.com;'. Then change 'proxy_pass http://<server_ip>:8888;' to 'proxy_pass http://<server_ip>:8080;'. Rinse and repeat for each subdomain/service. If you properly forwarded those subdomains, you should be able to reach the services from outside your home.

For an example file containing all server blocks for my mailserver + roundcube-postfixadmin dockers, go to the link below:

https://github.com/Malfurious/docker-examples/blob/master/reverse-proxy-example
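As an added example (not code from this wiki page or from the linked docker-examples repository), the Python script below builds both the 'A' records from the DNS section and the nginx site config from the Reverse Proxy section out of one subdomain-to-port mapping, so adding a service means adding one dictionary entry instead of copy-pasting a server block. The domain, public IP, backend IP (standing in for <server_ip>) and ports are constructed sample values, and the cipher string is truncated to the first entries of the list above and must be replaced with the full one. It also runs the check a practitioner wants before reloading nginx: every proxy_pass sits in a 'listen 443 ssl' block that has server_name, certificate, key and dhparam set, and the only plain-HTTP block is the redirect.

```python
"""Generate DNS 'A' records and the nginx site config for reverse-proxied subdomains.

Added example, not code from the wiki page or the linked docker-examples repository.
It emits the same shape of config as the hand-edited 'default' file above, from one
mapping, and checks the result before it is reloaded into nginx.
"""
import re

# Constructed sample values (placeholders, not real hosts or addresses).
DOMAIN = "domain.com"
PUBLIC_IP = "1.2.3.4"       # address your router forwards 80/443 from (DNS target)
BACKEND_IP = "192.0.2.10"   # stands in for <server_ip> in the wiki's proxy_pass
SERVICES = {                # subdomain -> port the service's container listens on
    "webmail": 8888,
    "postfix": 8080,
}
# First entries of the wiki's ssl_ciphers list only; paste the full string here.
CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5"
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label


def dns_records(services, public_ip):
    """One 'A' record per subdomain, as (hostname, class, type, value)."""
    return [(sub, "IN", "A", public_ip) for sub in services]


def http_redirect_block():
    """Port-80 catch-all that sends every request to https on the same host."""
    return ("server {\n\tlisten 80;\n\tserver_name _;\n"
            "\treturn 301 https://$host$request_uri;\n}\n")


def https_server_block(subdomain, domain, backend_ip, port, ciphers=CIPHERS):
    """One TLS-terminating server block, mirroring the wiki's webmail block."""
    if not LABEL_RE.match(subdomain):
        raise ValueError(f"invalid DNS label: {subdomain!r}")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port: {port!r}")
    return (
        "server {\n"
        "\tlisten 443 ssl;\n"
        f"\tserver_name {subdomain}.{domain};\n"
        "\tssl_certificate /config/keys/letsencrypt/fullchain.pem;\n"
        "\tssl_certificate_key /config/keys/letsencrypt/privkey.pem;\n"
        "\tssl_dhparam /config/nginx/dhparams.pem;\n"
        f"\tssl_ciphers '{ciphers}';\n"
        "\tssl_prefer_server_ciphers on;\n"
        "\tclient_max_body_size 0;\n"
        "\tlocation / {\n"
        "\t\tinclude /config/nginx/proxy.conf;\n"
        f"\t\tproxy_pass http://{backend_ip}:{port};\n"
        "\t}\n"
        "}\n"
    )


def render_site_config(services, domain=DOMAIN, backend_ip=BACKEND_IP):
    """Full contents for /config/nginx/site-confs/default."""
    blocks = [http_redirect_block()]
    blocks += [https_server_block(sub, domain, backend_ip, port)
               for sub, port in services.items()]
    return "\n".join(blocks)


# Top-level server blocks only: nested closing braces are indented, so '\n}' ends a block.
_BLOCK_RE = re.compile(r"server\s*\{(.*?)\n\}", re.S)


def check_site_config(text):
    """Return a list of problems (empty list means the config passes the checks)."""
    problems = []
    for body in _BLOCK_RE.findall(text):
        if "listen 80;" in body:
            if "proxy_pass" in body:
                problems.append("plain-HTTP server block forwards traffic instead of redirecting")
            if "return 301 https://" not in body:
                problems.append("port-80 server block does not redirect to https")
        elif "listen 443 ssl;" in body:
            for directive in ("server_name ", "ssl_certificate ", "ssl_certificate_key ",
                              "ssl_dhparam ", "proxy_pass "):
                if directive not in body:
                    problems.append(f"TLS server block is missing {directive.strip()}")
        else:
            problems.append("server block with neither 'listen 80;' nor 'listen 443 ssl;'")
    return problems


if __name__ == "__main__":
    for host, cls, typ, value in dns_records(SERVICES, PUBLIC_IP):
        print(f"{host:<10}{cls:<4}{typ:<4}{value}")
    config = render_site_config(SERVICES)
    print(config)
    print("problems:", check_site_config(config) or "none")
```

Run it, paste the printed config over the 'default' file and the printed records into your DNS provider. The checker is deliberately strict about the port-80 block: a server block that listens on 80 and carries a proxy_pass would serve the application over plain HTTP, which is exactly what the redirect block exists to prevent.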

Mailserver SSL Cert Configuration

If you want to use the SSL certificates generated from this docker with my mailserver docker (malfurious/mailserver), you will need to do a few steps.

  1. In the directory mounted for this docker, create a folder called 'live'.
  2. Inside that folder, create another folder named after your mailserver hostname (mail.domain.com).
  3. Back in the root folder, go into the keys folder, then letsencrypt. Copy all files in this folder.
  4. Paste them inside the live -> mail.domain.com folder.
  5. Add the LetsEncrypt root folder as a read-only mounted volume on the mailserver docker.
  6. Start the mailserver docker. If done correctly, the docker's logs should report that it found keys for the domain.
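Steps 1 to 4 as a script, added here as an example (not code from the wiki or from the malfurious/mailserver project): it creates live/<hostname> under the letsencrypt config root, refuses to proceed unless fullchain.pem and privkey.pem (the two files the nginx config above also references) are present, copies every file from keys/letsencrypt into the new folder, and returns what it copied. The hostname mail.domain.com comes from the steps above; the cert.pem/chain.pem/fullchain.pem/privkey.pem names used by the demo are constructed placeholders written into a temporary directory so the script runs offline. Steps 5 and 6 (mounting and starting the container) are not part of it.

```python
"""Stage the Let's Encrypt files for the mailserver container (steps 1-4 above).

Added example, not code from the wiki page or the malfurious/mailserver project.
It creates live/<hostname> under the letsencrypt config root, checks that the two
files the nginx config also relies on are present, copies everything from
keys/letsencrypt into the new folder and reports what it copied.  demo() builds a
throwaway tree of constructed placeholder files so the script runs offline.
"""
from pathlib import Path
import shutil
import tempfile

REQUIRED = ("fullchain.pem", "privkey.pem")  # same files the nginx server blocks reference
# Constructed file set for the demo; real contents come from the letsencrypt container.
PLACEHOLDER_NAMES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def stage_mail_certs(config_root, hostname):
    """Copy keys/letsencrypt/* to live/<hostname>/ and return the copied file names."""
    root = Path(config_root)
    src = root / "keys" / "letsencrypt"
    if not src.is_dir():
        raise FileNotFoundError(f"{src} not found: has the letsencrypt container run successfully?")
    missing = [name for name in REQUIRED if not (src / name).is_file()]
    if missing:
        raise FileNotFoundError(f"{src} is missing {missing}: check the container logs")
    dest = root / "live" / hostname
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for path in sorted(src.iterdir()):
        if path.is_file():
            # copy2 dereferences symlinks, so the mailserver gets real files even when
            # the source entries are links; it mounts this folder read-only (step 5).
            shutil.copy2(path, dest / path.name)
            copied.append(path.name)
    return copied


def _build_demo_tree(root, names=PLACEHOLDER_NAMES):
    """Write constructed placeholder files where the container would put its keys."""
    src = Path(root) / "keys" / "letsencrypt"
    src.mkdir(parents=True)
    for name in names:
        (src / name).write_text(f"constructed placeholder for {name}\n")


def demo(hostname="mail.domain.com"):
    """Stage a constructed sample tree; returns (copied names, names now in live/<hostname>)."""
    with tempfile.TemporaryDirectory() as tmp:
        _build_demo_tree(tmp)
        copied = stage_mail_certs(tmp, hostname)
        present = sorted(p.name for p in (Path(tmp) / "live" / hostname).iterdir())
        return copied, present


def demo_missing_key(hostname="mail.domain.com"):
    """Same tree without privkey.pem; returns the error message the check raises."""
    with tempfile.TemporaryDirectory() as tmp:
        _build_demo_tree(tmp, names=("cert.pem", "fullchain.pem"))
        try:
            stage_mail_certs(tmp, hostname)
        except FileNotFoundError as err:
            return str(err)
        return None


if __name__ == "__main__":
    print(demo())
    print(demo_missing_key())
```

Against a real install, call stage_mail_certs("/mnt/docker/nginx/certs", "mail.domain.com") with the path you mounted as /config. Because the files are copied rather than linked, live/mail.domain.com is a snapshot: when the letsencrypt container renews the certificate into keys/letsencrypt, run the staging again and restart the mailserver docker so it picks up the new files.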

Setup Complete!