Categories: Linux, nginx, Virtualization

Nginx Proxmox proxy using a Let's Encrypt SSL cert

Why put nginx in front of Proxmox with a Let's Encrypt certificate?

1st: why not?
2nd: Load balancing! Nginx is built to handle many concurrent connections from a multitude of clients, which makes it ideal as the single point of contact for those clients. It can pass requests to any number of backend servers that do the bulk of the work, spreading the load across your infrastructure, and it lets you add backend servers or take them down for maintenance without the clients noticing.
3rd: Security! Nginx can often be configured to block access to parts of the underlying application, so life doesn't throw you a curveball at 3 AM on December 24th 2006 (don't ask 🙁). In this setup the gain is a publicly trusted certificate on the only exposed port and one place to add controls such as IP allow lists or rate limits.
4th: Port and firewall constraints! Sometimes you need to reach an application on port 34563 but the firewall does not allow random ports. You can accept connections on port 80 (or 443) in nginx and proxy them to the app on 34563.
5th: seriously... why not?

Now you know why we may want nginx as a frontend proxy for the underlying app, so let's set it up for our use case: protecting the Proxmox web UI (which listens on port 8006) from bad actors while giving ourselves reliable access to it. Nginx will redirect all plain HTTP traffic on port 80 to port 443, terminate TLS there with a Let's Encrypt certificate, and proxy the requests to Proxmox on 8006.

Install nginx-light instead of nginx-full: a smaller set of modules and a lighter install. You can install nginx or nginx-full instead if you wish.

apt-get install nginx-light

Remove the default nginx config:

rm /etc/nginx/sites-enabled/default

Create the new config file:

nano /etc/nginx/sites-enabled/default

and add the following:

# Proxmox's web UI listens on 8006 on this host. The original pointed the
# upstream at the public domain name, which would have proxied nginx to itself.
upstream proxmox {
    server 127.0.0.1:8006;
}

server {
    listen 80 default_server;
    server_name _;

    # Serve the Let's Encrypt http-01 challenge over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    # Everything else goes to HTTPS. A server-level "rewrite ... permanent"
    # runs before location matching and would redirect the challenge as well,
    # so the redirect lives in its own location.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # "ssl on;" has been deprecated since nginx 1.15.0; the ssl flag on listen replaces it.
    listen 443 ssl;
    server_name _;
    ssl_certificate /etc/letsencrypt/live/proxmoxdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/proxmoxdomain.com/privkey.pem;
    # Protocol and cipher settings. This file is not shown in this post; it must
    # exist under /etc/nginx or nginx -t fails (drop the line if you have none).
    include ssl-params.conf;
    proxy_redirect off;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        allow all;
    }

    location / {
        # The noVNC and SPICE consoles use WebSockets, hence HTTP/1.1 and the Upgrade headers.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Proxmox serves its own self-signed certificate on 8006; nginx does not
        # verify upstream certificates unless proxy_ssl_verify is enabled.
        proxy_pass https://proxmox;
        proxy_buffering off;
        # No request body limit, so ISO and backup uploads through the UI work.
        client_max_body_size 0;
        # Long timeouts keep console sessions and large uploads alive.
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}

Install git:

apt-get -y install git

Grab a copy of the Let's Encrypt client. (The letsencrypt-auto wrapper has since been retired; the same client is now packaged as certbot, and apt-get install certbot followed by certbot certonly --webroot -w /var/www/html -d proxmoxdomain.com is the equivalent of the commands below.)

git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Get the certs. Two things have to be true for the webroot challenge to succeed: nginx must be serving /var/www/html on port 80, because the challenge file is fetched over plain HTTP, and nginx must actually be running. This post does not reload nginx until the very end, so the still-running default config (whose document root is also /var/www/html) answers the challenge. If you reload earlier, nginx will reject the new config because the certificate files it references do not exist yet; in that case comment out the 443 server block until the certificate has been issued, then put it back.

cd /opt/letsencrypt
./letsencrypt-auto certonly -a webroot --webroot-path=/var/www/html -d proxmoxdomain.com

Specify your email when asked; Let's Encrypt uses it for expiry warnings and account recovery. Agree to the terms of service.

You will get 4 files from this:

  • cert.pem: Your domain's certificate
  • chain.pem: The Let's Encrypt intermediate (chain) certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: Your certificate's private key

These files are located in

  • /etc/letsencrypt/live/proxmoxdomain.com

The entries there are symlinks to the latest versions under /etc/letsencrypt/archive, so the paths in the nginx config stay valid across renewals.

Now that your certs are in place, validate the config with nginx -t, then restart nginx (a reload is enough) and you are live:

service nginx restart

or

systemctl restart nginx
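As an added example (not part of the original post), here is a pre-flight check for the site file that catches the mistakes discussed above before nginx does: the deprecated ssl on, a 443 listener without the ssl flag, a server-level rewrite that fires before the .well-known location is ever chosen, certificate paths that do not exist yet, and an upstream block that nothing references. It assumes only sh, grep and awk; the file name check_proxy_conf.sh is my choice.

```shell
#!/bin/sh
# Pre-flight check for an nginx reverse-proxy site file like the one above.
# Not part of the original post. It looks for the pitfalls discussed in the text
# and exits with the number of findings (0 = clean), one finding per line on stdout.
# Usage: sh check_proxy_conf.sh /etc/nginx/sites-enabled/default

check_proxy_conf() {
    conf="$1"
    findings=0

    # 1. "ssl on;" has been deprecated since nginx 1.15.0; "listen 443 ssl;" replaces it.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' directive; use 'listen 443 ssl;' instead"
        findings=$((findings + 1))
    fi

    # 2. A listen on 443 without the ssl flag makes nginx speak plaintext HTTP there.
    if grep -E '^[[:space:]]*listen[[:space:]]' "$conf" \
        | grep -E '(^|[[:space:]:])443([[:space:]]|;)' \
        | grep -Evq '[[:space:]]ssl([[:space:]]|;)'; then
        echo "'listen 443' without the ssl flag: port 443 would serve plaintext HTTP"
        findings=$((findings + 1))
    fi

    # 3. rewrite/return directly inside server{} (brace depth 1) runs before any
    #    location is chosen, so it redirects /.well-known/acme-challenge/ as well.
    if awk '
        /[{]/ { depth++ }
        depth == 1 && /^[ \t]*(rewrite|return)[ \t]/ { hit = 1 }
        /[}]/ { depth-- }
        END { exit hit ? 0 : 1 }' "$conf"; then
        echo "server-level rewrite/return shadows the .well-known location; move the redirect into 'location /'"
        findings=$((findings + 1))
    fi

    # 4. nginx refuses to load while ssl_certificate / ssl_certificate_key point at
    #    missing files, which is the chicken-and-egg problem on first issuance.
    for path in $(awk '/^[ \t]*ssl_certificate(_key)?[ \t]/ { sub(/;.*/, "", $2); print $2 }' "$conf"); do
        if [ ! -f "$path" ]; then
            echo "$path does not exist: nginx -t fails until the certificate is issued"
            findings=$((findings + 1))
        fi
    done

    # 5. An upstream{} block that no proxy_pass references is dead config
    #    (the original post defined one and then proxied to localhost directly).
    for name in $(awk '/^[ \t]*upstream[ \t]/ { sub(/[{].*/, "", $2); print $2 }' "$conf"); do
        if ! grep -Eq "proxy_pass[[:space:]]+https?://$name([[:space:]/;]|\$)" "$conf"; then
            echo "upstream '$name' is defined but no proxy_pass uses it"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# Run against the file named on the command line.
if [ -n "${1:-}" ]; then
    check_proxy_conf "$1"
fi
```

This is a heuristic over the directives this post uses, not an nginx parser; run nginx -t after it, since only nginx can tell you whether the config actually loads. On the config as originally posted it reports all five problems; on the corrected config above it reports none once the certificate files exist.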
Categories: General, Linux, nginx, shell

Let's Encrypt SSL cert for Mumble

I needed to set up a Mumble server for a friend's Minecraft community. Mumble uses a client-server architecture: users connect to the same server and talk to each other through it. It has a very simple administrative interface and offers high sound quality and low latency where possible. All communication is encrypted to protect user privacy, using either a self-signed cert or one bought from a vendor. The great thing about Mumble is that it is free and open-source software, cross-platform, and released under the new BSD license. Since Let's Encrypt provides completely free certificates, it seemed the perfect fit, so I set out to get a Let's Encrypt SSL cert for Mumble.

First we need the Let's Encrypt client; for this you need git.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --standalone-supported-challenges tls-sni-01

(Note: the tls-sni-01 challenge requested above was retired by Let's Encrypt in 2019, so that flag no longer works. The client has since been renamed certbot, and the equivalent today is certbot certonly --standalone, which answers the http-01 challenge itself on port 80, so that port has to be free while it runs.) A text/curses dialogue will start and ask for the domain(s) you want a cert for. For multiple domains or subdomains at once, separate them with a space or a comma. Follow the prompts and the cert will be installed as /etc/letsencrypt/live/<domain>/cert.pem, with privkey.pem, chain.pem and fullchain.pem beside it. So far so good! Now you need to install murmur (mumble-server) on your machine. I would like to tell you how, but packaging changes over time, so the best way is to check the official Mumble wiki for instructions for your OS. On Ubuntu I used the following commands:

sudo add-apt-repository ppa:mumble/release
sudo apt-get update
sudo apt-get install mumble-server
sudo dpkg-reconfigure mumble-server

Now let's set up the Mumble server to use the certs we acquired earlier. Edit /etc/mumble-server.ini (I prefer nano, but that's because I am a pleb; you may be a super 1337 operator who uses vi or vim or edits the 1s and 0s directly on the drive platters). Find the following keys and edit them, adding them if they don't exist or uncommenting them if they are commented out:

sslCert=/etc/letsencrypt/live/<domain>/cert.pem
sslKey=/etc/letsencrypt/live/<domain>/privkey.pem
sslCA=/etc/letsencrypt/live/<domain>/fullchain.pem

The sslCA key may not exist in the file yet; that's fine. It supplies the intermediate certificate chain, which is what lets Mumble clients validate the Let's Encrypt cert (fullchain.pem works; chain.pem, which holds only the intermediate, is the more precise choice). One last issue to resolve before mumble-server will start: the certificate files are readable by root only. The way I resolved this is to change the group on the files and folders; the account mumble-server runs as has to be a member of that group for this to work. You may have a better solution, please share it in the comments.

chgrp -R ssl-cert /etc/letsencrypt
chmod -R g=rX /etc/letsencrypt

Two caveats with this approach: every member of ssl-cert can now read every private key under /etc/letsencrypt, and a renewal writes new files under /etc/letsencrypt/archive which, depending on the client version, do not necessarily inherit the group, so verify the permissions after the first renewal or set them from a renewal hook. Now start mumble-server with service mumble-server restart, or whatever your OS accepts, and voilà! You are up and running with a valid Let's Encrypt SSL cert for Mumble 🙂 If you have questions, comments, or a better way of doing this, please let me know.
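Instead of opening /etc/letsencrypt to a group, a deploy hook can hand the service its own copy of the key. The script below is an added example, not the post's own method: certbot runs it after every successful issuance or renewal with RENEWED_LINEAGE set to the lineage directory, and it copies the three files into a directory the service owns, with mode 0640, never leaving a half-written key visible. The destination /etc/mumble-server/ssl and the user and group mumble-server are assumptions for the Debian/Ubuntu package; sslCert, sslKey and sslCA in /etc/mumble-server.ini then point at the copies rather than at /etc/letsencrypt.

```shell
#!/bin/sh
# certbot --deploy-hook for mumble-server. Added example, not the post's own code.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>) to deploy
# hooks; the destination, user and group below are assumptions for the
# Debian/Ubuntu mumble-server package and can be overridden from the environment.
#
# Install with:
#   certbot certonly --standalone -d <domain> --deploy-hook /usr/local/sbin/mumble-cert-hook.sh
# and in /etc/mumble-server.ini:
#   sslCert=/etc/mumble-server/ssl/cert.pem
#   sslKey=/etc/mumble-server/ssl/privkey.pem
#   sslCA=/etc/mumble-server/ssl/fullchain.pem

MUMBLE_SSL_DIR="${MUMBLE_SSL_DIR:-/etc/mumble-server/ssl}"   # assumption
MUMBLE_USER="${MUMBLE_USER:-mumble-server}"                    # assumption
MUMBLE_GROUP="${MUMBLE_GROUP:-mumble-server}"                  # assumption

# install_mumble_certs LINEAGE DEST: copy cert.pem, privkey.pem and fullchain.pem
# from LINEAGE into DEST with mode 0640, one atomic rename per file.
# Returns 1 without touching DEST if any source file is missing.
install_mumble_certs() {
    lineage="$1"
    dest="$2"
    for f in cert.pem privkey.pem fullchain.pem; do
        if [ ! -r "$lineage/$f" ]; then
            echo "install_mumble_certs: $lineage/$f is missing or unreadable" >&2
            return 1
        fi
    done
    mkdir -p "$dest"
    chmod 0750 "$dest"
    for f in cert.pem privkey.pem fullchain.pem; do
        # cp follows the live/ symlink, so the copy holds the current archive file.
        # Write under a temporary name, fix the mode, then rename: murmur never
        # observes a partially written key.
        cp "$lineage/$f" "$dest/.$f.tmp"
        chmod 0640 "$dest/.$f.tmp"
        mv -f "$dest/.$f.tmp" "$dest/$f"
    done
    # certbot runs hooks as root; only then can ownership be handed to the service user.
    if [ "$(id -u)" -eq 0 ] && id "$MUMBLE_USER" >/dev/null 2>&1; then
        chown -R "$MUMBLE_USER:$MUMBLE_GROUP" "$dest"
    else
        echo "install_mumble_certs: not root or no user $MUMBLE_USER; ownership left unchanged" >&2
    fi
    return 0
}

# file_mode PATH: print the octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Entry point when certbot invokes the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_mumble_certs "$RENEWED_LINEAGE" "$MUMBLE_SSL_DIR" || exit 1
    # murmur reads the certificate at start-up, so restart it after a renewal.
    systemctl restart mumble-server
fi
```

Because the hook is registered in the renewal config, certbot runs it on every automatic renewal, so the permissions stay correct without anyone remembering to re-run chgrp, and nothing but root ever reads /etc/letsencrypt.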


Categories: Updates/Software

Heartbleed strikes again! New vulnerabilities patched by the OpenSSL team

OpenSSL has not caught a break since Heartbleed (CVE-2014-0160) appeared this spring, and today's batch of fixes touches every branch (0.9.8, 1.0.0, 1.0.1 and 1.0.2). Despite the headline, the worst of the new bugs is not Heartbleed itself: CCS Injection (CVE-2014-0224) is a separate flaw in the same library that came to light in the scrutiny that followed it.

CCS Injection is the most serious bug of the batch, and the OpenSSL team rates it as such. The updated releases were published today: 0.9.8za, 1.0.0m and 1.0.1h carry the fix, while the 1.0.2 beta is still vulnerable and has not yet received an update.

Anyone running a vulnerable OpenSSL is advised to upgrade as soon as possible. Note that Linux distributions usually backport the fix without changing the version string, so check your distribution's advisory and package changelog rather than the output of openssl version alone.

CCS Injection is a flaw in OpenSSL's handling of the ChangeCipherSpec message. A man-in-the-middle can inject ChangeCipherSpec into the handshake before the key exchange has completed, so both sides derive their session keys from a known, empty premaster secret. The attacker can then decrypt and tamper with everything in that session, including authentication data, whether it is web browsing, VPN or e-mail traffic. The attack requires both ends to be vulnerable: OpenSSL clients of every version are affected, but servers only when running 1.0.1 or later. An attacker can hijack an authenticated session but cannot extract the private key, unless the key itself was sent over a connection protected only by the broken session.

Source: Cloudflare