I have two Raspberry Pi servers running. These were set up with DietPi. One server is used as a NextCloud server. The other (new) server is running weewx. Both use lighttpd as the web server. Each operates under a different domain, my.domain.com and my.otherdomain.com.
My router has a single IP address and I use port forwarding to access both servers. The NextCloud server (my.domain.com) has SSL enabled using dietpi-letsencrypt. I cannot run certbot on my.otherdomain.com because I only have one public IP address.
I enabled mod-proxy on my Nextcloud machine (my.domain.com) and it forwards requests for my.otherdomain.com to the weewx machine. I disabled port forwarding on the router to the weewx machine. However, dietpi-letsencrypt cannot generate an SSL certificate for the weewx machine - the challenges fail.
I guess my reverse proxy settings are wrong. Searching the Internet for answers has been challenging. Here is my /etc/lighttpd/lighttpd.conf file on the Nextcloud machine:
server.modules = (
"mod_indexfile",
"mod_setenv",
"mod_access",
"mod_alias",
"mod_redirect",
"mod_proxy",
)
server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80
# features
#https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_feature-flagsDetails
server.feature-flags += ("server.h2proto" => "enable")
server.feature-flags += ("server.h2c" => "enable")
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags += ("server.graceful-restart-bg" => "enable")
# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
# if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
"header-strict" => "enable",# default
"host-strict" => "enable",# default
"host-normalize" => "enable",# default
"url-normalize-unreserved"=> "enable",# recommended highly
"url-normalize-required" => "enable",# recommended
"url-ctrls-reject" => "enable",# recommended
"url-path-2f-decode" => "enable",# recommended highly (unless breaks app)
#"url-path-2f-reject" => "enable",
"url-path-dotseg-remove" => "enable",# recommended highly (unless breaks app)
#"url-path-dotseg-reject" => "enable",
#"url-query-20-plus" => "enable",# consistency in query string
)
index-file.names = ( "index.php", "index.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"
#server.compat-module-load = "disable"
server.modules += (
"mod_dirlisting",
"mod_staticfile",
)
# proxy settings
# Exact host match ("==") rather than an unanchored regex ("=~"),
# which would also match e.g. notmy.otherdomain.com.
$HTTP["host"] == "my.otherdomain.com" {
    # mod_proxy speaks plain HTTP to its backends, so only the weewx
    # host's port 80 belongs here; a port 443 backend entry cannot work.
    # NOTE: 192.168.0.261 (as posted) is not a valid IPv4 address, since
    # each octet must be 0-255; replace it with the weewx machine's real LAN address.
    proxy.server = ( "" => (
        ( "host" => "192.168.0.261", "port" => 80 )
    ))
}
Technically, the proxy settings should be in 10-proxy.conf. I need to run this command:
lighty-enable-mod proxy
This creates a symbolic link in /etc/lighttpd/conf-enabled to 10-proxy.conf in /etc/lighttpd/conf-available. I read I could simply add proxy settings in lighttpd.conf - it was not necessary to use 10-proxy.conf.
The current set-up means incoming traffic to my.otherdomain.com ends up on the second weewx machine. However, certbot needs to communicate out. I am confused about where I should run certbot - from my weewx machine or from my NextCloud machine?
I am not a Linux boffin and need some guidance on how to set up lighttpd to do forward and reverse proxies so my weewx machine can be secure. Most of the posts touching on this refer to Apache, nginx, or some specific web application setup. The syntax of the lighttpd conf settings is rather confusing, using regex-like notation. There is no step-by-step tutorial in plain simple English for simpletons such as me.
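As an added example (not from the original post, DietPi or lighttpd), here is a small Python linter that reads the proxy.server block quoted in the post and reports the things that stop it working: a dotted-quad backend address with an octet above 255, a backend on port 443 (this assumes, as lighttpd 1.4's mod_proxy documents, that backends are contacted over plain HTTP), an unanchored `=~` host match, and the absence of any exception for `/.well-known/acme-challenge/`, which decides where certbot has to run. The HTTP-01 challenge arrives on port 80 of the public IP, which is now the NextCloud box, so either the proxy forwards that path on and certbot runs on the weewx host in webroot mode, or the path is excluded and certbot runs on the proxy host. The corrected block embedded below is constructed for this example; its `192.0.2.10` is a documentation-range placeholder for the weewx machine's real LAN address.

```python
import ipaddress
import re

# Constructed sample: the proxy block as posted (only this part of lighttpd.conf).
SAMPLE_CONF = r'''
$HTTP["host"]=~ "my.otherdomain.com" {
proxy.balance = "fair"
proxy.server = ("" =>
(
( "host" => "192.168.0.261", "port" => 80 ),
( "host" => "192.168.0.261", "port" => 443 )
))
}
'''

# Constructed corrected block. 192.0.2.10 is a documentation-range placeholder
# standing in for the weewx machine's real LAN address (an assumption).
CORRECTED_CONF = r'''
$HTTP["host"] == "my.otherdomain.com" {
    # Answer the HTTP-01 challenge on this host (certbot --webroot here);
    # forward everything else to the weewx box over plain HTTP.
    $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
        proxy.server = ( "" => ( ( "host" => "192.0.2.10", "port" => 80 ) ) )
    }
}
'''

# One ( "host" => "...", "port" => N ) backend entry inside proxy.server.
BACKEND_RE = re.compile(
    r'\(\s*"host"\s*=>\s*"([^"]+)"\s*,\s*"port"\s*=>\s*(\d+)\s*\)'
)


def parse_backends(conf):
    """Return the (host, port) pairs declared in proxy.server."""
    return [(host, int(port)) for host, port in BACKEND_RE.findall(conf)]


def check_backends(conf):
    """Lint a lighttpd proxy block; returns a list of human-readable findings."""
    findings = []
    backends = parse_backends(conf)
    if not backends:
        findings.append("no proxy.server backend entries found")
    seen_hosts = set()
    for host, port in backends:
        if host not in seen_hosts:
            seen_hosts.add(host)
            try:
                ipaddress.ip_address(host)
            except ValueError:
                # A dotted quad that is not a real address (octet > 255 etc.).
                # Anything else is treated as a hostname and left to DNS.
                if re.fullmatch(r"\d+(\.\d+){3}", host):
                    findings.append(
                        f"{host}: not a valid IPv4 address (each octet must be 0-255)"
                    )
        if port == 443:
            findings.append(
                f"{host}:{port}: mod_proxy sends plain HTTP to backends, "
                "so a TLS port cannot be used as a backend"
            )
    if re.search(r'\$HTTP\["host"\]\s*=~', conf):
        findings.append(
            '$HTTP["host"] =~ is an unanchored regex; use == for an exact host match'
        )
    if "acme-challenge" not in conf:
        findings.append(
            "no exception for /.well-known/acme-challenge/: the HTTP-01 challenge is "
            "forwarded to the backend, so certbot must run there (webroot mode), "
            "or exclude that path and run certbot on this proxy host"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_CONF), ("corrected", CORRECTED_CONF)):
        print(f"[{name}]")
        for finding in check_backends(conf) or ["ok"]:
            print("  -", finding)
```

Running it prints four findings for the posted block and "ok" for the corrected one; after editing the real lighttpd.conf, `lighttpd -tt -f /etc/lighttpd/lighttpd.conf` still needs to be run on the box to confirm the syntax parses before reloading.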