NGINX Reverse Proxy


So I've spun up a couple of services at this point and I can see the number of open ports exploding if I keep finding cool services to play with. It's probably a good time to set up a reverse proxy. I've heard numerous people recommending NGINX's reverse proxy so hopefully since it is so popular I'll be able to find plenty of documentation to help me get it going.

Create Virtual Machine

On HV-03 I created a new virtual machine with Ubuntu 22.04 named NGINX-01. I set the virtual machine to have 1 vCPU and 4GB of memory. That should be fine for a proxy server that has the potential for low traffic, right?

Install Operating System

I power on NGINX-01 and walk through Ubuntu's installation wizard.

Configure Operating System

Configure SSH Key

Steps performed on desktop in Windows Terminal

  • ssh-keygen -t ed25519
  • Move-Item -Path c:\Users\david\filename* -Destination c:\Users\david\.ssh -Force
  • I open Windows Terminal Settings
  • I open the JSON file and add the following:
            {
                "colorScheme": "Ubuntu-ColorScheme",
                "commandline": "ssh -i \"~/.ssh/nginx-01\" [email protected]",
                "experimental.retroTerminalEffect": false,
                "font": 
                {
                    "face": "Cascadia Code"
                },
                "guid": "{0caa0dad-35be-5f56-a8ff-XXXXXXXXXXXX}",
                "hidden": false,
                "name": "NGINX-01",
                "tabTitle": "NGINX-01"
            },
  • I make certain the GUID is unique and save the file

Configure SSH

Steps performed on NGINX-01

  • mkdir /home/david/.ssh
  • nano /home/david/.ssh/authorized_keys
  • I paste in the public key
  • I save the file
  • chmod 600 /home/david/.ssh/authorized_keys
  • sudo nano /etc/ssh/sshd_config
    • PermitRootLogin no
    • PubkeyAuthentication yes
    • PubkeyAcceptedKeyTypes ssh-ed25519
    • PasswordAuthentication no
    • AuthorizedKeysFile /home/david/.ssh/authorized_keys
  • I save the file
  • sudo sshd -t
  • sudo systemctl restart ssh

Configure Firewall

Steps performed on NGINX-01

  • sudo ufw allow 22/tcp
  • sudo ufw allow 80/tcp
  • sudo ufw allow 443/tcp
  • sudo ufw enable

Install NGINX

Steps performed on NGINX-01

  • sudo apt install nginx
  • sudo systemctl status nginx
    • Active: active (running)

Well that was easy enough. I jumped on my network firewall and set up the port forwarding for ports 80 and 443 to point to NGINX-01. Then I confirm I can reach the server; it is bringing up the "Welcome to NGINX!" page. Nice and easy, I like that.

Configure NGINX

So I want to start by setting up a little testing site.

Steps performed on NGINX-01

  • mkdir /var/www/html_test
  • cd /var/www/html_test
  • nano index.html
<HTML>
	<BODY>
		Hello World!
	</BODY>
</HTML>
  • cd /etc/nginx/sites-available
  • cp default html_test
  • cd ../sites-enabled
  • ln -s ../sites-available/html_test
  • nano /etc/nginx/sites-available/html_test
    • I updated the root to /var/www/html_test
  • sudo systemctl stop nginx
  • sudo systemctl start nginx
    • nginx: configuration file /etc/nginx/nginx.conf test failed

After playing around for a while I have some of it working, but it seems like I'm struggling with the redirection from HTTP to HTTPS. I decide to install Certbot to see if a certificate will help me out.

Install Certbot

Steps performed on NGINX-01

  • sudo apt install snapd
    • snapd is already the newest version (2.56.2+22.04ubuntu1).
  • sudo snap install core
    • core 16-2.56.2 from Canonical installed
  • sudo snap refresh core
    • snap "core" has no updates available
  • sudo apt remove certbot
    • Package 'certbot' is not installed, so not removed.
  • sudo snap install --classic certbot
    • certbot 1.29.0 from Certbot Project (certbot-eff) installed
  • sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • sudo certbot --nginx
    • Congratulations! You have successfully enabled HTTPS on....

NGINX crashed at this point and won't start. That stinks. I reboot the server. NGINX is running now but it isn't serving anything. Ahhh I see I have port 443 forwarded to my Unifi controller still. I switch that over to NGINX-01 but that didn't help me one bit. It turns out I had accidentally erased my A record for domain.com by overwriting it with an A record for www.domain.com. That was foolish of me. At this point I now have domain.com and www.domain.com properly redirecting to HTTPS serving a static page off of NGINX-01.

The next thing I try to do is set up a proxy forward for domain.com/monica, but all I can get returned is a 400 error. Checking the logs shows me this is because it is failing to resolve the host name https://10.10.10.XXX:443, which is baffling to me. After playing around with this for an hour and being unable to get it to work I decide to step back from this and try something else instead.

I now try to set up a proxy forward for monica.domain.com. I was able to get it working for the most part with this configuration:

server {
    listen 443;
    server_name monica.domain.com;
    location / {
        proxy_set_header Host $host;
        proxy_pass https://monica.domain.com:44306;
        proxy_redirect off;
    }
}

The only trouble I have with it is the certificate is not showing up. Do I need to move the certificate to the proxy server to fix that? Or does the proxy need to pass it through? I've run out of time today so I'll have to come back to it tomorrow.
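For reference, the proxy terminates TLS itself, so it needs its own certificate on NGINX-01; the backend's certificate is never passed through to the browser. The config below is an added example, not the post's own configuration, and assumes Certbot has already issued a certificate for monica.domain.com on NGINX-01 under its default /etc/letsencrypt/live/ layout:

```nginx
# Added example (not from the original post). Assumes Certbot has issued a
# certificate for monica.domain.com on NGINX-01 at the default
# /etc/letsencrypt/live/monica.domain.com/ path and that the Monica backend
# still listens with HTTPS on port 44306.

# Send plain HTTP to HTTPS so nothing is served in the clear.
server {
    listen 80;
    server_name monica.domain.com;
    return 301 https://$host$request_uri;
}

server {
    # "ssl" is what makes NGINX terminate TLS here. A bare "listen 443;"
    # serves unencrypted HTTP on port 443, so the browser never sees a cert.
    listen 443 ssl;
    server_name monica.domain.com;

    ssl_certificate     /etc/letsencrypt/live/monica.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/monica.domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Forward the original host and client details to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Upstream is HTTPS; present the host name via SNI so the backend
        # selects the right certificate. NGINX does not verify the upstream
        # certificate by default; if the backend has a CA-signed cert, add
        # "proxy_ssl_verify on;" with "proxy_ssl_trusted_certificate".
        proxy_pass https://monica.domain.com:44306;
        proxy_ssl_server_name on;
        proxy_ssl_name $host;
        proxy_redirect off;
    }
}
```

Running `sudo certbot --nginx -d monica.domain.com` adds the `ssl_certificate` lines to an existing server block for you; either way, check with `sudo nginx -t` before reloading.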