Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Cloudron and Apps Behind a Proxy

Cloudron and Apps Behind a Proxy

Scheduled Pinned Locked Moved Solved Support
reverseproxyproxymanager
31 Posts 7 Posters 5.7k Views 9 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • doodlemania2D Offline
      doodlemania2D Offline
      doodlemania2
      App Dev
      wrote on last edited by girish
      #1

      Has anyone tried to put an entire CR behind another NGinx proxy? I suspect that's a nono but wanted to check. I only get one IP address and want to route some things to CR and some things to "Other" stuff.

      robiR girishG 2 Replies Last reply
      0
      • doodlemania2D doodlemania2

        Has anyone tried to put an entire CR behind another NGinx proxy? I suspect that's a nono but wanted to check. I only get one IP address and want to route some things to CR and some things to "Other" stuff.

        robiR Offline
        robiR Offline
        robi
        wrote on last edited by
        #2

        @doodlemania2 isn't that the typical home setup, where in this case the proxy is the home router?

        Conscious tech

        mehdiM 1 Reply Last reply
        0
        • doodlemania2D doodlemania2

          Has anyone tried to put an entire CR behind another NGinx proxy? I suspect that's a nono but wanted to check. I only get one IP address and want to route some things to CR and some things to "Other" stuff.

          girishG Offline
          girishG Offline
          girish
          Staff
          wrote on last edited by
          #3

          @doodlemania2 You can just proxy_pass (https), it should work fine. I think if you have the programmatic DNS then Cloudron can gets certs with DNS automation with no problem as well (otherwise, you will have to somehow auto-magically redirect .well-known stuff required for LE).

          I recall this post - https://forum.cloudron.io/topic/2094/reverse-proxy-infront-of-cloudron-gives-me-to-many-redirects . Maybe @smilebasti has a config.

          doodlemania2D 1 Reply Last reply
          0
          • robiR robi

            @doodlemania2 isn't that the typical home setup, where in this case the proxy is the home router?

            mehdiM Offline
            mehdiM Offline
            mehdi
            App Dev
            wrote on last edited by
            #4

            @robi In a home setup, the home-router acts as a NAT, not a proxy. It's totally different, as it acts at level 3/4 of the network stack, not level 7

            robiR 1 Reply Last reply
            0
            • mehdiM mehdi

              @robi In a home setup, the home-router acts as a NAT, not a proxy. It's totally different, as it acts at level 3/4 of the network stack, not level 7

              robiR Offline
              robiR Offline
              robi
              wrote on last edited by
              #5

              @mehdi yes, but it's still a node where a transition happens with a similar config that points to CL the domains it hosts.

              Conscious tech

              1 Reply Last reply
              0
              • girishG girish

                @doodlemania2 You can just proxy_pass (https), it should work fine. I think if you have the programmatic DNS then Cloudron can gets certs with DNS automation with no problem as well (otherwise, you will have to somehow auto-magically redirect .well-known stuff required for LE).

                I recall this post - https://forum.cloudron.io/topic/2094/reverse-proxy-infront-of-cloudron-gives-me-to-many-redirects . Maybe @smilebasti has a config.

                doodlemania2D Offline
                doodlemania2D Offline
                doodlemania2
                App Dev
                wrote on last edited by doodlemania2
                #6

                @girish That seems like a good idea. I was thinking of doing this:

                Internet -> 1. NGinix Proxy Manager -> Cloudron
                2. NGinix Proxy Manager -> Other thing

                Where:

                1. Proxy host apps.mydomain.net (my cloudron) which has DNS set to public IP address.
                2. Proxy host blah.mydomain.net (my other thing) which has DNS set to public IP address.

                Looks a bit like this:
                4dd19714-1874-41d1-b527-edea98a525ea-image.png

                My Cloudron DNS is set up as Wildcard so that's happy. But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?

                robiR girishG mehdiM 3 Replies Last reply
                0
                • doodlemania2D doodlemania2

                  @girish That seems like a good idea. I was thinking of doing this:

                  Internet -> 1. NGinix Proxy Manager -> Cloudron
                  2. NGinix Proxy Manager -> Other thing

                  Where:

                  1. Proxy host apps.mydomain.net (my cloudron) which has DNS set to public IP address.
                  2. Proxy host blah.mydomain.net (my other thing) which has DNS set to public IP address.

                  Looks a bit like this:
                  4dd19714-1874-41d1-b527-edea98a525ea-image.png

                  My Cloudron DNS is set up as Wildcard so that's happy. But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?

                  robiR Offline
                  robiR Offline
                  robi
                  wrote on last edited by
                  #7

                  @doodlemania2 may have to copy the cert over manually..

                  Conscious tech

                  1 Reply Last reply
                  0
                  • doodlemania2D doodlemania2

                    @girish That seems like a good idea. I was thinking of doing this:

                    Internet -> 1. NGinix Proxy Manager -> Cloudron
                    2. NGinix Proxy Manager -> Other thing

                    Where:

                    1. Proxy host apps.mydomain.net (my cloudron) which has DNS set to public IP address.
                    2. Proxy host blah.mydomain.net (my other thing) which has DNS set to public IP address.

                    Looks a bit like this:
                    4dd19714-1874-41d1-b527-edea98a525ea-image.png

                    My Cloudron DNS is set up as Wildcard so that's happy. But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?

                    girishG Offline
                    girishG Offline
                    girish
                    Staff
                    wrote on last edited by
                    #8

                    @doodlemania2 said in Cloudron and Apps Behind a Proxy:

                    But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?

                    What do you mean by this? Cert doesn't resolve to anything (or did you mean DNS? even then I am not sure what you are asking...)

                    But you are on the right path! For Cloudron, choose https proxying.

                    1 Reply Last reply
                    0
                    • doodlemania2D doodlemania2

                      @girish That seems like a good idea. I was thinking of doing this:

                      Internet -> 1. NGinix Proxy Manager -> Cloudron
                      2. NGinix Proxy Manager -> Other thing

                      Where:

                      1. Proxy host apps.mydomain.net (my cloudron) which has DNS set to public IP address.
                      2. Proxy host blah.mydomain.net (my other thing) which has DNS set to public IP address.

                      Looks a bit like this:
                      4dd19714-1874-41d1-b527-edea98a525ea-image.png

                      My Cloudron DNS is set up as Wildcard so that's happy. But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?

                      mehdiM Offline
                      mehdiM Offline
                      mehdi
                      App Dev
                      wrote on last edited by
                      #9

                      @doodlemania2 I think you should just use traefik (or another reverse-proxy that handles Let'sEncrypt stuff by itself), and just disable certs on Cloudron's side. You don't really care about the encryption between the Reverse-Proxy and cloudron, if there are self-signed certs, it shouldn't be an issue (as long as the reverse-proxy is configured to accept it)

                      doodlemania2D 1 Reply Last reply
                      0
                      • mehdiM mehdi

                        @doodlemania2 I think you should just use traefik (or another reverse-proxy that handles Let'sEncrypt stuff by itself), and just disable certs on Cloudron's side. You don't really care about the encryption between the Reverse-Proxy and cloudron, if there are self-signed certs, it shouldn't be an issue (as long as the reverse-proxy is configured to accept it)

                        doodlemania2D Offline
                        doodlemania2D Offline
                        doodlemania2
                        App Dev
                        wrote on last edited by
                        #10

                        @mehdi this is kind of like that, just with a pretty GUI. https://github.com/jc21/nginx-proxy-manager?utm_source=nginx-proxy-manager

                        Haven't gotten it to work with CR yet, but I'm getting close!

                        doodlemania2D 1 Reply Last reply
                        2
                        • doodlemania2D doodlemania2

                          @mehdi this is kind of like that, just with a pretty GUI. https://github.com/jc21/nginx-proxy-manager?utm_source=nginx-proxy-manager

                          Haven't gotten it to work with CR yet, but I'm getting close!

                          doodlemania2D Offline
                          doodlemania2D Offline
                          doodlemania2
                          App Dev
                          wrote on last edited by
                          #11

                          have tried pretty much everything i can think of but can't seem to get cloudron to NOT try to do SSL. it's not that big of a deal, just something I was trying to figure out for fun.

                          girishG 1 Reply Last reply
                          0
                          • doodlemania2D doodlemania2

                            have tried pretty much everything i can think of but can't seem to get cloudron to NOT try to do SSL. it's not that big of a deal, just something I was trying to figure out for fun.

                            girishG Offline
                            girishG Offline
                            girish
                            Staff
                            wrote on last edited by
                            #12

                            @doodlemania2 said in Cloudron and Apps Behind a Proxy:

                            but can't seem to get cloudron to NOT try to do SSL

                            Cloudron will always do TLS. Have your just tried configuring reverse proxy to do TLS? Atleast in nginx, this is doable. See https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#complete-example

                            doodlemania2D 1 Reply Last reply
                            0
                            • girishG girish

                              @doodlemania2 said in Cloudron and Apps Behind a Proxy:

                              but can't seem to get cloudron to NOT try to do SSL

                              Cloudron will always do TLS. Have your just tried configuring reverse proxy to do TLS? Atleast in nginx, this is doable. See https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#complete-example

                              doodlemania2D Offline
                              doodlemania2D Offline
                              doodlemania2
                              App Dev
                              wrote on last edited by
                              #13

                              @girish this is likely just me not knowing how nginx works:
                              b0149683-057f-4568-a486-df75e7c59e1f-image.png
                              Was hoping crtest.altdomain would pass to existing my.apps.primarydomain and it would "just work" but I got the "You've found a cloudron in the wild"

                              That was somewhat expected cause the CR doesn't know about crtest.altdomain. Was kind of hoping NGinx would have done that translation for me by keeping the destination as the 'URL' that I wanted.

                              I suppose I could create a crtest.altdomain in CR and things would magically just start working, but I'd have to assign the altdomain names to each of my apps, I think??

                              girishG 1 Reply Last reply
                              0
                              • doodlemania2D doodlemania2

                                @girish this is likely just me not knowing how nginx works:
                                b0149683-057f-4568-a486-df75e7c59e1f-image.png
                                Was hoping crtest.altdomain would pass to existing my.apps.primarydomain and it would "just work" but I got the "You've found a cloudron in the wild"

                                That was somewhat expected cause the CR doesn't know about crtest.altdomain. Was kind of hoping NGinx would have done that translation for me by keeping the destination as the 'URL' that I wanted.

                                I suppose I could create a crtest.altdomain in CR and things would magically just start working, but I'd have to assign the altdomain names to each of my apps, I think??

                                girishG Offline
                                girishG Offline
                                girish
                                Staff
                                wrote on last edited by
                                #14

                                @doodlemania2 As a first step, you can try this to understand how it might work:

                                curl -k -H 'Host: app.domain.com' https://<cloudron-server-ip>
                                

                                To explain the above, first we try to reach the cloudron server by IP via https. In your case, (if I understood your setup), this IP will be the intranet cloudron server IP (and not the public one). Next, the Host header helps (cloudron) nginx decide which vhost/app the request is meant for. Finally, the -k is needed because curl will not be able to match the server cert because we are accessing by IP but the cert will be whatever the host header was set to.

                                If the above works, you just have to make it work in the above UI:

                                • Make sure destination is https://ip
                                • I am guessing the Host header is automatically set
                                • You have to accept the cert.
                                doodlemania2D 1 Reply Last reply
                                0
                                • girishG girish

                                  @doodlemania2 As a first step, you can try this to understand how it might work:

                                  curl -k -H 'Host: app.domain.com' https://<cloudron-server-ip>
                                  

                                  To explain the above, first we try to reach the cloudron server by IP via https. In your case, (if I understood your setup), this IP will be the intranet cloudron server IP (and not the public one). Next, the Host header helps (cloudron) nginx decide which vhost/app the request is meant for. Finally, the -k is needed because curl will not be able to match the server cert because we are accessing by IP but the cert will be whatever the host header was set to.

                                  If the above works, you just have to make it work in the above UI:

                                  • Make sure destination is https://ip
                                  • I am guessing the Host header is automatically set
                                  • You have to accept the cert.
                                  doodlemania2D Offline
                                  doodlemania2D Offline
                                  doodlemania2
                                  App Dev
                                  wrote on last edited by
                                  #15

                                  @girish Some success! This is wicked cool - and, by the way, I now have BBB server up and running for CR folks to use anytime they/yall need.

                                  One question - when I go to my CR sites now, I am getting a cert error - you indicated that would likely happen I think. Any way to avoid that?

                                  https://conference.cloudromdomain is nginx proxy to https://ip-address-of-cloudron.

                                  girishG 1 Reply Last reply
                                  0
                                  • doodlemania2D doodlemania2

                                    @girish Some success! This is wicked cool - and, by the way, I now have BBB server up and running for CR folks to use anytime they/yall need.

                                    One question - when I go to my CR sites now, I am getting a cert error - you indicated that would likely happen I think. Any way to avoid that?

                                    https://conference.cloudromdomain is nginx proxy to https://ip-address-of-cloudron.

                                    girishG Offline
                                    girishG Offline
                                    girish
                                    Staff
                                    wrote on last edited by girish
                                    #16

                                    @doodlemania2 I think this is because nginx proxy manager does not have valid certs for the conference subdomain. Does it say it has valid certs?

                                    doodlemania2D 1 Reply Last reply
                                    0
                                    • girishG girish

                                      @doodlemania2 I think this is because nginx proxy manager does not have valid certs for the conference subdomain. Does it say it has valid certs?

                                      doodlemania2D Offline
                                      doodlemania2D Offline
                                      doodlemania2
                                      App Dev
                                      wrote on last edited by
                                      #17

                                      @girish I think it's clean now - I tweaked the nginx. Should be able to see it at https://conference.apps.thedoodleproject.net huzzah!

                                      girishG 1 Reply Last reply
                                      2
                                      • doodlemania2D doodlemania2

                                        @girish I think it's clean now - I tweaked the nginx. Should be able to see it at https://conference.apps.thedoodleproject.net huzzah!

                                        girishG Offline
                                        girishG Offline
                                        girish
                                        Staff
                                        wrote on last edited by
                                        #18

                                        @doodlemania2 Can confirm I can see it with proper certs 🙂

                                        doodlemania2D 1 Reply Last reply
                                        1
                                        • girishG girish

                                          @doodlemania2 Can confirm I can see it with proper certs 🙂

                                          doodlemania2D Offline
                                          doodlemania2D Offline
                                          doodlemania2
                                          App Dev
                                          wrote on last edited by
                                          #19

                                          well, spoke almost too soon - now that I've got that up and running, I thought that I could force https, but Let's Encrypt doesn't like that because it needs to hit HTTP at a well known endpoint. So, am going to continue to tinker to see if I can pass both http and https

                                          girishG 1 Reply Last reply
                                          0
                                          • doodlemania2D doodlemania2

                                            well, spoke almost too soon - now that I've got that up and running, I thought that I could force https, but Let's Encrypt doesn't like that because it needs to hit HTTP at a well known endpoint. So, am going to continue to tinker to see if I can pass both http and https

                                            girishG Offline
                                            girishG Offline
                                            girish
                                            Staff
                                            wrote on last edited by
                                            #20

                                            @doodlemania2 Cloudron does not require http for certs if you use the programmatic DNS backends (since it obtains certs by putting entries in DNS and not using http callbacks).

                                            doodlemania2D 1 Reply Last reply
                                            0
                                            Reply
                                            • Reply as topic
                                            Log in to reply
                                            • Oldest to Newest
                                            • Newest to Oldest
                                            • Most Votes


                                              • Login

                                              • Don't have an account? Register

                                              • Login or register to search.
                                              • First post
                                                Last post
                                              0
                                              • Categories
                                              • Recent
                                              • Tags
                                              • Popular
                                              • Bookmarks
                                              • Search