SOLVED Cloudron and Apps Behind a Proxy
Has anyone tried to put an entire CR behind another NGinx proxy? I suspect that's a nono but wanted to check. I only get one IP address and want to route some things to CR and some things to "Other" stuff.
@doodlemania2 isn't that the typical home setup, where in this case the proxy is the home router?
@doodlemania2 You can just proxy_pass (https), it should work fine. I think if you have the programmatic DNS then Cloudron can gets certs with DNS automation with no problem as well (otherwise, you will have to somehow auto-magically redirect .well-known stuff required for LE).
I recall this post - https://forum.cloudron.io/topic/2094/reverse-proxy-infront-of-cloudron-gives-me-to-many-redirects . Maybe @smilebasti has a config.
@robi In a home setup, the home-router acts as a NAT, not a proxy. It's totally different, as it acts at level 3/4 of the network stack, not level 7
@mehdi yes, but it's still a node where a transition happens with a similar config that points to CL the domains it hosts.
@girish That seems like a good idea. I was thinking of doing this:
Internet -> 1. NGinix Proxy Manager -> Cloudron
2. NGinix Proxy Manager -> Other thing
- Proxy host apps.mydomain.net (my cloudron) which has DNS set to public IP address.
- Proxy host blah.mydomain.net (my other thing) which has DNS set to public IP address.
Looks a bit like this:
My Cloudron DNS is set up as Wildcard so that's happy. But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?
@doodlemania2 may have to copy the cert over manually..
But I don't think I can have a cert in the proxy AND on the Cloudron resolving to same thing?
What do you mean by this? Cert doesn't resolve to anything (or did you mean DNS? even then I am not sure what you are asking...)
But you are on the right path! For Cloudron, choose https proxying.
@doodlemania2 I think you should just use traefik (or another reverse-proxy that handles Let'sEncrypt stuff by itself), and just disable certs on Cloudron's side. You don't really care about the encryption between the Reverse-Proxy and cloudron, if there are self-signed certs, it shouldn't be an issue (as long as the reverse-proxy is configured to accept it)
@mehdi this is kind of like that, just with a pretty GUI. https://github.com/jc21/nginx-proxy-manager?utm_source=nginx-proxy-manager
Haven't gotten it to work with CR yet, but I'm getting close!
have tried pretty much everything i can think of but can't seem to get cloudron to NOT try to do SSL. it's not that big of a deal, just something I was trying to figure out for fun.
but can't seem to get cloudron to NOT try to do SSL
Cloudron will always do TLS. Have your just tried configuring reverse proxy to do TLS? Atleast in nginx, this is doable. See https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/#complete-example
@girish this is likely just me not knowing how nginx works:
Was hoping crtest.altdomain would pass to existing my.apps.primarydomain and it would "just work" but I got the "You've found a cloudron in the wild"
That was somewhat expected cause the CR doesn't know about crtest.altdomain. Was kind of hoping NGinx would have done that translation for me by keeping the destination as the 'URL' that I wanted.
I suppose I could create a crtest.altdomain in CR and things would magically just start working, but I'd have to assign the altdomain names to each of my apps, I think??
@doodlemania2 As a first step, you can try this to understand how it might work:
curl -k -H 'Host: app.domain.com' https://<cloudron-server-ip>
To explain the above, first we try to reach the cloudron server by IP via https. In your case, (if I understood your setup), this IP will be the intranet cloudron server IP (and not the public one). Next, the
Hostheader helps (cloudron) nginx decide which vhost/app the request is meant for. Finally, the -k is needed because curl will not be able to match the server cert because we are accessing by IP but the cert will be whatever the host header was set to.
If the above works, you just have to make it work in the above UI:
- Make sure destination is https://ip
- I am guessing the Host header is automatically set
- You have to accept the cert.
@girish Some success! This is wicked cool - and, by the way, I now have BBB server up and running for CR folks to use anytime they/yall need.
One question - when I go to my CR sites now, I am getting a cert error - you indicated that would likely happen I think. Any way to avoid that?
@doodlemania2 I think this is because nginx proxy manager does not have valid certs for the
conferencesubdomain. Does it say it has valid certs?
@doodlemania2 Can confirm I can see it with proper certs
well, spoke almost too soon - now that I've got that up and running, I thought that I could force https, but Let's Encrypt doesn't like that because it needs to hit HTTP at a well known endpoint. So, am going to continue to tinker to see if I can pass both http and https
@doodlemania2 Cloudron does not require http for certs if you use the programmatic DNS backends (since it obtains certs by putting entries in DNS and not using http callbacks).