# Nginx Proxy Manager
Set up a reverse proxy with Nginx Proxy Manager (NPM) so that every Podman service is reached only through it, over HTTPS; the containers themselves publish no host ports.
## Generate self-signed private key and certificate
```
# Generate a P-256 ECDSA private key; the key file must not be world-readable
openssl ecparam -name prime256v1 -genkey -noout -out hynas.key
chmod 600 hynas.key
# Self-sign straight from the key. A CSR (openssl req -new -key hynas.key -out hynas.csr)
# is only needed when a CA signs the certificate. Browsers ignore the Common Name,
# so the NAS names go into subjectAltName (-addext needs OpenSSL 1.1.1 or newer).
openssl req -x509 -new -key hynas.key -out hynas.crt -days 365 \
  -subj "/CN=hynas.home" \
  -addext "subjectAltName=DNS:hynas.home,DNS:hynas.local"
# Verify: print the certificate and confirm the hostname check passes
openssl x509 -in hynas.crt -text -noout
openssl x509 -in hynas.crt -noout -checkhost hynas.home
# Combine key and certificate (optional); the .pem then contains the private key
cat hynas.key hynas.crt > hynas.pem
chmod 600 hynas.pem
```
Then upload the key and certificate in NPM under SSL Certificates -> Add SSL Certificate -> Custom (NPM takes the key and the certificate as separate files, so the combined .pem is not needed there).

The proxy host needs the container's address on the Podman network. Read it with:
```
podman inspect --format '{{json .NetworkSettings}}' <container_name> | jq
```
Container addresses can change when the container is recreated; if NPM and the service share a named Podman network, the container name can be used as the forward host instead of the address.
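The whole setup only works if the applications are not reachable next to the proxy. The script below is an added check, not part of the page or of Podman: it reads `podman ps --format json` and reports every host-published port except the ones the proxy itself needs (80, 443, NPM's admin UI on 81) and DNS on 53 for Pi-hole. The field names (`Names`, `Ports[].host_ip`, `host_port`, `container_port`, `range`, `protocol`) are those of Podman 4's JSON output and should be checked against your version; the sample data is constructed, not real output.

```python
#!/usr/bin/env python3
"""Audit Podman containers for host-published ports that bypass the reverse proxy.

Usage:  podman ps --format json | python3 port_audit.py
Exit status 1 when a violation is found, so it can run from cron or CI.
Field names follow `podman ps --format json` as of Podman 4 (assumption).
"""
import json
import sys

# Host ports the proxy (80/443), its admin UI (81) and Pi-hole DNS (53) need.
# Every other service must stay on the Podman network only.
ALLOWED_HOST_PORTS = {80, 443, 81, 53}


def exposed_ports(containers):
    """Yield (name, host_ip, host_port, container_port, proto) per published port."""
    for c in containers:
        name = (c.get("Names") or ["?"])[0]
        for p in c.get("Ports") or []:
            host_port = p.get("host_port")
            if not host_port:            # exposed but not published on the host
                continue
            host_ip = p.get("host_ip") or "0.0.0.0"   # "" means all interfaces
            proto = p.get("protocol") or "tcp"
            cport = p.get("container_port") or host_port
            # "range" > 1 means N consecutive ports starting at host_port/container_port
            for i in range(p.get("range") or 1):
                yield name, host_ip, host_port + i, cport + i, proto


def violations(containers, allowed=ALLOWED_HOST_PORTS):
    """Published host ports not in `allowed`, as 'name ip:host->container/proto' lines."""
    return [
        f"{name} {host_ip}:{hp}->{cp}/{proto}"
        for name, host_ip, hp, cp, proto in exposed_ports(containers)
        if hp not in allowed
    ]


# Constructed sample (not real podman output): calibre-web publishes 8083 on the
# host, so it can be reached over plain HTTP without passing the proxy.
SAMPLE = [
    {"Names": ["npm"], "Ports": [
        {"host_ip": "", "container_port": 80, "host_port": 80, "range": 1, "protocol": "tcp"},
        {"host_ip": "", "container_port": 443, "host_port": 443, "range": 1, "protocol": "tcp"},
        {"host_ip": "127.0.0.1", "container_port": 81, "host_port": 81, "range": 1, "protocol": "tcp"},
    ]},
    {"Names": ["calibre-web"], "Ports": [
        {"host_ip": "", "container_port": 8083, "host_port": 8083, "range": 1, "protocol": "tcp"},
    ]},
    {"Names": ["pihole"], "Ports": [
        {"host_ip": "", "container_port": 53, "host_port": 53, "range": 1, "protocol": "udp"},
    ]},
]


def main():
    # Read real output from a pipe; fall back to the constructed sample on a terminal.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    bad = violations(data)
    for line in bad:
        print("EXPOSED", line)
    sys.exit(1 if bad else 0)


if __name__ == "__main__":
    main()
```

On the sample it prints `EXPOSED calibre-web 0.0.0.0:8083->8083/tcp`; the fix is to drop the `-p 8083:8083` (or `ports:` entry) from that container and reach it only through the `/calibre/` location below.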
## Set up the nginx proxy location
Assume calibre-web is reachable at 10.89.0.2:8083 on the Podman network (the address from `podman inspect` above). In NPM this block goes into the proxy host's Advanced tab (custom Nginx configuration):
```
# serve the container under https://<fqdn>/calibre/
location /calibre/ {
    # the trailing slash on proxy_pass replaces the matched /calibre/ prefix,
    # so the upstream sees "/"; no separate rewrite is needed
    proxy_pass http://10.89.0.2:8083/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # tells the application that the client connection was HTTPS
    proxy_set_header X-Forwarded-Proto $scheme;
    # calibre-web builds its links from this header when served under a prefix
    proxy_set_header X-Script-Name /calibre;
}
```
Note that `location /calibre/` does not match a request for `/calibre` without the trailing slash.
## Pi-hole
Deploy Pi-hole and add a local DNS record for the NAS name (Local DNS records in the Pi-hole admin UI). When Pi-hole runs in a Podman/Docker bridge network, queries from LAN clients arrive from addresses outside the container's own subnet, which dnsmasq refuses by default, so the container must be told to answer on every interface. Add this to docker-compose.yaml:
```
environment:
  - DNSMASQ_LISTENING=all
```
`all` means Pi-hole answers any client that can reach port 53, so this is only acceptable when the container is not reachable from the internet (the gateway firewall in the diagram below). After that, set the Pi-hole address (192.168.1.200 here) as the DNS server in the router's DHCP settings and test from a LAN client:
```
dig @192.168.1.200 hynas.local
```
The ANSWER section should contain the NAS address. Note that `.local` is reserved for mDNS (RFC 6762), so some clients resolve it by multicast instead of asking Pi-hole; a name such as `hynas.home` (used in the curl example below) avoids that.
## curl example
`--resolve HOST:PORT:ADDR` only applies to connections to that exact port, so `hynas.home:53:...` never matches an HTTPS request on 443 and curl silently falls back to normal DNS. To test the proxy independently of DNS, pin the name to the proxy address on 443 (192.168.1.200 here, assuming NPM runs on the same host as Pi-hole; substitute the NAS address otherwise) and verify the connection against the self-signed certificate instead of disabling verification:
```
curl -L -v --cacert hynas.crt --resolve hynas.home:443:192.168.1.200 https://hynas.home/calibre/
```
`--cacert` works because the certificate is self-signed and names `hynas.home`; `--insecure` would also accept a certificate presented by a man-in-the-middle. Use `/calibre/` with the trailing slash, since the `location /calibre/` prefix does not match `/calibre`. To test the DNS path as well, drop `--resolve` and first confirm with `dig @192.168.1.200 hynas.home` that the name resolves to the proxy.
## Home use example
```mermaid
flowchart TD
subgraph s1["📦 Gateway (DNS / Firewall / VPN )"]
pihole["🧩 DNS server"]
VPN["🔒 VPN Server"]
firewall["🛡️ Firewall"]
end
subgraph homelab["🖥️ Nas"]
subgraph containers["containers"]
k8s["🚢 k8s clusters(test area)"]
podman["🐳 podman containers"]
end
nginx["🌐 Nginx Reverse Proxy<br>• TLS 1.3+<br>• Default Authz<br>• FQDN only<br>• VPN Net only<br>• Audit Log"]
auditlog[("📝 Audit Log")]
end
subgraph C1["🖥️ Other computing unit"]
compute1["🖥️ I am a computing unit"]
end
subgraph C2["☁️ Cloud computing"]
compute2["☁️ I am a cloud computing unit"]
end
user["👤 Remote User"] --> firewall
firewall --> VPN
VPN -- DNS force redirect --> pihole
nginx <-- DNS resolve --> pihole
VPN -- VPN Net IP Only --> nginx
nginx -- Reverse Proxy --> containers
nginx --> auditlog
k8s <-- RPC --> C1
k8s <-- RPC --> C2
C2 <-- RPC --> C1
```
:::spoiler
1. Close every externally published podman/microk8s port. All services must go through the Nginx reverse proxy, connections are forced to TLS 1.3 or newer, default authorization is enabled, and the reverse proxy rejects connections from every other subnet.
2. Do not use IP:port as a service endpoint; always use an FQDN.
3. Only IPs from the WireGuard VPN subnet may access the Nginx reverse proxy.
4. Connect the proxy to an audit log.
:::
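The four rules as a single Nginx configuration, added here as an illustration; it is neither part of this page nor the configuration NPM generates. Assumptions: the WireGuard subnet is 10.8.0.0/24, the proxy's name is hynas.home, the certificate and htpasswd paths are as shown, and calibre-web is at 10.89.0.2:8083. In NPM, the `log_format` belongs in an http-level custom include (`/data/nginx/custom/http_top.conf`) and the server-level directives in the proxy host's Advanced tab, since NPM writes the `server` and `listen` lines itself.

```nginx
# http context: one line per request with the fields an audit needs (rule 4)
log_format audit '$time_iso8601 client=$remote_addr host="$host" '
                 'req="$request" status=$status bytes=$body_bytes_sent '
                 'tls=$ssl_protocol cipher=$ssl_cipher ua="$http_user_agent"';

# Rule 2: requests that do not carry the FQDN (raw IP, unknown name, no SNI)
# get no TLS handshake at all instead of a certificate and an error page.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;      # nginx >= 1.19.4, needs no certificate
}

server {
    listen 443 ssl http2;
    server_name hynas.home;

    ssl_certificate     /etc/nginx/certs/hynas.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/hynas.key;
    ssl_protocols TLSv1.3;        # rule 1: TLS 1.3 only (TLS 1.2 clients are refused)

    # Rule 3: only the WireGuard subnet reaches the proxy; everyone else gets 403
    allow 10.8.0.0/24;            # assumed VPN subnet
    deny  all;

    # Rule 1: default authorization for every location, not per application
    auth_basic           "hynas";
    auth_basic_user_file /etc/nginx/htpasswd;   # assumed, created with htpasswd

    access_log /var/log/nginx/audit.log audit;  # rule 4

    # Applications are reached only here; the containers publish no host ports
    location /calibre/ {
        proxy_pass http://10.89.0.2:8083/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Script-Name /calibre;
    }
}

# Plain HTTP is never served; send the client to HTTPS on the FQDN
server {
    listen 80 default_server;
    return 301 https://hynas.home$request_uri;
}
```

`allow`/`deny` and `auth_basic` are both enforced (nginx's `satisfy all` default), so a leaked password is still useless from outside the VPN, and a stolen VPN peer still needs credentials. The rejected-handshake default server means scanning the NAS by IP yields no certificate and therefore no hostname to pivot to.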
## Reference
- [Is a custom domain hard? DNS limits and practice, by Ken Chen](https://blog.kenwsc.com/custom-domain-and-dns/)
- [IOT device security](https://hackmd.io/A9RWxZOfRW6wPY13kt5GeA)
- [Building your first NAS yourself](https://hackmd.io/6IgNCLE4Sh-gaL_XDyx0Dw)
- [Why you should have a self-hosted NAS. How big tech companies use your data and turn it into commercial profit.](https://hackmd.io/73nTYnS3T4ak3-EYhHnO6g)
- [squid (reverse proxy) enable https](/HbC4EsqWQG6Iwd1BQ3rZfw)
- [gateway DDNS](/JTcqYlmSSqaeJBW_Y32ynw)