add nginx reverse proxy guide

sudocarlos · May 30, 2024 · db22052 · db22052
1 parent dc080ab
commit db22052
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 2 deletions.
diff --git a/nginx-reverse-proxy.md b/nginx-reverse-proxy.md
@@ -0,0 +1,55 @@
+# Create nginx reverse proxy service
+
+I created a script to create a reverse proxy service for nginx. The script is 
+based on https://docs.btcpayserver.org/Deployment/ReverseProxyToTor. The script
+assumes a Debian-based system and will use certbot to obtain a certificate and
+upgrade HTTP connections to HTTPS.
+
+# Requirements
+
+- Debian system
+- Domain record configured
+- Root access
+- HTTP or HTTPS service to be proxied
+
+# Usage
+
+1. View the script at https://gist.github.com/sudocarlos/6d0e640f25101b0017e68ebd4c08c147
+and make sure you're comfortable with what it's doing
+
+1. Download the script
+
+        wget https://gist.github.com/sudocarlos/6d0e640f25101b0017e68ebd4c08c147/raw/287b9ac1c4456ad3cbe3e433d00b2432d9c4397e/create_nginx_service.sh
+
+1. Make the script executable
+
+        chmod +x create_nginx_service.sh
+
+1. Run the script as root and specify the domain and address/port to proxy to
+
+        sudo ./create_nginx_service.sh btcpayserver.mydomain.com http://localhost:80
+
+    __More examples__
+
+        sudo ./create_nginx_service.sh mymempooldomain.com http://start9:8080
+        sudo ./create_nginx_service.sh lnd.mydomain.com https://start9:3001
+
+# Notes
+
+- __All issuance requests are subject to a Duplicate Certificate limit of 5 per week__
+    - https://letsencrypt.org/docs/duplicate-certificate-limit/
+- Use `sudo ./create_nginx_service.sh clear DOMAIN` to remove related files from your system. This will remove:
+    - /etc/nginx/sites-available/DOMAIN.conf
+    - /etc/nginx/sites-enabled/DOMAIN.conf
+    - /etc/letsencrypt/live/DOMAIN*
+    - /etc/letsencrypt/archive/DOMAIN*
+    - /etc/letsencrypt/renewal/DOMAIN*
+- If `nginx` or `certbot` are not installed, they are installed using `apt`
+- If `/etc/ssl/certs/dhparam.pem` does not exist, a 4096 bit DH params is generated. This can take a while.
+- If `/var/lib/letsencrypt/.well-known` does not exist, it is created and appropriate permissions and groups are applied
+- If expected map parameters are missing from `/etc/nginx/conf.d/map.conf`, they are added
+- New configs are placed in `/etc/nginx/sites-available/` and enabled in `/etc/nginx/sites-enabled`
+
+# Resources
+
+- [https://docs.btcpayserver.org/Deployment/ReverseProxyToTor]()
diff --git a/start9-socat.md b/start9-socat.md
@@ -7,7 +7,6 @@ that will describe how to install and connect to Tailscale so that you can use t
 exposed ports from any other device in your tailnet, and how to use that Tailscale
 connection to expose services on the Internet using a VPS.
 
-
 1. Create a backup: https://docs.start9.com/0.3.5.x/user-manual/backups/backup-create
 1. SSH to your Start9: https://docs.start9.com/0.3.5.x/user-manual/ssh
 1. Enable the chroot-and-upgrade context
@@ -111,7 +110,7 @@ connection to expose services on the Internet using a VPS.
 
         tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      2795077/socat       
 
-1. Enable the service service to start automatically
+1. Enable the socat service to start automatically
 
         systemctl enable [email protected]
 
@@ -121,3 +120,7 @@ connection to expose services on the Internet using a VPS.
             ip route | grep default | awk '{print $9}'
 
 1. Create more services by repeating the previous steps, starting from 9
+
+# Resources
+
+- https://community.start9.com/t/diy-exposing-electrs-and-bitcoind-over-lan-in-startos-0-3/754