Proxmox and reverse proxy
Hi people !
I've got one of these nice new KS-LE servers, and I'm configuring it for a local association. They have a few web services to host (a Nextcloud, the showcase website, maybe the websites of friendly associations, etc.).
For this I've deployed Proxmox, but I wonder how to manage the reverse-proxy side. Part of the issue is that Proxmox needs access to port 80 to get its Let's Encrypt cert for the administration web UI (the ACME plugin works in standalone mode). How do you usually manage this?

Comments
I myself use HAProxy inside a container and port-forward 80 and 443. HAProxy does TLS termination and forwards traffic to my other services using plain HTTP (locally only).
I do not use HTTP challenges for pveproxy, but rather use the self-signed cert between HAProxy and pveproxy (internally; ugly, but it works and there is not much traffic going on either).
But the HTTP challenge should work if you forward the correct domain with HAProxy on port 80 as well.
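An HAProxy configuration along the lines of what this post describes, added here as an illustration; it is not the poster's own config. The hostnames (pve.example.org, cloud.example.org, www.example.org) and the bridge addresses (10.0.0.x) are placeholders. Port 80 hands the ACME HTTP-01 challenge for the Proxmox hostname to pveproxy's standalone listener and redirects everything else to HTTPS; port 443 terminates TLS and forwards plain HTTP to the containers, except for pveproxy, which only speaks HTTPS on 8006 and is reached with its self-signed cert left unverified, as in the post.

```haproxy
global
    log /dev/log local0
    maxconn 2000
    # TLS floor for the public frontend; relax only if you must support old clients
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Port 80: serve the ACME HTTP-01 challenge, redirect everything else to HTTPS
frontend fe_http
    bind :80
    acl is_acme  path_beg /.well-known/acme-challenge/
    acl host_pve hdr(host) -i pve.example.org        # placeholder hostname
    # The Proxmox standalone ACME plugin binds :80 on the host only while an
    # order is running, so only challenge requests for the PVE name go there.
    use_backend be_pve_acme if is_acme host_pve
    http-request redirect scheme https code 301 unless is_acme

# Port 443: TLS termination, then plain HTTP to the internal services
frontend fe_https
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    acl host_pve hdr(host) -i pve.example.org
    acl host_nc  hdr(host) -i cloud.example.org      # placeholder hostname
    acl host_www hdr(host) -i www.example.org        # placeholder hostname
    use_backend be_pve       if host_pve
    use_backend be_nextcloud if host_nc
    use_backend be_www       if host_www
    default_backend be_www

backend be_pve_acme
    # No health check on purpose: the listener is normally closed, and a
    # failed check would mark the server down exactly when it is needed.
    server pve 10.0.0.1:80                           # placeholder host address

backend be_pve
    # pveproxy only listens on HTTPS/8006 with its own self-signed cert.
    # "verify none" re-encrypts without authenticating the host: acceptable
    # on a private bridge only. Long timeouts keep noVNC/xterm.js websockets alive.
    timeout server 3600s
    timeout tunnel 3600s
    server pve 10.0.0.1:8006 ssl verify none

backend be_nextcloud
    # LXC container on the private bridge, plain HTTP, as in the post
    server nc 10.0.0.10:80 check                     # placeholder address

backend be_www
    server www 10.0.0.20:80 check                    # placeholder address
```

If you would rather not leave the hop to pveproxy unauthenticated, HAProxy can pin the Proxmox cluster CA instead: replace `verify none` with `ca-file /etc/pve/pve-root-ca.pem verify required` (copy that file from the PVE host into the HAProxy container) and the self-signed pveproxy cert, which is issued by that CA, will verify. Only the cert for the ACME hostnames HAProxy serves itself needs to live under `/etc/haproxy/certs/`; the Proxmox cert stays on the host, obtained through the forwarded challenge above or through the DNS plugin mentioned later in the thread.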
There are many methods to obtain an LE SSL cert; you can use alternate methods like DNS authentication. For example, if your domain is registered on Cloudflare, you can use dns_cf. You just have to generate an API key.
I just use DNS validation. Go to DC > ACME > Plugins > check if your DNS provider is available > add the API key.
The easiest way to do this is to use the Cloudflare tunnel, which does not require any redundancy.
Thank you all for your answers !
It looks like the DNS ACME plugin can manage my provider! I thought it would be more complicated than that, but that will do the trick!
I also like @Pilzbaum's idea. I'm not sure it's the best idea here, but I'll keep it in mind if I want to make something fancier.
About Cloudflare, that's not in the plan, mostly because in this case it would not be compatible with GDPR when members' personal data is uploaded to the NC.
If you're familiar with Nginx, I'd go with that. Very flexible, even for different sources (VMs in your case, supposedly in different networks), and you can always use a pretty nice web GUI to get a nice overview if you have a few users who might need to edit entries as well but aren't that experienced (Nginx Proxy Manager). You just have to make sure that the Nginx server has access to the corresponding networks it should reverse proxy.
HAProxy is nice, really nice to be honest, but it has a tendency to get quite complex for new users in comparison to utilizing a tool such as Nginx Proxy Manager.
I guess it's not really what you asked, but do you need a hypervisor for this? It looks like all the services you listed could run on one Apache (or Nginx) setup.
Resource/network segmentation is a valid use case, I believe. But sure, if it's only a few containers, you have a point; it would be way easier to do it all in one Docker host, for example.
Yes, for service isolation: I'll not be the one taking care of all the web app administration. I'm not happy with the idea of having a WordPress website sitting next to a Nextcloud.
That would also be for separating the services and the administration rights between any other friendly associations which could be interested in this too.
I'll probably use LXC instead of VMs, but the overall idea is the same. Also, using Proxmox provides some administration simplicity like snapshots or remote encrypted backups with a nice UI.
That's a valid point. I've never used Docker; I thought it would be better to use the tool I know best.
Yep, I'm building this with Nginx; I would like to test the CrowdSec integration and the new ModSecurity.
I'm also planning to make a few Ansible playbooks to make this simpler for the others who might get their hands on this.
Ok, I see. It sounds like you're looking for a quite simple solution. I wouldn't add all the hassle of running a full hypervisor in your case. It will make things a lot harder to manage over time, and also add to the setup time. The whole concept of Docker is based on container isolation; a container knows nothing about what else is on the network aside from what you tell it.
Before committing too hard, I'd definitely have a look at Docker. It doesn't sound like you need the overhead that comes with Proxmox.