
Domains Letsencrypt Installing without leaking IP from Host --> More in the Thread

Discussion in 'Install & Upgrades or Pre-Install Questions' started by hazehs, Jul 18, 2020.

  1. hazehs (New Member)
    Hello Guys,

    I got a XenForo forum and now want to switch to Centmin Mod, because I got a better server.

    The "problem" is, my domain is pointing with the A record to an external reverse proxy, and the reverse proxy is pointing to my IP.
    I got my domain at Cloudflare without proxy.
    So I need my SSL Let's Encrypt certificate via DNS-01 challenge.
    Is this possible in Centmin Mod? Or is it possible to just install certbot with the Cloudflare addon?

    I also got an external mail server (Mailcow) and an external image proxy. So at this point I'm safe.

    Also, there should be no "catchall" server block in nginx, so only my domain is the server name.

    I hope you understand my problem, I'm not a native speaker. My English is not that good.
    Sorry for that.

    Regards!
  2. pdinh97qng (Member)
  3. hazehs (New Member)
    Thanks for your response.

    I know that this is working, BUT then my reverse proxy provider is not working correctly.

    The domain is pointing to the reverse proxy's IP and the reverse proxy is pointing to my IP.
  4. Rake-GH (Active Member)
    Sorry, it's hard for me to understand your question, but I don't see any reason why you can't use the HTTP-01 challenge.
  5. eva2000 (Administrator, Staff Member)
    You mean you have a setup like

    visitor > reverse proxy > XenForo forum on Cloudflare DNS only (without CF proxy protection)

    Really all you need for a XenForo forum is to
    1. put it behind Cloudflare full CF proxy (orange cloud) so the Cloudflare proxy handles the SSL certificate/HTTPS, and
    2. then configure the XenForo forum with an appropriate forward proxy for link unfurling/image proxying to prevent real IP leakage via XF 2.x's $config['http']['proxy'] config option as per Config.php options - XenForo 2 Manual, and
    3. then set up XenForo to send emails via the Amazon SES SMTP mail server, which removes and hides your real server IP from email source headers: Amazon AWS - Amazon AWS SES SMTP Transactional Email Info.
    You can do all these steps and, after everything is set up, just change your server's real IP address with your web host so any previous public record of your real server IP is changed.
  6. hazehs (New Member)
    Hello,

    thank you for your answer. I got many problems with the orange cloud and my reverse proxy host.
    I don't know why. A proxy server (TinyProxy) and Mailcow are already running on another server.
    So this is not the problem. I think only getting the SSL cert with DNS-01 is. I didn't look at this on Centmin Mod for a long time.
    I will study some Centmin Mod... xD
  7. eva2000 (Administrator, Staff Member)
    What Cloudflare SSL mode are you using, Flexible SSL or Full SSL? If you use Full SSL, then your reverse proxy needs HTTPS and an SSL cert to communicate with Cloudflare orange cloud proxied connections.

    But as I said, you don't need a reverse proxy in between Cloudflare and the Centmin Mod Nginx origin. What I outlined at Domains - Letsencrypt - Installing without leaking IP from Host --> More in the Thread is enough.
  8. hazehs (New Member)
    And this is what I mean:
    [IMG]

    The point is I got a reverse proxy from blazingfast.io, my domain is pointing to their IP and their host is pointing to my IP.

    The default page is working. I can see PHP infos and so on. Just the certificate is failing. This is why I need DNS verification.
    Is it possible to install certbot?
  9. hazehs (New Member)
    So I need to do it with the DNS API. I don't use the proxy from Cloudflare. I just got my nameserver there.
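Why DNS-01 sidesteps the proxy problem in this thread, as an added example (not part of the original posts, and not Centmin Mod's or certbot's code): it computes, from an ACME account key thumbprint (RFC 7638), both the body HTTP-01 expects at /.well-known/acme-challenge/<token> and the TXT value DNS-01 expects at _acme-challenge.<domain> (RFC 8555 section 8). The account key coordinates and the token are constructed placeholders.

```python
"""HTTP-01 vs DNS-01 challenge values (RFC 8555 section 8), computed from an
ACME account key thumbprint (RFC 7638).

Added example for this thread; not Centmin Mod or certbot code. The account
key coordinates and the token below are constructed placeholders."""
from __future__ import annotations

import base64
import hashlib
import json
import secrets

# RFC 7638 section 3.2: only these JWK members enter the thumbprint, in lexicographic order.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON (sorted keys, no whitespace) of the required members.
    Extra members such as 'kid' or 'alg' are deliberately ignored."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint(accountKey)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """HTTP-01: the CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80
    and expects the key authorization as the body. Every hop in front of the origin (the
    reverse proxy in this thread) must pass that path through unchanged."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> tuple[str, str]:
    """DNS-01: the CA looks up TXT _acme-challenge.<domain> and expects
    base64url(SHA-256(keyAuthorization)). No request ever reaches the origin, so the proxy
    is irrelevant; what the issuing host needs instead is a credential for the zone's DNS API."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return "_acme-challenge", b64url(digest)


# Constructed sample account key: P-256 coordinate placeholders, NOT a real key pair.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(1, 33))),
    "y": b64url(bytes(range(33, 65))),
    "kid": "not-part-of-the-thumbprint",
}

# Constructed token in the shape a CA sends one (base64url, >= 128 bits of entropy).
SAMPLE_TOKEN = b64url(secrets.token_bytes(32))

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    name, txt = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"HTTP-01: serve {body!r}\n         at {path} (proxy must forward this path to the origin)")
    print(f"DNS-01 : publish TXT {name}.<domain> = {txt!r} (origin never contacted)")
```

A DNS plugin such as certbot's dns-cloudflare one automates publishing that TXT record, which is why the Cloudflare API credential matters more than the proxy: scope it to DNS edit rights on that single zone and keep the credentials file readable only by the user that runs the ACME client, since anyone holding it can obtain certificates for every name in the zone.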
     
  10. eva2000 (Administrator, Staff Member)
    That error message isn't a Let's Encrypt end message, it's a Centmin Mod DNS check and is only an advisory, as it can't detect all configurations like your reverse proxy in between Cloudflare and the origin Centmin Mod Nginx. So all you do is answer yes to continue with the vhost creation with Let's Encrypt. Just make sure the reported DNS IP for your domain is pointing to your proxy IP and that is the IP being reported by the error message. If you know that is correct, answer yes to continue. As long as your reverse proxy will allow Let's Encrypt to validate against the yourdomain.com/.well-known/* generated file on the origin side, you should validate properly for Let's Encrypt.

    You can test that first by testing your domain at Let's Debug.
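The two conditions in the post above, as an added example (not Centmin Mod's own DNS check and not part of the original thread): the public A record should resolve to the proxy IP you expect, and a probe file planted under the origin webroot's /.well-known/acme-challenge/ should come back unchanged when fetched through the public hostname, which is exactly what a CA's HTTP-01 request needs the proxy to pass through. Domain, proxy IP and webroot are placeholders supplied on the command line; the resolver and fetcher are injectable so the logic can be exercised offline.

```python
"""Pre-flight for HTTP-01 behind a reverse proxy: does the public A record point at the
proxy IP you expect, and does a file dropped into the origin webroot under
/.well-known/acme-challenge/ come back unchanged through the public hostname?

Added example for this thread; not Centmin Mod's own DNS check. Hostnames, IPs and the
webroot path are placeholders; the real resolver/fetcher are only used from the CLI."""
from __future__ import annotations

import secrets
import socket
import sys
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable

CHALLENGE_DIR = ".well-known/acme-challenge"


def dns_points_at_proxy(domain: str, expected_proxy_ip: str,
                        resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """The advisory check from the thread, made explicit: with a proxy meant to hide the
    origin, the public A record should be the proxy's IP, never the origin's."""
    return resolve(domain) == expected_proxy_ip


def http_fetch(url: str, timeout: float = 10.0) -> tuple[int, bytes]:
    """Plain HTTP GET returning (status, body); non-2xx answers are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def challenge_path_passes_through(domain: str, webroot: Path,
                                  fetch: Callable[[str], tuple[int, bytes]] = http_fetch) -> bool:
    """Plant a random token where the ACME client would, then read it back through the URL a
    CA would use. A proxy that answers /.well-known/ itself, rewrites the path or demands a
    cookie fails here before any certificate request is attempted."""
    token = secrets.token_urlsafe(32)
    target = webroot / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(token)
    try:
        status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
        return status == 200 and body.strip() == token.encode("ascii")
    finally:
        target.unlink(missing_ok=True)  # never leave probe files in the webroot


def preflight(domain: str, proxy_ip: str, webroot: Path,
              resolve: Callable[[str], str] = socket.gethostbyname,
              fetch: Callable[[str], tuple[int, bytes]] = http_fetch) -> dict[str, bool]:
    """Both checks in one report; HTTP-01 is only worth attempting when both are True."""
    return {
        "dns_is_proxy": dns_points_at_proxy(domain, proxy_ip, resolve),
        "challenge_reachable": challenge_path_passes_through(domain, webroot, fetch),
    }


if __name__ == "__main__":
    # usage: python preflight.py example.com 203.0.113.10 /path/to/webroot   (all placeholders)
    domain, proxy_ip, webroot = sys.argv[1:4]
    report = preflight(domain, proxy_ip, Path(webroot))
    for check, ok in report.items():
        print(f"{check:20s} {'OK' if ok else 'FAIL'}")
    sys.exit(0 if all(report.values()) else 1)
```

This is a first filter, not a substitute for the Let's Debug test mentioned above: Let's Encrypt validates from several network vantage points and prefers IPv6 when the name has an AAAA record, while this script resolves IPv4 only and fetches from wherever it runs.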