• Lets Encrypt and NPM

    From poindexter FORTRAN@1:103/705 to All on Thu May 16 00:30:49 2024
    I have Let's Encrypt running on my BBS, with several subdomains off of realitycheckbbs.org. I've got other systems using Let's Encrypt.

    I used to have to change my router NAT entries to point 80 to each system that I manually renewed the certificate on.

    I set up Nginx Proxy Manager and have it proxying for my internal hosts. It can register certs for my internal hosts.

    Instead of running SSL natively on Synchronet, would anything break by just running http internally and using NPM to manage certificates and then pass on HTTPS traffic to HTTP internally?
    ---
    ■ Synchronet ■ .: realitycheckbbs.org :: scientia potentia est :.
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From fusion@1:103/705 to poindexter FORTRAN on Thu May 16 19:48:00 2024
    On 16 May 2024, poindexter FORTRAN said the following...

    Instead of running SSL natively on Synchronet, would anything break by just running http internally and using NPM to manage certificates and
    then pass on HTTPS traffic to HTTP internally?

    i have mine set up like this.. perhaps it will be useful:

    server {
        listen 443 ssl;

        # one certificate covering all of the proxied hostnames
        ssl_certificate /etc/ssl/certificate_for_allofthem.crt;
        ssl_certificate_key <yadda>;   # path to the matching private key

        # boilerplate stuff
        root /var/www/example;
        index index.html index.htm;

        server_name example.cfbbs.net;

        # magic: ACME http-01 challenge files are served from the proxy host,
        # so certificate renewal never has to reach the internal machine
        location /.well-known/ {
            alias /var/www/steal/verification/example/.well-known/;
        }

        # pass everything else to the internal host over plain http
        location / {
            proxy_pass http://local_machine:3000; # or whatever
            # <other stuff for proxy_pass>
        }
    }

    then i do all the certificate updates from the one machine that runs the nginx proxy with a crontab entry

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    # Origin: cold fusion - cfbbs.net - grand rapids, mi
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From Digital Man@1:103/705 to poindexter FORTRAN on Fri May 17 16:13:32 2024
    Re: Lets Encrypt and NPM
    By: poindexter FORTRAN to All on Thu May 16 2024 12:30 am

    I have Let's Encrypt running on my BBS, with several subdomains off of realitycheckbbs.org. I've got other systems using Let's Encrypt.

    I used to have to change my router NAT entries to point 80 to each system that I manually renewed the certificate on.

    I set up Nginx Proxy Manager and have it proxying for my internal hosts. It can register certs for my internal hosts.

    Instead of running SSL natively on Synchronet, would anything break by just running http internally and using NPM to manage certificates and then pass on HTTPS traffic to HTTP internally?

    Yeah, it's been done before (e.g. using nginx as a reverse proxy from https->http).
    --
    digital man (rob)

    Steven Wright quote #12:
    OK, so what's the speed of dark?
    Norco, CA WX: 68.6°F, 66.0% humidity, 7 mph WNW wind, 0.00 inches rain/24hrs --- SBBSecho 3.20-Linux
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to poindexter FORTRAN on Tue May 21 02:26:41 2024
    Re: Lets Encrypt and NPM
    By: poindexter FORTRAN to All on Thu May 16 2024 00:30:49

    I set up Nginx Proxy Manager and have it proxying for my internal hosts. It can register certs for my internal hosts.

    Instead of running SSL natively on Synchronet, would anything break by just running http internally and using NPM to manage certificates and then pass on HTTPS traffic to HTTP internally?

    I don't use Nginx Proxy Manager, but I do use nginx in this configuration and have done on and off for 10+ years. As long as you're not paranoid about someone capturing the traffic between proxy and upstream, it's fine.

    Websockets (ie. for ftelnet) will break, but that's fixable. My current solution is a separate upstream that points at my plain websocket server (port 1123), and a server{} block that listens on eg. port 1124 and does SSL reverse proxying to that upstream. webv4 has a 'wssp' setting that forces the WSS port (eg. to 1124) for this exact scenario.

    This is where NPM might get in your way. I chatted with someone who was using NPM and couldn't make it do the needful re: websockets. I suspect it was sacrificing this level of configurability in favour of user-friendliness. I didn't dig deep into that because I don't use NPM and don't want to.

    IMHO nginx configs are quite easy to manage by hand on a small scale like you'd typically find in BBS-land. I suspect you'd be doing yourself a favour by just taking NPM out of the mix and using nginx on its own. I can share my settings with you if you like.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
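    The two setups described in this thread (fusion's https-to-http proxy with the ACME challenge served from the proxy host, and echicken's separate TLS listener that proxies to a plain websocket server so ftelnet keeps working) combined into one nginx configuration. This is an added example, not fusion's or echicken's config and not from the gists linked below; the hostname bbs.example.org, the internal ports 8080 and 1123, the WSS port 1124 and the certbot-style paths under /etc/letsencrypt and /var/www/acme are assumptions for illustration.

```nginx
# Added example (not from the thread). Hostname, ports and paths are assumed.

# Plain-HTTP upstream: Synchronet's web server, listening on 8080 internally.
upstream bbs_web {
    server 127.0.0.1:8080;
}

# Plain websocket service (the "port 1123" from echicken's description).
upstream bbs_ws {
    server 127.0.0.1:1123;
}

# Port 80: serve the ACME http-01 challenge here, redirect everything else.
# Renewal (e.g. certbot --webroot -w /var/www/acme) runs on the proxy host,
# so the router never needs a NAT change per internal system.
server {
    listen 80;
    server_name bbs.example.org;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS is terminated here; the upstream only ever sees plain HTTP.
server {
    listen 443 ssl;
    server_name bbs.example.org;

    ssl_certificate     /etc/letsencrypt/live/bbs.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bbs.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://bbs_web;
        # Tell the upstream who the real client is and that the
        # original request was https, since it only sees the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Port 1124: WSS for ftelnet, proxied to the plain websocket server on 1123.
# This is the listener webv4's 'wssp' setting would point at.
server {
    listen 1124 ssl;
    server_name bbs.example.org;

    ssl_certificate     /etc/letsencrypt/live/bbs.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bbs.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://bbs_ws;
        # Websocket upgrade: without these three directives the Upgrade
        # handshake is dropped and the client gets a plain HTTP reply,
        # which is the "websockets will break" symptom.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
        proxy_read_timeout 3600s;   # keep idle terminal sessions open
    }
}
```

    Two points a practitioner would check before relying on this. First, the hop from proxy to upstream is unencrypted, as echicken notes; that is only acceptable if the upstream listens on loopback or a host-only interface and is not reachable from the rest of the network, so confirm the bind address on the Synchronet side rather than assuming it. Second, the whole configuration, certificate paths and ports included, is a single file that can be validated with nginx -t before reload, which is the "easy to manage by hand" property that a GUI layer such as NPM hides when it cannot express the websocket upgrade headers.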
  • From poindexter FORTRAN@1:103/705 to echicken on Tue May 21 06:47:00 2024
    echicken wrote to poindexter FORTRAN <=-

    IMHO nginx configs are quite easy to manage by hand on a small scale
    like you'd typically find in BBS-land. I suspect you'd be doing
    yourself a favour by just taking NPM out of the mix and using nginx on
    its own. I can share my settings with you if you like.

    Thanks for the offer, I'd love to see your setup. I use nginx at work
    both as a web server and proxy, so I know my way around nginx pretty
    well. I'm mostly using NPM because I liked the front-end and it came in
    a container :)



    --- MultiMail/Win v0.52
    ■ Synchronet ■ .: realitycheckbbs.org :: scientia potentia est :.
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
  • From echicken@1:103/705 to poindexter FORTRAN on Tue May 21 13:26:34 2024
    Re: Re: Lets Encrypt and NPM
    By: poindexter FORTRAN to echicken on Tue May 21 2024 06:47:00

    Thanks for the offer, I'd love to see your setup. I use nginx at work both as a web server and proxy, so I know my way around nginx pretty well. I'm

    Pretty straightforward, covering the BBS webserver and websocket service:

    https://gist.github.com/echicken/1458e692913f0b549f215a7cc78c3785

    mostly using NPM because I liked the front-end and it came in a container :)

    I'm running nginx and certbot (among others) in docker containers:

    https://gist.github.com/echicken/5e7484c7220da6889ed2287c94dceb5c

    mostly to make things easier when migrating my BBS to a new host, which happens every so often.

    echicken
    electronic chicken bbs - bbs.electronicchicken.com
    ---
    ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
    * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)