Home broadband users with a public IP sometimes need to expose a web service inside the LAN (for example NAS remote access) to the outside through port forwarding on the router. Plain HTTP is transmitted in the clear, so it can be eavesdropped on; if the NAS uses a self-signed certificate and is simply port-forwarded, Chrome treats the connection as a risk and refuses to connect (I am on version 80.0.3987, started with a command-line parameter, and the certificate cannot be added to the system trust store the usual way); some NAS units ship a Let's Encrypt plugin that can apply for a certificate, but that only puts HTTPS on the single NAS. This article describes how to install NGINX on the router, deploy SSL there, and reverse proxy several HTTP services on the LAN behind it.
Requirements
A domain name (no ICP filing is needed); a router with a public IP running Pandorabox firmware (in theory any OpenWrt-based firmware will do); a reasonably up-to-date package source.
As of 2020.03 the available Pandorabox package source address is http://downloads.pangubox.com:6380/pandorabox
For example, my router is a newifi D1, and the corresponding feed configuration is:
src/gz 18.10_base http://downloads.pangubox.com:6380/pandorabox/18.10/packages/mipsel_1004kc_dsp/base
src/gz 18.10_lafite http://downloads.pangubox.com:6380/pandorabox/18.10/packages/mipsel_1004kc_dsp/lafite
src/gz 18.10_luci http://downloads.pangubox.com:6380/pandorabox/18.10/packages/mipsel_1004kc_dsp/luci
src/gz 18.10_mtkdrv http://downloads.pangubox.com:6380/pandorabox/18.10/packages/mipsel_1004kc_dsp/mtkdrv
src/gz 18.10_newifi http://downloads.pangubox.com:6380/pandorabox/18.10/packages/mipsel_1004kc_dsp/newifi
src/gz 18.10_packages http://downloads.pangubox.com:6380/pandorabox/18.10/packages/mipsel_1004kc_dsp/packages
Installing NGINX and acme.sh
On Pandorabox, nginx can be installed from the web administration interface or from the command line with opkg install nginx. Install acme.sh according to its official instructions, but before running it install these packages first: curl wget ca-certificates openssl-util ca-bundle socat
ca-bundle is the bundle of packaged CA root certificates; Pandorabox ships without any root CA certificate by default, so it cannot verify any SSL connection (including acme.sh's own connection to Let's Encrypt). socat is used by some acme.sh functions (its standalone mode), so it is best to install it as well.
There are a few things to note during installation:
1. After installing nginx it will report that it failed to start because the port is in use. This is normal: port 80 is already occupied by the router's web management interface (the uhttpd service). We will change the nginx configuration file later.
2. With HTTP validation, note that uhttpd's default web root is /www, and port 80 must be opened in the firewall. If the ISP blocks port 80, webroot validation over HTTP cannot be used, but acme.sh can listen on a different port in standalone mode. For example, to use port 88, open port 88 in the firewall and then run the validation command:
acme.sh --issue -d example.com --standalone --httpport 88
Be aware, though, that Let's Encrypt always sends the HTTP-01 validation request to port 80 of the domain; --httpport only changes the port acme.sh listens on locally, so this works only if external port 80 still reaches port 88 on the router (for example through a port redirect). If the ISP drops inbound port 80 entirely, HTTP validation cannot succeed and DNS validation (point 3) is the way out.
If you use acme.sh's automatic nginx mode, nginx must already be running correctly, uhttpd must be configured so that it does not conflict with nginx on the port, and the firewall must be adjusted accordingly; this is not recommended.
3. With DNS validation nothing needs to be configured on the router; it is recommended to use acme.sh's automatic TXT record function (its DNS API mode).
4. The certificate can be copied with acme.sh's install command, but it needs the following modification:
acme.sh --installcert -d example.com \
    --key-file /etc/nginx/key.pem \
    --fullchain-file /etc/nginx/cert.pem
    # do not add --reloadcmd "service nginx force-reload"
Without a reload command nginx keeps serving the old certificate after acme.sh's automatic renewal until it is restarted; if you want that to happen automatically, point --reloadcmd at the router's init script instead, i.e. --reloadcmd "/etc/init.d/nginx restart".
Nginx configuration
The certificate has now been obtained; next comes the nginx configuration. Suppose the two web services on our LAN are at http://192.168.0.100 and http://192.168.0.102/test
user nobody nogroup;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    #default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    client_body_timeout 3600;
    client_header_timeout 1800;
    keepalive_timeout 15;
    send_timeout 3600;

    gzip on;

    server {
        listen 443 ssl;    # if 443 is inconvenient, another port can be used
        server_name example.com;
        charset utf-8;

        # Relative paths are resolved against the directory of nginx.conf
        # (/etc/nginx), i.e. the files written by acme.sh --installcert above.
        # Do not swap the two: cert.pem is the certificate (full chain),
        # key.pem is the private key.
        ssl_certificate cert.pem;
        ssl_certificate_key key.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        # Recommended addition: ssl_protocols TLSv1.2; (older nginx defaults
        # also enable TLSv1 and TLSv1.1)

        #access_log logs/host.access.log main;
        #error_page 404 /404.html;

        proxy_connect_timeout 180;
        proxy_send_timeout 180;
        proxy_read_timeout 180;
        proxy_set_header Host $host;
        # the standard header name is X-Forwarded-For (the original had a typo)
        proxy_set_header X-Forwarded-For $remote_addr;

        location /servertest {
            # proxy_pass with a URI part: /servertest/... is forwarded as /test/...
            proxy_pass http://192.168.0.102/test;
            proxy_redirect default;
            # nginx does not buffer here; every request is forwarded straight to the backend
            proxy_buffering off;
        }

        location /server1 {
            # no URI part: the backend receives the unchanged /server1/... path;
            # if the backend does not expect that prefix use proxy_pass http://192.168.0.100/;
            proxy_pass http://192.168.0.100;
            # with default buffering nginx caches content, which is slightly faster,
            # but may run into timeout issues
        }

        location ~ /\.ht {
            deny all;
        }

        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #    root html;
        #}
    }
}
Restart the nginx service: /etc/init.d/nginx restart
If no error message is printed and the corresponding firewall port is already open, visit https://example.com/server1 and https://example.com/servertest (append the port number if you chose a port other than 443) and you will find that the services now run over SSL. For more services, simply add more subdirectory locations to forward.
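Before restarting nginx (and again after every renewal) it is worth confirming that the two files acme.sh wrote are the ones nginx expects: that they are not swapped, that the key really belongs to the certificate, and that the certificate is not about to expire. The script below is an added example, not part of the original article; it assumes the paths used above (/etc/nginx/cert.pem for the full chain, /etc/nginx/key.pem for the key) and the openssl-util package from the install step, and is written in POSIX sh so it runs under busybox ash on the router as well as under bash.

```shell
#!/bin/sh
# check_cert_pair.sh: sanity-check the certificate/key pair installed for nginx.
# Added example for this article; assumes /etc/nginx/cert.pem and /etc/nginx/key.pem
# (the --installcert paths above) and openssl from the openssl-util package.

# check_cert_pair CERT KEY [MIN_SECONDS]
# Returns 0 if CERT looks like a PEM certificate, KEY like a PEM private key,
# and (when openssl is available) the two belong together and CERT stays valid
# for at least MIN_SECONDS (default 7 days). Prints the reason on failure.
check_cert_pair() {
    cert=$1
    key=$2
    min_secs=${3:-604800}

    [ -f "$cert" ] || { echo "missing certificate file: $cert" >&2; return 1; }
    [ -f "$key" ]  || { echo "missing key file: $key" >&2; return 1; }

    # The classic mistake is swapping the two paths in nginx.conf or in
    # --installcert; the PEM headers catch that even without openssl.
    grep -q 'BEGIN CERTIFICATE-----' "$cert" \
        || { echo "$cert holds no PEM certificate (files swapped?)" >&2; return 1; }
    grep -q 'PRIVATE KEY-----' "$key" \
        || { echo "$key holds no PEM private key (files swapped?)" >&2; return 1; }

    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; header check only (install openssl-util)" >&2
        return 0
    fi

    # Key/certificate match: the public key derived from the private key must
    # equal the public key in the leaf certificate (the first one in fullchain).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "$cert is not a valid X.509 certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "$key is not a valid private key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and key do not match" >&2; return 1; }

    # Let's Encrypt certificates are short-lived; without a --reloadcmd nginx
    # keeps the old file loaded, so warn when the file itself is nearly expired.
    openssl x509 -in "$cert" -noout -checkend "$min_secs" >/dev/null \
        || { echo "certificate expires within $min_secs seconds; renew/reinstall it" >&2; return 1; }

    echo "ok: $cert and $key match and are valid"
    return 0
}

# Stand-alone use on the router: sh check_cert_pair.sh [cert.pem] [key.pem]
if [ "$#" -ge 1 ]; then
    check_cert_pair "$1" "${2:-/etc/nginx/key.pem}"
    exit $?
fi
```

Run it as `sh check_cert_pair.sh /etc/nginx/cert.pem /etc/nginx/key.pem` before `/etc/init.d/nginx restart`; a non-zero exit status means nginx would either fail to start or serve a stale or mismatched certificate. Because `openssl x509` only reads the first certificate in the file, the check works on the full-chain file exactly as nginx uses it.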
Notes
1. In theory the nginx configuration can be prepared on a LAN host beforehand; in the end you only need to copy the two generated certificate files manually into /etc/nginx on the router. The HTTP validation step then needs a port forward to that host during validation, or use DNS validation instead.
2. Even if nginx cannot be installed on the router, you can install it on a LAN host and set that host as the DMZ/exposed host or map the port to it; the effect is the same, and the steps are not repeated here.
3. The SSL overhead on the router is not small: on the author's newifi D1, large-file download throughput halved compared with plain HTTP during testing and the router ran at full load. Use a higher-spec router if you can.