NGINX: Certificates & Proxies

Rahul Rao
Aug 11, 2023


In a previous guide, I went over setting up NGINX proxy manager on bare metal in an Alpine Linux LXC. Now that it is up and running, we will configure our SSL certificates and proxies. This tutorial only covers accessing services over HTTPS within the home network; it does not expose our services to the internet.

Getting a Certificate

We will be getting an SSL certificate using a DNS challenge so that we do not have to forward ports on the router. I do not like opening ports on my router unless absolutely necessary.

The first order of business is finding ourselves a DNS provider. There are plenty of them out there and in my case I will be using DuckDNS. I will create a new domain abc.duckdns.org and point it to my server’s IP address 192.168.x.y and not my home’s public IP address.

Next, make a note of your DuckDNS token. You will need this later.

In order to generate a certificate on our installation, we will use certbot. However, we first need to install a plugin that lets certbot perform DNS challenges. To do this, verify that your certbot version is >= 1.18.0 by running certbot --version and then install the plugin with:

pip install certbot_dns_duckdns

If you are using another DNS provider, you’ll need to find and install the certbot plugin for your provider. Now, we are ready to add the certificate in NGINX proxy manager.

Log into NGINX proxy manager and go to SSL Certificates. Click on Add SSL Certificate. The great part about DNS challenges is that we can generate a wildcard certificate covering all our services in one go. To do this, add the following domains. Note: replace abc with your subdomain.

abc.duckdns.org
*.abc.duckdns.org

Enter your email address and choose Use a DNS challenge. Select your DNS provider. In this case, I will use DuckDNS.

Fill out your DuckDNS token in the textbox, making sure there are no leading or trailing spaces, then set the propagation time to 120 and accept the terms and conditions. Then, click save. If all goes well your certificate has been set up and will automatically be renewed!

If you see any errors, make sure your DNS provider's plugin is installed into certbot and increase the propagation time.
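The steps above are done through the NGINX proxy manager UI, which calls certbot for you. When the UI reports an error, it helps to run the same checks and the same issuance by hand, which is what this script does. It is an added example and not code from the original post or from the NGINX proxy manager project. The plugin flags it passes (--authenticator dns-duckdns, --dns-duckdns-token, --dns-duckdns-propagation-seconds) are assumed from the certbot_dns_duckdns plugin's documentation; the environment variable names are my own.

```shell
#!/bin/sh
# Pre-flight checks and wildcard issuance for a DuckDNS DNS-01 challenge.
# Added example, not from the original post. The dns-duckdns flags below are
# assumed to match the certbot_dns_duckdns plugin; DUCKDNS_* variable names
# are chosen for this script only.

# version_ge HAVE NEED: succeed when dotted version HAVE is >= NEED
version_ge() {
    awk -v have="$1" -v need="$2" 'BEGIN {
        n = split(have, h, "."); m = split(need, w, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            x = (i <= n) ? h[i] + 0 : 0
            y = (i <= m) ? w[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# check_token TOKEN: the token must be non-empty and contain no whitespace;
# a copied token with a stray leading/trailing space is a classic cause of a
# failed challenge (the TXT record is created with the wrong credentials).
check_token() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ]
}

# plugin_installed: certbot lists every authenticator it can load under
# `certbot plugins`; if dns-duckdns is missing, pip installed it into the
# wrong Python environment or not at all.
plugin_installed() {
    certbot plugins 2>/dev/null | grep -q 'dns-duckdns'
}

# issue_wildcard DOMAIN EMAIL TOKEN [extra certbot args]
# Requests both the bare name and the one-label wildcard in a single cert,
# exactly as the two entries added in the NPM UI. Note that a token on the
# command line is visible in the process list while certbot runs.
issue_wildcard() {
    domain=$1; email=$2; token=$3; shift 3
    certbot certonly \
        --authenticator dns-duckdns \
        --dns-duckdns-token "$token" \
        --dns-duckdns-propagation-seconds 120 \
        -d "$domain" -d "*.$domain" \
        --agree-tos -m "$email" --non-interactive "$@"
}

main() {
    domain=$DUCKDNS_DOMAIN
    email=${DUCKDNS_EMAIL:?set DUCKDNS_EMAIL}
    token=${DUCKDNS_TOKEN:?set DUCKDNS_TOKEN}

    # `certbot --version` prints "certbot X.Y.Z" (stderr on older releases)
    have=$(certbot --version 2>&1 | awk '{print $2}')
    version_ge "$have" 1.18.0 || { echo "certbot $have is older than 1.18.0" >&2; exit 1; }
    plugin_installed || { echo "dns-duckdns plugin not loaded (pip install certbot_dns_duckdns)" >&2; exit 1; }
    check_token "$token" || { echo "DuckDNS token is empty or contains whitespace" >&2; exit 1; }

    # Rehearse against the Let's Encrypt staging environment first so a
    # misconfigured DNS record does not burn the production rate limit.
    issue_wildcard "$domain" "$email" "$token" --dry-run
    issue_wildcard "$domain" "$email" "$token"
}

# Only run the flow when a domain is supplied, so the functions can be sourced.
if [ -n "${DUCKDNS_DOMAIN:-}" ]; then
    main
fi
```

Run it as DUCKDNS_DOMAIN=abc.duckdns.org DUCKDNS_EMAIL=you@example.com DUCKDNS_TOKEN=... sh issue.sh. If the dry run fails with a DNS error, raising the propagation seconds is the first thing to try, as the post says; if certbot cannot find the authenticator, the plugin check above has already told you which environment to fix.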

Setting up hosts

Now that we have our certificate installed, let's add some hosts. For this example, I will be adding my Overseerr service, which normally sits at http://192.168.xx.yy:5055.

Go to Hosts > Proxy Hosts and then Add Proxy Host. Enter the domain name you want to use. In my case: movies.abc.duckdns.org. Then, enter the IP address and port of the service. For the options, I normally select Websockets Support (as most things I run use websockets), but you may have to tweak these to suit your service.

Then, go to the SSL tab and select the SSL certificate we just generated (usually at the very bottom). Once this is done, select Force SSL and HTTP/2 Support. Then, press save. You should see your new host in the table.

To test your new host, simply visit the domain you assigned it. No need to add a port number or specify http! In this case, when I go to movies.abc.duckdns.org I see this:
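Opening the page in a browser shows that the app loads, but it does not tell you whether Force SSL actually redirects cleartext requests, whether HTTP/2 was negotiated, or whether the wildcard certificate really covers the host name (a *.abc.duckdns.org wildcard matches exactly one label, so movies.abc.duckdns.org is covered but a.b.abc.duckdns.org is not). The following script checks all three from the command line. It is an added example, not part of the original post; it assumes curl and openssl are installed and that the host name given as its argument resolves on your network.

```shell
#!/bin/sh
# Verify an NGINX proxy manager host: HTTP->HTTPS redirect, HTTP/2, and
# certificate name coverage. Added example, not from the original post.
# Assumes curl >= 7.50 and openssl >= 1.1.1 on the machine running it.

# is_https_redirect OUT HOST: OUT is "<status> <redirect_url>" as produced by
# curl below; succeed only for a 301/302/307/308 to https://HOST/...
is_https_redirect() {
    case "$1" in
        30[1278]" https://$2/"*) return 0 ;;
    esac
    return 1
}

# check_force_ssl HOST: with "Force SSL" enabled, plain http:// must answer
# with a redirect to the https:// URL and never serve the app in cleartext.
check_force_ssl() {
    out=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1/")
    is_https_redirect "$out" "$1" && return 0
    printf 'no HTTPS redirect for %s (got: %s)\n' "$1" "$out" >&2
    return 1
}

# check_http2 HOST: %{http_version} is "2" when HTTP/2 was negotiated.
check_http2() {
    v=$(curl -sS -o /dev/null -w '%{http_version}' --http2 "https://$1/")
    [ "$v" = "2" ]
}

# cert_sans HOST: fetch the served certificate and print its SAN line, e.g.
# "DNS:abc.duckdns.org, DNS:*.abc.duckdns.org"
cert_sans() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | grep 'DNS:'
}

# san_covers HOST SANS: apply the browser's matching rule to a SAN list:
# exact names match exactly, and "*.suffix" matches one label only.
san_covers() {
    host=$1
    printf '%s\n' "$2" | tr ',' '\n' | (
        while read -r entry; do
            name=${entry#DNS:}
            case "$name" in
                '*.'*)
                    suffix=${name#\*.}
                    case "$host" in
                        *".$suffix")
                            label=${host%".$suffix"}
                            # label must be exactly one non-empty DNS label
                            case "$label" in ''|*.*) ;; *) exit 0 ;; esac ;;
                    esac ;;
                *) [ "$host" = "$name" ] && exit 0 ;;
            esac
        done
        exit 1
    )
}

main() {
    host=$1
    check_force_ssl "$host" && echo "Force SSL: ok"
    check_http2 "$host" && echo "HTTP/2: ok"
    sans=$(cert_sans "$host")
    if san_covers "$host" "$sans"; then
        echo "certificate covers $host"
    else
        echo "certificate does NOT cover $host ($sans)" >&2
        return 1
    fi
}

# Usage: sh check_host.sh movies.abc.duckdns.org
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

The name-coverage check is the one worth keeping around: if you later add a host two labels deep under the wildcard, the browser will warn and this script tells you why before you go looking at the proxy configuration.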

This means that everything is working as normal!

Credit

This video was quite useful, and contains a bit more information about how such DNS challenges work.

Disclaimer:

This is not a guide for setup in production or business environments. Please do your own research first for public or production environment setup.

I am not an IT professional. I am not tech support. I am a college student with a server. You are ultimately responsible for any commands you run on your system.

If you have any questions, leave a comment. Enjoy!
