XO behind proxy or exposed directly?
-
I’ve recently switched my home lab back to XS/XO because, well, KVM just wasn’t working out like I wanted it to.
I want to access XO over the web, among other websites in my home lab. Would it be best to set up an NGINX proxy for this or expose XO directly to the web?
There is a guide in the XO documentation on setting up https... but I’m feeling like this is best handled via reverse proxy.
https://xen-orchestra.com/docs/configuration.html#https -
Reverse Proxy - NGINX
-
My inclination would be to use HTTPS rather than reverse proxy, but don't take that to mean anything.
To the next point, I would also host this in vultr or some such place and let it live there.
-
@dustinb3403 said in XO behind proxy or exposed directly?:
My inclination would be to use HTTPS rather than reverse proxy, but don't take that to mean anything.
That would be stupid as it would negate using any other services on port 443 for his home lab.
A proxy is the better answer because it will allow him to use whatever other services he wants on his lab without having to use random port numbers for everything.
-
It would also centralize all the SSL certs on the proxy. Everything would terminate there and hit the services behind the proxy over standard ports.
-
@jaredbusch said in XO behind proxy or exposed directly?:
It would also centralize all the SSL certs on the proxy. Everything would terminate there and hit the services behind the proxy over standard ports.
@JaredBusch Do you have a guide for this using Let's Encrypt?
-
@aaronstuder said in XO behind proxy or exposed directly?:
@jaredbusch said in XO behind proxy or exposed directly?:
It would also centralize all the SSL certs on the proxy. Everything would terminate there and hit the services behind the proxy over standard ports.
@JaredBusch Do you have a guide for this using Let's Encrypt?
https://mangolassi.it/topic/7127/setting-up-letsencrypt-on-a-centos-7-nginx-proxy
-
That is really old though... So meh, I need new instructions.. Today it should all be through certbot.
-
@jaredbusch said in XO behind proxy or exposed directly?:
@aaronstuder said in XO behind proxy or exposed directly?:
@jaredbusch said in XO behind proxy or exposed directly?:
It would also centralize all the SSL certs on the proxy. Everything would terminate there and hit the services behind the proxy over standard ports.
@JaredBusch Do you have a guide for this using Let's Encrypt?
https://mangolassi.it/topic/7127/setting-up-letsencrypt-on-a-centos-7-nginx-proxy
Would need to be converted for Debian/Ubuntu but it should work just the same.
-
Another vote for a reverse proxy, in most cases.
-
@dustinb3403 said in XO behind proxy or exposed directly?:
@jaredbusch said in XO behind proxy or exposed directly?:
@aaronstuder said in XO behind proxy or exposed directly?:
@jaredbusch said in XO behind proxy or exposed directly?:
It would also centralize all the SSL certs on the proxy. Everything would terminate there and hit the services behind the proxy over standard ports.
@JaredBusch Do you have a guide for this using Let's Encrypt?
https://mangolassi.it/topic/7127/setting-up-letsencrypt-on-a-centos-7-nginx-proxy
Would need to be converted for Debian/Ubuntu but it should work just the same.
Umm what?
The proxy should not be on the same system as XO in a case like this. It should be its own VM.
-
Reverse proxy is my recommendation as well.
-
@jaredbusch said in XO behind proxy or exposed directly?:
@dustinb3403 said in XO behind proxy or exposed directly?:
@jaredbusch said in XO behind proxy or exposed directly?:
@aaronstuder said in XO behind proxy or exposed directly?:
@jaredbusch said in XO behind proxy or exposed directly?:
It would also centralize all the SSL certs on the proxy. Everything would terminate there and hit the services behind the proxy over standard ports.
@JaredBusch Do you have a guide for this using Let's Encrypt?
https://mangolassi.it/topic/7127/setting-up-letsencrypt-on-a-centos-7-nginx-proxy
Would need to be converted for Debian/Ubuntu but it should work just the same.
Umm what?
The proxy should not be on the same system as XO in a case like this. It should be its own VM.
Sorry, completely not thinking about an RP.. only about XO
-
Hypothetically, if XO was the only web server I wanted to use, would there be any benefit at all of using a reverse proxy instead of just forwarding 443 directly to XO?
-
If using nginx for RP do you still need to set up the web server behind it to run https and force redirects, etc?
-
@bnrstnr said in XO behind proxy or exposed directly?:
If using nginx for RP do you still need to set up the web server behind it to run https and force redirects, etc?
No, Nginx is a webserver.
Here is my old ass guide to that too: https://mangolassi.it/topic/6905/setting-up-nginx-on-centos-7-as-a-reverse-proxy
SO many guides to update
-
@bnrstnr said in XO behind proxy or exposed directly?:
only web server I wanted to use, would there be any benefit at all of using a reverse proxy instead of just forwarding 443 directly to XO?
Still it would help for security purposes.
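
The layout recommended in this thread, as an added example that is not from any of the posters or from the linked guides: one NGINX VM terminates TLS on 443 for every lab hostname and forwards to each service over plain HTTP. The hostnames, backend addresses and the second service are placeholders, and the certificate paths assume certbot's default layout.

```nginx
# Added example. All names and addresses below are placeholders.

# Force HTTPS at the proxy so the backends do not need their own redirects.
server {
    listen 80;
    server_name xo.example.com wiki.example.com;
    return 301 https://$host$request_uri;
}

# Xen Orchestra: TLS ends here, the XO VM is reached over plain HTTP.
server {
    listen 443 ssl;
    server_name xo.example.com;

    ssl_certificate     /etc/letsencrypt/live/xo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xo.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.0.2.10:80;          # XO VM (placeholder)
        proxy_http_version 1.1;
        # The XO web UI uses WebSockets; pass the upgrade handshake through.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout   1800;                # long-running consoles and tasks
        client_max_body_size 4G;                  # VM/ISO uploads through the UI
    }
}

# A second service sharing port 443, selected by hostname.
server {
    listen 443 ssl;
    server_name wiki.example.com;

    ssl_certificate     /etc/letsencrypt/live/wiki.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.0.2.20:80;          # other lab service (placeholder)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the hop from the proxy to each backend is unencrypted, keep it on an internal network segment and firewall the XO VM so that only the proxy can reach its web port.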