Posts made by Alex Sage

Alex Sage

I have had the same problem for months. @JaredBusch suggested spinning up a VC2 instance and then add block storage to it.

FFS. No.

0_1541633232405_93d11829-a74f-4f60-b017-1eba62c1c4cc-image.png

Alex Sage

@wirestyle22 Huh?

Alex Sage

https://github.com/aaronstuder/lxq/blob/master/wildcard.temp

Alex Sage

Got it!

0_1541553753187_d4c1fbf4-50c2-4c75-a912-648ab38aaaab-image.png

.conf coming soon!

Alex Sage

This is what I came up with. Going to make dinner, but I'll be back soon to test it

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name sub.domain.com;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.domain.com;

    location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://<IP_ADDRESS>:<PORT>;
                proxy_redirect off;
        }

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;


    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

    resolver 1.1.1.1;

}

Alex Sage

I have been enjoying your podcast! I'll be listening on the ride home tonight!

Alex Sage

 server {
     listen 80 default_server;
     listen [::]:80 default_server;
 
     # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
     return 301 https://$host$request_uri;
 }
 
 server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;

How do I change this to listen for subdomain.domain.com?

Also, where do I add in the location lines?

 location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header Host $http_host;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://<IP_ADDRESS>:<PORT>;
                proxy_redirect off;
        }

Alex Sage

I'll have to try it again soon, and provide more details.

Alex Sage

@black3dynamite when I tried to merge together my existing .conf with this I kept getting errors. Hoping someone here with more nginx experience can help

Alex Sage

Certificates will be from let's encrypt of course

Alex Sage

I am trying to get a working .conf for a NGINX Reverse Proxy using the Mozilla SSL Configuration Generator, but it keeps getting me issues.

Anyone ever done this before?

Here is the NGINX Modern example:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;


    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

    ....
}

https://mozilla.github.io/server-side-tls/ssl-config-generator/

Alex Sage

@gjacobse said in UBNT: UniFi Controller Issue:

@dbeato said in UBNT: UniFi Controller Issue:

@gjacobse said in UBNT: UniFi Controller Issue:

@jmoore said in UBNT: UniFi Controller Issue:

@gjacobse Did you enable the service to make sure it restarts on its own?

In theory yes. but it doesn't seem to be working. And the Fedora commands I find are more than a year old

Wait,you have Unifi on Fedora?

Yes -