Use Portainer to Install Nginx Docker as Reverse Proxy and Use CertBot Deploy LetsEncrypt Certificate into Nginx - NETSEC

Latest

Learning, Sharing, Creating

Cybersecurity Memo

Monday, March 1, 2021

Use Portainer to Install Nginx Docker as Reverse Proxy and Use CertBot Deploy LetsEncrypt Certificate into Nginx

Actually, this post is to continue my previous post: Install Ubuntu Desktop Docker Using Portainer and Access it From Browser (VNC/noVNC).

In that post, I deployed a Ubuntu Desktop Docker using Portainer and access it through a web browser. It only works on port 6080 and does not support https. In this post, I am putting a Nginx docker in front of Ubuntu Desktop Docker as a reverse proxy. Also I  deployed CertBot to issue a Let's Encrypt certificate for Ubuntu Desktop Docker's domain name. In this way, I can use my own sub-domain name on port 443, rather than 6080, to access my Ubuntu Desktop docker. Much easy and more professional way. 




    Using Portainer to Install Nginx Docker

    Make sure your domain novnc.51sec.org is pointing to your VPS's public ip.

    Create a new Container in Portainer:

    We are having three containers now managed by Portainer: Nginx, noVNC, and Portainer.



    Use Nginx As Reverse Proxy Server 

    In this lab, Nginx will be configured as reverse proxy to redirect all traffic for novnc.51sec.org on port 80 or 443 to proxied docker, noVNC. 

    apt update && apt install nano
    



    nano /etc/nginx/conf.d/novnc.conf



    nano /etc/nginx/conf.d/novnc.conf
    server {
        listen       80;
        server_name  novnc.51sec.org;
    
    location / {
        proxy_pass       http://172.31.23.170:6080;
        proxy_http_version         1.1;
        proxy_read_timeout 300;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
               }
    }
    
    service nginx restart

    Once nginx service restarted, the configuration will take effect. We will able to access Ubuntu desktop using sub domain name on port 80 ,  http://novnc.51sec.org


    Install Certbot

    Certbot is a free, open source software tool for automatically using Let’s Encrypt certificates on manually-administrated websites to enable HTTPS.

    With Certbot's help, we can easily convert a http site to secure https site using a nonprofit certificate authority provided ssl/tls certificate. 

    Unfortunately the install instruction from Certbot is not working for my Nginx docker. But I can run following two commands to get Certbot installed. 

    • apt install certbot
    • apt install python-certbot-nginx
    Based on your Linux version, you might get an error : Unable to locate package python-certbot-nginx

    root@80b7227d4eed:/etc/nginx/conf.d# apt install python-certbot-nginx
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    E: Unable to locate package python-certbot-nginx
    root@80b7227d4eed:/etc/nginx/conf.d# 
    
    In this case , install package apt install python3-certbot-nginx

    python3-certbot-nginx will be the right nginx plug-in for your situation. After this plugin installed, you can start to configure https for your site.

    Certbot issue certs for your domain

    Last step is to run Certbot to apply a SSL/TLS certificate for our Nginx website. It will automatically configure necessary configuration on our Nginx configuration. 

    Here is the command to apply certificate and make changes on configuration file:
    • certbot --nginx

    The novnc.conf configuration file has been changed to :

    root@613085cd0700:/# cat /etc/nginx/conf.d/novnc.conf 
    server {
        server_name  novnc.51sec.org;
    
    location / {
        proxy_pass       http://172.31.23.170:6080;
        proxy_http_version         1.1;
        proxy_read_timeout 300;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
               }
    
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/novnc.51sec.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/novnc.51sec.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
    }
    server {
        if ($host = novnc.51sec.org) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
    
    
        listen       80;
        server_name  novnc.51sec.org;
        return 404; # managed by Certbot
    
    
    root@613085cd0700:/# 
    


    After restart nginx service, https://novnc.51sec.org is up and it is using a valid certificate to encrypt the traffic between the client and server. 

    YouTube:





    1 comment: