[SOLVED] Letsencrypt certificates when using a reverse proxy

andres-asm (New Member), Aug 29, 2024
Hi

I'm currently evaluating PMG.
How would I perform a certificate request when my Proxmox Mail Gateway is behind an NGINX reverse proxy?

I have PMG on server A and nginx on server B. I can access the web UI through NGINX just fine, and I have valid certificates on that box; I can request and renew the certificates as required.

But what I cannot do is order certificates for SMTP. As I understand it, when a certificate is requested a web server is spun up on server A... so should I forward port 80 to that server temporarily? Or maybe I can proxy that request to the PMG server too?

Solved it like this:

NGINX:

# PMG web UI (port 8006) and the plain-HTTP listener on the PMG host
# that answers the ACME HTTP-01 challenge during a certificate order
upstream proxmox {
    server 192.168.200.105:8006 fail_timeout=5s max_fails=3;
}
upstream proxmox-acme {
    server 192.168.200.105 fail_timeout=5s max_fails=3;
}

# redirects
server {
    listen *:80;
    server_name pmg.domain;

    root /var/www/letsencrypt;

    # forward the ACME challenge to the PMG host instead of redirecting it to HTTPS
    location /.well-known {
        proxy_pass http://proxmox-acme$request_uri?;
    }

    # everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# proxmox
server {
    listen *:443 ssl;
    server_name pmg.domain;

    root /srv/dummy;
    index index.html index.htm index.php;

    client_max_body_size 512M;

    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /srv/domain/dhparm.pem;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
    ssl_session_timeout 10m;
    ssl_session_cache shared:DUMMY-CACHE:2m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_ecdh_curve secp384r1;

    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    # web UI: proxy to pmgproxy on 8006, passing the client address and scheme along
    location / {
        proxy_pass https://proxmox;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
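A small lint for the port-80 block, added here as an example and not part of the post or of PMG or nginx: it parses an nginx snippet and checks that the ACME HTTP-01 path is proxied to the PMG host rather than caught by the catch-all HTTPS redirect, and flags a /.well-known prefix that is broader than /.well-known/acme-challenge/ (the only path the challenge needs, so nothing else on the backend is reachable over plain HTTP). The sample config is constructed; pmg.domain and proxmox-acme are the names used in the post.

```python
import re
# Constructed sample (not the poster's file) mirroring the port-80 block in the post.
PORT80_CONF = """
server {
    listen *:80;
    server_name pmg.domain;
    location /.well-known { proxy_pass http://proxmox-acme$request_uri?; }
    location / { return 301 https://$host$request_uri; }
}
"""

def parse(text):
    """Minimal nginx parser -> list of (name, args, children); children is None for a directive."""
    tokens = re.findall(r'[{};]|"[^"]*"|\'[^\']*\'|[^\s{};]+', re.sub(r'#[^\n]*', '', text))
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            end = next(i for i in range(pos, len(tokens)) if tokens[i] in ('{', ';'))
            words, pos = tokens[pos:end], end
            if tokens[pos] == ';':
                items.append((words[0], words[1:], None))
                pos += 1
            else:
                children, pos = block(pos + 1)
                items.append((words[0], words[1:], children))
                pos += 1  # skip the closing brace
        return items, pos
    return block(0)[0]

def listens_on_80(children):
    return any(d[0] == 'listen' and any(a == '80' or a.endswith(':80') for a in d[1]) for d in children)

def acme_findings(conf):
    """Lint each plaintext server block: the HTTP-01 challenge path must be proxied to PMG
    rather than swallowed by the catch-all redirect, and should be as narrow as possible."""
    findings = []
    for name, _args, children in conf:
        if name != 'server' or not listens_on_80(children):
            continue
        locs = {d[1][-1]: d[2] for d in children if d[0] == 'location'}
        acme = next((p for p in locs if p.startswith('/.well-known')), None)
        if acme is None:
            findings.append('no /.well-known location on port 80: challenges hit the redirect')
        elif not any(d[0] == 'proxy_pass' for d in locs[acme]):
            findings.append(f'{acme} has no proxy_pass to the PMG host')
        elif not acme.startswith('/.well-known/acme-challenge/'):
            findings.append(f'{acme} is broader than /.well-known/acme-challenge/; narrow it')
        if '/' in locs and not any(d[0] == 'return' and d[1][:1] == ['301'] for d in locs['/']):
            findings.append('location / on port 80 does not redirect to HTTPS')
    return findings
```

Run acme_findings(parse(open('/etc/nginx/sites-enabled/pmg').read())) against the real file; an empty list means the challenge path is proxied, scoped to acme-challenge, and everything else is redirected.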