[SOLVED] Letsencrypt certificates when using a reverse proxy

andres-asm

Aug 29, 2024
Hi

I'm currently evaluating pmg.
How would I perform a certificate request when my proxmox mail gateway is behind an NGINX reverse proxy?

I have PMG on server A, nginx on server B, I can actually access the web UI through NGINX just fine, and I have valid certificates on that box. I can request and renew the certificates as required.

But what I cannot do is order certificates for SMTP. As I understand it, when a certificate is requested a web server is spun up on server A... so should I forward port 80 to that server temporarily? Or maybe I can proxy that request to the PMG server as well?
 
Solved it like this:


NGINX:
# Backend for the PMG web UI (port 8006 on the PMG host).
upstream proxmox {
    server 192.168.200.105:8006 max_fails=3 fail_timeout=5s;
}
# Backend for ACME HTTP-01 challenges: same host, port 80 written out explicitly
# (nginx defaults an upstream server without a port to 80).
upstream proxmox-acme {
    server 192.168.200.105:80 max_fails=3 fail_timeout=5s;
}

# redirects
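# Port 80: hand only the ACME HTTP-01 challenge path to the PMG host,
# redirect everything else to HTTPS.
server {
    listen *:80;
    server_name pmg.domain;

    # Effectively unused: every request is either proxied or redirected below.
    root /var/www/letsencrypt;

    # Narrowed from "/.well-known" so that only the ACME challenge path reaches
    # the PMG host's port-80 listener; nothing else under /.well-known is exposed.
    # "^~" keeps a regex location from overriding this prefix match.
    location ^~ /.well-known/acme-challenge/ {
        # $request_uri already includes the query string; the trailing "?" is the
        # usual idiom to stop nginx re-appending the client's arguments - verify
        # against the nginx version in use.
        proxy_pass http://proxmox-acme$request_uri?;
    }

    location / {
        # $host echoes the client's Host header; prefer $server_name if this block
        # can be selected as the default server for names it does not own.
        return 301 https://$host$request_uri;
    }
}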

# proxmox
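# Port 443: TLS termination in front of the PMG web UI (upstream "proxmox").
server {
    listen *:443 ssl;
    server_name pmg.domain;

    # Placeholder document root; every request is proxied by "location /".
    root /srv/dummy;
    index index.html index.htm index.php;

    client_max_body_size 512M;

    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem; # managed by Certbot
    # Only TLS 1.2 is enabled; add TLSv1.3 once the nginx/OpenSSL build in use supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /srv/domain/dhparm.pem;
    # DES-CBC3-SHA removed and 3DES excluded outright: it is a 64-bit block cipher
    # (SWEET32) and every TLS 1.2 client already offers AES.
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED !3DES';
    ssl_session_timeout 10m;
    ssl_session_cache shared:DUMMY-CACHE:2m;
    # NOTE(review): OCSP stapling normally needs a "resolver" directive, and
    # ssl_stapling_verify a ssl_trusted_certificate; neither is shown here -
    # confirm stapling actually works rather than silently failing.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_ecdh_curve secp384r1;

    # "preload" commits this domain and all subdomains to HTTPS in browser
    # preload lists for a year; keep it only if that is intended.
    add_header Strict-Transport-Security
    'max-age=31536000; includeSubDomains; preload'
    always;

    location / {
        # The upstream is contacted over HTTPS; nginx does not verify the
        # upstream certificate unless proxy_ssl_verify is enabled, which is
        # why a self-signed PMG certificate works here.
        proxy_pass https://proxmox;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}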