lighttpd reverse proxy
0 votes | 1 answer | 2188 views
I have two Raspberry Pi servers running. These were set up with DietPi. One server is used as a Nextcloud server. The other (new) server is running weewx. Both use lighttpd as the webserver. Each operates under a different domain, my.domain.com and my.otherdomain.com.
My router has a single IP address and I use port forwarding to access both servers. The NextCloud server (my.domain.com) has SSL enabled using dietpi-letsencrypt. I cannot run certbot on my.otherdomain.com because I only have one public IP address.
I enabled mod-proxy on my Nextcloud machine (my.domain.com) and it forwards requests to my.otherdomain.com to the weewx machine. I disabled port forwarding on the router to the weewx machine. However, dietpi-letsencrypt cannot generate an SSL certificate for the weewx machine - the challenges fail. I tried to run certbot on both machines. Here is the attempt for my Nextcloud machine (used as my proxy server):
```
Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for my.domain.com and my.otherdomain.com
Performing the following challenges:
http-01 challenge for aws.andrewterhorst.com
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Challenge failed for domain my.otherdomain.com
http-01 challenge for my.otherdomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

  Domain: my.otherdomain.com
  Type:   unauthorized
  Detail: Invalid response from
  http://my.otherdomain.com/.well-known/acme-challenge/p16SmhyufIGQ75fnhWQ4zxf49TCLfnX4SoWRmBqAHBg
```
```
server.feature-flags += ("server.h2c" => "enable")
server.feature-flags += ("server.graceful-shutdown-timeout" => 5)
#server.feature-flags += ("server.graceful-restart-bg" => "enable")

# strict parsing and normalization of URL for consistency and security
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Server_http-parseoptsDetails
# (might need to explicitly set "url-path-2f-decode" = "disable"
#  if a specific application is encoding URLs inside url-path)
server.http-parseopts = (
  "header-strict"           => "enable",# default
  "host-strict"             => "enable",# default
  "host-normalize"          => "enable",# default
  "url-normalize-unreserved"=> "enable",# recommended highly
  "url-normalize-required"  => "enable",# recommended
  "url-ctrls-reject"        => "enable",# recommended
  "url-path-2f-decode"      => "enable",# recommended highly (unless breaks app)
 #"url-path-2f-reject"      => "enable",
  "url-path-dotseg-remove"  => "enable",# recommended highly (unless breaks app)
 #"url-path-dotseg-reject"  => "enable",
 #"url-query-20-plus"       => "enable",# consistency in query string
)

index-file.names            = ( "index.php", "index.html" )
url.access-deny             = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

# default listening port for IPv6 falls back to the IPv4 port
include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.conf.pl"
include "/etc/lighttpd/conf-enabled/*.conf"

#server.compat-module-load   = "disable"
server.modules += (
  "mod_dirlisting",
  "mod_staticfile",
)

# proxy settings
$HTTP["host"] =~ "my.otherdomain.com" {
  proxy.balance = "fair"
  proxy.server = ( "" =>
    (
      ( "host" => "192.168.0.261", "port" => 80 ),
      ( "host" => "192.168.0.261", "port" => 443 )
    )
  )
}
```
Technically, the proxy settings should be in 10-proxy.conf. I need to run this command:
```
lighty-enable-mod proxy
```
This creates a symbolic link in /etc/lighttpd/conf-enabled to 10-proxy.conf in /etc/lighttpd/conf-available. I read I could simply add proxy settings in lighttpd.conf - it was not necessary to use 10-proxy.conf.
The current set-up means incoming traffic to my.otherdomain.com ends up on the second weewx machine. However, certbot needs to communicate out. I am confused about where I should run certbot - from my weewx machine or from my Nextcloud machine?
I am not a Linux boffin and need some guidance on how to set up lighttpd to do forward and reverse proxies so my weewx machine can be secure. Most of the posts touching on this refer to Apache, nginx, or some specific web application setup. The syntax of the lighttpd conf settings is rather confusing, using regex-like notation. For example:
```
# requires mod_rewrite and mod_proxy in server.modules
$HTTP["host"] =~ "^(www\.example\.com)$" {
    # In lighttpd we alter the path manually using a rewrite rule. %0
    # refers to the hostname (the whole match of the condition above)
    # and $1 is the captured request path.
    url.rewrite-once = ( "^/(.*)" => "/vhost/http/%0/$1" )
    # hand every URL ("" prefix) to the backend on 127.0.0.1:8080
    proxy.server = ( "" =>
        ( (
            "host" => "127.0.0.1",
            "port" => 8080
        ) )
    )
}
```
There is no step-by-step tutorial in plain simple English for simpletons such as me.
Asked by aterhorst
(101 rep)
Sep 11, 2021, 11:26 AM
Last activity: Jul 22, 2025, 01:05 PM
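The question describes one public IP, a lighttpd proxy that owns the port 80/443 forwards, and an http-01 challenge that fails for the proxied name. The configuration below is an added example, not the poster's file and not anything shipped by DietPi or lighttpd. It assumes the file is /etc/lighttpd/conf-available/10-proxy.conf on the Nextcloud machine (enabled with lighty-enable-mod proxy), that the weewx box sits at the placeholder LAN address 192.168.0.20, and lighttpd 1.4.50 or newer (for proxy.forwarded and the ${url.authority} redirect variables). The design rule it encodes: certbot runs only on the machine that answers port 80 for the name (the proxy), the certificate lives where TLS terminates (the proxy), and the backend is reached over plain HTTP on the LAN.

```conf
# Added example, not the poster's configuration. Assumed path:
# /etc/lighttpd/conf-available/10-proxy.conf on the Nextcloud (proxy) machine.
# 192.168.0.20 is a placeholder for the weewx machine's LAN address.
# Drop any module below that another enabled file already loads.
server.modules += ( "mod_proxy", "mod_redirect" )

# 1. Plain-HTTP requests: push everything to HTTPS except the ACME http-01
#    path, which Let's Encrypt must be able to fetch over port 80.
$HTTP["scheme"] == "http" {
    $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
        url.redirect = ( "" => "https://${url.authority}${url.path}${qsa}" )
    }
}

# 2. Requests for the weewx name. The ACME path is deliberately NOT proxied:
#    the proxy serves it from its own webroot (/var/www), which is where
#    "certbot --webroot -w /var/www -d my.domain.com -d my.otherdomain.com"
#    run on THIS machine writes the token. Everything else is handed to the
#    weewx box over plain HTTP. The backend's port 443 is intentionally absent:
#    mod_proxy speaks HTTP to the backend, and TLS is terminated here, using
#    the single certificate that the certbot run in the question expands to
#    cover both names.
$HTTP["host"] == "my.otherdomain.com" {
    $HTTP["url"] !~ "^/\.well-known/acme-challenge/" {
        proxy.server = ( "" => ( ( "host" => "192.168.0.20", "port" => 80 ) ) )
        # Give weewx the original client, scheme and host (RFC 7239 Forwarded)
        proxy.forwarded = ( "for" => "enable", "proto" => "enable", "host" => "enable" )
    }
}
```

With this in place the weewx machine needs no certbot at all, and the DietPi-generated TLS listener on the proxy keeps serving the expanded certificate for both names. Before reloading, check the syntax with `lighttpd -t -f /etc/lighttpd/lighttpd.conf`; after reloading, confirm the challenge path is answered by the proxy rather than the backend by creating a test file under /var/www/.well-known/acme-challenge/ on the proxy and requesting it with `curl -I http://my.otherdomain.com/.well-known/acme-challenge/<name>` from outside the LAN. Only once that returns 200 from the proxy is it worth rerunning certbot.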