How to have two Yunohosts servers at home?

Hello.

I have a second Yunohost server to test applications (a Raspberry Pi - fair enough for testing) before installing them on the main Yunohost server (a Banana Pi - much more performant).

Right now, the test Yunohost server is in my local network, with a local domain (declared in the hosts file of my PC). It works fine at home.

Is it possible to have this second Yunohost server accessible from the web? For that, I can create a subdomain at my registrar. I can also open a port on my box (French Freebox), say port 444, and forward it to port 443 on the second Yunohost server. And re-install Yunohost with a domain set to subdomain.domain.fr:444? Would this work? What other settings would be needed?

Hi xof,

That’s the real problem of self-hosting and IPv4 shortage. Your ISP gave you only one IPv4 reachable from the Internet. Unfortunately you couldn’t get many servers using the same ports because of unicity issues. We hope IPv6, which will resolve that problem, will come soon.

Moul

Hello,

If your two different yunohost instances are intended to host different applications, you should run them on two different machines. To do so, you must first install a webserver (apache, nginx, hiawatha…) on one of these (or on a third) machine in order to act as a reverse proxy, which redirects web requests to the right yunohost machine following the given subdomain, for example. I do so to access my yunohost box, which is in fact an LXC container running alongside other containers for different services accessible through one IP.

1 Like

Thanks for the idea of the reverse proxy. I have 2 Yunohost servers. The main server is on (e.g.) https://domain.com and I want the second server to be on https://dev.domain.com. Is it possible to configure nginx on the main server to forward the requests for https://dev.domain.com to the second server? … Of course, I defined the CNAME in my DNS zone.

Following this http://blog.olivier-raulin.fr/2013/08/28/mise-en-place-dun-reverse-proxy-nginx/
I created a file /etc/nginx/sites-available/reverse with the following:

ssl_certificate /etc/ssl/domain.com.crt;
ssl_certificate_key /etc/ssl/domain.com.key;
server {
    listen 443;
    ssl on;

    server_name dev.domain.com;
    location / {
            proxy_pass https://192.168.1.10:443/;
    }
}

And… and… it does not work! Any advice? Do I really need a third machine for the reverse proxy?

1 Like

Please ensure that you enabled the configuration you created by adding a symbolic link in /etc/nginx/sites-enabled.

ln -s /etc/nginx/sites-available/reverse /etc/nginx/sites-enabled/reverse

Further I would tweak the configuration you are using to be a bit more predictable.

  1. Move the ssl_certificate into the server block to ensure it is only used by that specific server and not all servers on your box
  2. Overwrite the host header to whatever domain you configured on your 2nd Yunohost server, so it is independent of what domain you are actually using to connect.

This would look something like:

server {
    ssl_certificate /etc/ssl/domain.com.crt;
    ssl_certificate_key /etc/ssl/domain.com.key;

    listen 443;
    ssl on;

    server_name dev.domain.com;
    location / {
            proxy_set_header Host dev.domain.com;
            proxy_pass https://192.168.1.10:443/;
    }
}

Thank you, buurman. I tried it, with no success. Never mind, I will stay with my “prod” server accessible on the web and my “dev” server on my home LAN. That is fair enough: it prevents me from spending too much time on my “dev” and is more secure. Thanks anyway and welcome to the “Yunohost world”.
Xof.

Anybody had success in doing this? I want a similar solution for two servers hosted on the same network, one of which is YunoHost.

My second device is a phone. It gets proxied through the YunoHost to the internet.

Solution:

  1. Register a domain and install a Let's Encrypt certificate for the domain on the YunoHost server:

     yunohost domain add proxy.domain.tld
     yunohost domain cert-install proxy.domain.tld
    
  2. Go to /etc/nginx/conf.d/proxy.domain.tld.d and create a file proxy.conf. Add the following code with your own second server IP:

     location / {
         proxy_pass https://192.168.0.100;  # IP address of the other server (needs to be static)
         proxy_set_header Host $host;

         # Force https
         if ($scheme = http) {
             rewrite ^ https://$server_name$request_uri? permanent;
         }

         proxy_buffering off;
         tcp_nodelay on;
     }
    
  3. Restart nginx:

    service nginx restart

Note: You will have to log in to the YunoHost page to get access to the proxy page. If you need to bypass it, add proxy.domain.tld to the skipped_urls under /etc/ssowat/conf.json.persistent.

"skipped_urls": [
  "proxy.domain.tld"
]
1 Like
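A hardened version of the drop-in from the Solution post above, combined with buurman's advice to pin the Host header. This is an added example, not configuration from the thread or from YunoHost itself; it assumes the public name dev.domain.tld, a static backend at 192.168.1.10 listening on 443 (change the port if the backend's own reverse proxy listens elsewhere), and that `yunohost domain add` / `cert-install` have already created the TLS vhost for dev.domain.tld on the main server.

```nginx
# Added example: /etc/nginx/conf.d/dev.domain.tld.d/proxy.conf on the main
# YunoHost box. It is included inside the port-443 server block that YunoHost
# generated for dev.domain.tld, so TLS termination and the certificate are
# already handled there. Assumed values: dev.domain.tld, 192.168.1.10:443.
location / {
    # Backend port is part of proxy_pass; adjust it if the second box
    # already runs its own reverse proxy on a different port.
    proxy_pass https://192.168.1.10:443;

    # The backend only answers for the domain it was installed with, so
    # pin the Host header instead of relying on whatever the client sent.
    proxy_set_header Host dev.domain.tld;

    # Pass the real client address and scheme through. Without these the
    # backend's access logs, fail2ban and redirects only ever see the
    # proxy's LAN address and may think the request was plain http.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # An http-to-https check (`if ($scheme = http)`) is pointless in this
    # file: the include is only reached through the 443 vhost, so the
    # redirect belongs in the port-80 server block for the domain.

    # nginx does not verify the upstream certificate by default. If the
    # backend has a valid certificate for dev.domain.tld, enable
    # verification (directives need nginx 1.7 or newer); leave it off
    # only for a self-signed backend on a trusted LAN.
    #proxy_ssl_server_name on;
    #proxy_ssl_name dev.domain.tld;
    #proxy_ssl_verify on;
    #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_buffering off;
    tcp_nodelay on;
}
```

Check the result with `nginx -t` before `service nginx restart`; the SSOwat skipped_urls entry from the Note above is still needed if the dev server should not sit behind the main server's login portal.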

I have the same problem :frowning:

I have no idea what to do.

Can you explain your problem in detail?

I have two servers, one for personal (Server A), one for Duniter (Server B).
They both use port 443 and Duniter uses a reverse proxy.

Right now, I have ruined a couple of my configuration files.
I just recalled that port 80 is still needed if I can recall correctly for certificates, unless I’m wrong that is.
Deleting those parts for Server B was not smart and I just realized it after deleting it on Server A.

So perhaps it’s best to set straight again what I’ve wronged at the moment:

domain.tld.conf (of Server A)

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.tld;

    ssl_certificate /etc/yunohost/certs/domain.tld/crt.pem;
    ssl_certificate_key /etc/yunohost/certs/domain.tld/key.pem;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;

    ssl_prefer_server_ciphers on;

    # Ciphers with intermediate compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=intermediate
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-S$

    # Ciphers with modern compatibility
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1t&hsts=yes&profile=modern
    # Uncomment the following to use modern ciphers, but remove compatibility with some old clients (android < 5.0, Internet Explorer < 10, ...)
    #ssl_protocols TLSv1.2;
    #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-$

    # Uncomment the following directive after DH generation
    # > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
    #ssl_dhparam /etc/ssl/private/dh2048.pem;

    add_header Strict-Transport-Security "max-age=31536000;";

    access_by_lua_file /usr/share/ssowat/access.lua;

    include conf.d/domain.tld.d/*.conf;

    include conf.d/yunohost_admin.conf.inc;
    include conf.d/yunohost_api.conf.inc;

    access_log /var/log/nginx/domain.tld-access.log;
    error_log /var/log/nginx/domain.tld-error.log;
}

[Update]

I fixed that part, now I need to get back at how to solve the actual issue.
How do I get two Yunohost servers to work, when the second one already uses a reverse proxy?

I think you will have to add port here in the first server.
So something like this:
proxy_pass https://192.168.0.100:port;

Redirecting my problem to here.

I’m also interested in doing this.

I have my main server with the essentials on it: blog, nextcloud, pihole, and xmpp. I want to run another yunohost on my network with other things that aren’t so essential, and to test things out: mastodon, pixelfed…

I tried with nginx too but messed it up. Frankly nginx is a bit confusing and scary for me :grimacing:

If anyone figures out, please make a tutorial…

Lots of moving parts to make it work it seems: and settings, nginx, port forwarding?

1 Like