YunoHost behind a reverse proxy

I’ve looked around and for now I only seem to find configurations for YunoHost as the reverse proxy, but I am using it only for testing and already have my own Nginx RP server up and running.

I use a no-ip domain for my testing and that is the domain I added to YunoHost. I started adding apps (mail server for example) and don’t know how that would translate with the RP…

Nginx conf

server {
    listen       80 default_server;
    server_name  carobell.ddns.net;
    include      snippets/letsencrypt.conf;
    return       301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name carobell.ddns.net;

    ssl_certificate         /etc/letsencrypt/live/carobell.ddns.net/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/carobell.ddns.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/carobell.ddns.net/chain.pem;
    include snippets/ssl.conf;
    include snippets/letsencrypt.conf;

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    location / {
        proxy_pass              http://192.168.2.56/;
#       proxy_set_header        X-Forwarded-For   $remote_addr;
#       proxy_set_header        X-Real-IP         $remote_addr;
#       proxy_set_header        X-Forwarded-Proto $scheme;
#       proxy_set_header        Host              $host;
    }
}

If I leave the configuration as is, I get redirected to the LAN IP address of the YunoHost server. If I uncomment the proxy_set_header lines, I end up in a redirect loop.


I’ve looked around a bit everywhere and for now I only find configurations for using YunoHost as the reverse proxy, but in my case I use it only for tests and I already have an Nginx RP online and working.

I use a no-ip domain for my tests and it is also the domain I gave to YunoHost. I started adding apps (mail server for example) and I don’t know how that will translate with the RP…

Nginx conf

see the English version ;)

If I leave the configuration as is, I am redirected to the LAN IP address of the YunoHost server. If I remove the #, I end up in a redirect loop.

2 Likes

Uuuuuh … but how does that relate to YunoHost? YunoHost provides an automatically managed nginx configuration and you copy-pasted a custom nginx configuration? I’m not even sure I understand the issue you are trying to fix here? o.O

I have my own nginx server, and I want to add YunoHost behind it (the 192.168.2.56 address is the LAN IP of YunoHost). If I leave YunoHost as is, it won’t work, since ports 80 and 443 are already sent from my router to the Nginx server.

Hmokay

On one of my servers I used something like this:

location / {
        proxy_pass         https://192.168.x.y;
        proxy_redirect     off;
        proxy_read_timeout 60s;
        
        proxy_set_header          Host            the.desination.domain.tld;
        proxy_set_header          X-Real-IP       $remote_addr;
        proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;

        client_max_body_size 50M;
}
2 Likes

It works!

Took a while; I was missing the https in proxy_pass, and the domain name in proxy_set_header Host took care of the LAN redirection~

Can anyone add some clarification to this? I am installing YunoHost right now, mostly for running Synapse. I already have a bunch of servers running behind my nginx reverse proxy and I don’t want to change that.

It seems like this post covers that, but I really don’t understand the answer. Which server does that config go into, YunoHost or the external RP server? What needs to be changed to match my setup, just the IP?

I don’t mean to sound ignorant, I’m just a little lost on how to do this.

1 Like

Hi!
I’m answering a bit late, but in case someone stumbles upon this:

  • this config goes on the external reverse proxy server, no need to touch YunoHost’s nginx config
  • you need to replace the.desination.domain.tld with your domain and 192.168.x.y with the internal IP.
    Then with the server block it looks like this:

server {

   listen         443;
   listen    [::]:443;
   server_name    the.desination.domain.tld;

   location / {
        proxy_pass         https://192.168.x.y;
        proxy_redirect     off;
        proxy_read_timeout 60s;

        proxy_set_header          Host           the.desination.domain.tld;
        proxy_set_header          X-Real-IP       $remote_addr;
        proxy_set_header          X-Forwarded-For $proxy_add_x_forwarded_for;

        client_max_body_size 50M;
   }

   access_log /var/log/nginx/yunohost_access.log;
   error_log /var/log/nginx/yunohost_error.log error;

}

You’ll probably need to do the same for port 80 (for Let’s Encrypt).

1 Like
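The complete pair of server blocks that the post above only sketches, written here as an added example rather than the poster's own config. It goes on the external reverse proxy, not on YunoHost. Assumed values, not from the thread: the public domain yuno.example.org, the YunoHost LAN address 192.168.x.y, and a Let's Encrypt certificate already issued to the proxy for the public name under /etc/letsencrypt; passing /.well-known/acme-challenge/ through on port 80 is also an assumption about how the YunoHost side renews its own certificate.

```nginx
# Added example for the EXTERNAL reverse proxy (not YunoHost's own config).
# Assumed: public name yuno.example.org, YunoHost at 192.168.x.y.

# Needed by the WebSocket passthrough below; belongs in http context,
# which a file under /etc/nginx/conf.d/ or sites-enabled/ already is.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: let ACME http-01 challenges reach YunoHost (assumed renewal path),
# redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name yuno.example.org;

    location /.well-known/acme-challenge/ {
        proxy_pass http://192.168.x.y;
        proxy_set_header Host $host;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yuno.example.org;

    ssl_certificate     /etc/letsencrypt/live/yuno.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yuno.example.org/privkey.pem;

    location / {
        # Re-encrypt to the backend. Proxying to http:// makes YunoHost answer
        # with a redirect to https://, which the thread saw as a redirect loop.
        proxy_pass https://192.168.x.y;
        proxy_redirect off;
        proxy_read_timeout 60s;
        client_max_body_size 50M;

        # Send the public name as SNI so a multi-domain YunoHost picks the
        # right certificate; the default would be the IP from proxy_pass.
        proxy_ssl_server_name on;
        proxy_ssl_name $host;

        # Public name, not the LAN address, so redirects built by the backend
        # point at the public URL instead of 192.168.x.y.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade passthrough for apps that use it.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Check with nginx -t and reload. Two lines carry the fix the thread arrived at: proxy_pass must be https, otherwise the backend replies with a redirect to https:// that the proxy turns into a loop, and Host must carry the public name, otherwise backend-built redirects point at the LAN address. nginx does not verify the backend certificate on this hop unless proxy_ssl_verify is turned on, so a self-signed YunoHost certificate works; set proxy_ssl_verify on with proxy_ssl_trusted_certificate if the LAN is not trusted.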

I’m wondering about this: maybe technically it works, but I’m suspecting that from the point of view of Yunohost, all requests appear to come from the local IP of the host (192.168.x.y or 10.x.y.z typically). Therefore, combined with the fact that fail2ban is running, an attacker could trigger some sort of denial of service by constantly brute-forcing the portal or webadmin, which would result in Yunohost blocking all traffic on port 80/443 from the host …

One way around this is either to disable fail2ban (which sounds spooky but anyway may not be so useful in a reverse proxy context - it kinda depends on the exact proxying topology for SSH etc.) - or there’s also the real_ip_header that may have to be tweaked in the Yunohost (not 100% sure about this) :thinking:

1 Like
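For the concern above, an added example (not from the thread) of the real_ip_header tweak on the YunoHost side: it tells YunoHost's nginx to take the client address from X-Forwarded-For, but only when the connection comes from the reverse proxy, so the nginx logs that fail2ban reads show the visitor's IP rather than the proxy's. Assumed values: the proxy's LAN address 192.168.2.10, and a drop-in file such as /etc/nginx/conf.d/<domain>.d/realip.conf as the place to keep it out of YunoHost's regenerated config (that include directory is assumed from YunoHost's layout; confirm with nginx -T that the file is picked up).

```nginx
# Added example for the YUNOHOST side (assumed path:
# /etc/nginx/conf.d/<domain>.d/realip.conf). Assumed proxy address 192.168.2.10.

# Only the proxy is trusted to set X-Forwarded-For. Listing anything broader
# (a whole subnet, or 0.0.0.0/0) would let any client forge the header and
# get an arbitrary address banned, or walk around a ban of its own.
set_real_ip_from 192.168.2.10;
real_ip_header   X-Forwarded-For;

# Walk the header from the right past trusted hops, so a chain of
# "client, proxy" still resolves to the client and not to the proxy.
real_ip_recursive on;
```

With this in place $remote_addr in the access and error logs is the client address whenever the request arrived from 192.168.2.10, and unchanged otherwise; a request that did not pass through the proxy cannot spoof it. The reverse proxy must set X-Forwarded-For for this to have any effect, which the configs earlier in the thread do with $proxy_add_x_forwarded_for.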

I have a yunohost server installed at home behind my router.
The yunohost server is connected to internet but not exposed to outside.

All of my installed applications are declared behind a .local domain.

I have another server in the same network with caddy reverse proxy and would like to expose a specific app (vaultwarden in this case but any other app eventually) from my yunohost server.

 _______             ________            ________________           __________
|       |           |        |          |                |         |          |
| WAN   |   --->    | router |   --->   | reverse-proxy  | --->    | yunohost |
|_______|           |________|          |________________|         |__________|

The router is correctly configured with open ports 80 & 443 pointing to my reverse proxy server.
I had this setup for years before; it just wasn’t a YunoHost server but a ‘standard’ Debian server…

So I am running into issues, since it seems like YunoHost only exposes apps via a domain (.local in my case) with self-signed certificates.

This is my Caddy configuration, inspired by my previous setup, which I am now trying to adapt

mysuperdomain.com {
         reverse_proxy /notifications/hub/negotiate https://vault.local
         reverse_proxy https://vault.local {
                 header_up X-Real-IP {remote_host}
                 transport http {
                         tls
                         tls_insecure_skip_verify
                 }
         }
}

I have tried different setups but no luck.

If anyone has hints or can help… :pray:

ok

I found my way out…
On my reverse proxy I edited /etc/hosts with the correct IP for mysuperdomain.com.
On YunoHost I configured the domain mysuperdomain.com, leaving it with the default self-signed certificate.

I have adapted the Caddy configuration to reflect those changes this way:

mysuperdomain.com {
         reverse_proxy https://mysuperdomain.com {
                 header_up X-Real-IP {remote_host}
                 transport http {
                         tls
                         tls_insecure_skip_verify
                 }
         }
}

It is quite dirty; I am open to anyone who has a better solution to propose.

This looks like what I need, but where exactly do I put this? In a proxy.conf file in the conf.d folder of the domain? In the conf.d file? Where does one put this nginx configuration, and what server does it go on?