Subj : Lets Encrypt and NPM
To   : poindexter FORTRAN
From : echicken
Date : Tue May 21 2024 02:26:41

  Re: Lets Encrypt and NPM
  By: poindexter FORTRAN to All on Thu May 16 2024 00:30:49

 PF> I set up Nginx Proxy Manager and have it proxying for my internal hosts.
 PF> It can register certs for my internal hosts.

 PF> Instead of running SSL natively on Synchronet, would anything break by
 PF> just running http internally and using NPM to manage certificates and then
 PF> pass on HTTPS traffic to HTTP internally?

I don't use Nginx Proxy Manager, but I do use nginx in this configuration and have done on and off for 10+ years. As long as you're not paranoid about someone capturing the traffic between proxy and upstream, it's fine.

Websockets (ie. for ftelnet) will break, but that's fixable. My current solution is a separate upstream that points at my plain websocket server (port 1123), and a server{} block that listens on eg. port 1124 and does SSL reverse proxying to that upstream. webv4 has a 'wssp' setting that forces the WSS port (eg. to 1124) for this exact scenario.

This is where NPM might get in your way. I chatted with someone who was using NPM and couldn't make it do the needful re: websockets. I suspect it was sacrificing this level of configurability in favour of user-friendliness. I didn't dig deep into that because I don't use NPM and don't want to.

IMHO nginx configs are quite easy to manage by hand on a small scale like you'd typically find in BBS-land. I suspect you'd be doing yourself a favour by just taking NPM out of the mix and using nginx on its own. I can share my settings with you if you like.

echicken
electronic chicken bbs - bbs.electronicchicken.com

---
 ■ Synchronet ■ electronic chicken bbs - bbs.electronicchicken.com
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
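
The layout described in the reply above, sketched as a plain nginx configuration. This is an added example, not part of the original message and not echicken's own settings. Ports 1123 and 1124 come from the post; the hostname, the upstream addresses, port 8080 and the certificate paths are assumed placeholders, and the websocket leg is assumed to be proxied at the HTTP level.

```nginx
# Added example; goes inside the http{} context of nginx.conf.
# Assumed placeholders: bbs.example.net, 127.0.0.1, port 8080, cert paths.

upstream synchronet_web {
    server 127.0.0.1:8080;   # assumed plain-HTTP port of the Synchronet web server
}

upstream synchronet_ws {
    server 127.0.0.1:1123;   # plain websocket server (port from the post)
}

# TLS terminates here; the leg to the upstream is cleartext HTTP.
# With the upstream on loopback that leg never leaves the host. If it
# points at another machine, it is the capturable hop the post mentions.
server {
    listen 443 ssl;
    server_name bbs.example.net;
    ssl_certificate     /etc/letsencrypt/live/bbs.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bbs.example.net/privkey.pem;

    location / {
        proxy_pass http://synchronet_web;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# WSS listener on 1124, reverse proxying to the plain websocket upstream.
# webv4's 'wssp' setting would be set to 1124 so clients connect here.
server {
    listen 1124 ssl;
    server_name bbs.example.net;
    ssl_certificate     /etc/letsencrypt/live/bbs.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bbs.example.net/privkey.pem;

    location / {
        proxy_pass http://synchronet_ws;
        proxy_http_version 1.1;                  # Upgrade requires HTTP/1.1
        proxy_set_header Upgrade $http_upgrade;  # pass the websocket handshake through
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 1h;                   # keep idle terminal sessions open
    }
}
```

`nginx -t` checks the syntax before a reload.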