The tutorials I’ve seen for setting up a range of things go something like this:
You’ve got a server or a box or something and you stick Docker on it for some ungodly reason, and now you’re configuring your shit. You’re trying to get SSL certs going because the lock icon is swag and it raises your e-peen and nerd social credit score. So, here we go:
Slap linuxserver/swag on
configure a billion things to get nginx, letsencrypt, and a website up
Party because you have the lock icon for your main site and proxied things.
But now you have Docker floating around with keys inside it, and I haven’t figured out how you get those keys out to your local thingies.
According to my friend you just don’t; you let nginx keep the keys, and from your browser to the reverse proxy it’s SSL just like normal, but internally it’s all HTTP. So your appliances run unsecured but it doesn’t matter, and from the browser’s perspective it’s happy because it was given a cert that somebody else made, instead of you.
That configuration looks like this:
browser -https> nginx -http> service
But I’m not trying to do that, I’m trying to do this:
browser -https> service
This is because nginx isn’t running yet but here I am fucking with SSL keys. This means that everything needs the keys, and it may be a lot of work to get to the same place my friend is, since it means OPNsense needs to spread the keys around via Automations. And it needs to do this every single time the keys get updated, which is constantly (Let’s Encrypt certs only last 90 days, so this is a recurring job, not a one-off).
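What that key-spreading step actually looks like, as an added example (not the post author’s script or anything shipped with OPNsense): a deploy hook that copies a renewed cert and key from the ACME client’s output directory into each service’s cert directory, fixes the modes so the key isn’t world-readable, and reloads only the services whose material actually changed. The service list, every path, the owner names, the reload commands and the idea that the ACME automation calls it with the output directory as its first argument are all assumptions.

```shell
#!/bin/sh
# Deploy hook for the "every service terminates TLS itself" layout.
# Added example; the service list, paths and reload commands are assumptions.
# Assumed invocation from an ACME "run command" automation:
#   deploy-certs.sh /path/to/acme/output   (dir holding fullchain.pem + privkey.pem)
set -eu

# One service per line: <cert dir> <owner> <reload command...>
# Constructed example list; replace with your own.
SERVICES='
/etc/nginx/certs root nginx -s reload
/var/lib/myapp/certs myapp systemctl restart myapp
'

# deploy_cert <acme dir> <service cert dir> [owner]
# Prints "changed" or "unchanged". Returns 1 if the source material is missing.
deploy_cert() {
    src="$1"; dst="$2"; owner="${3:-root}"
    if [ ! -f "$src/fullchain.pem" ] || [ ! -f "$src/privkey.pem" ]; then
        echo "no fullchain.pem/privkey.pem in $src" >&2
        return 1
    fi
    mkdir -p "$dst"
    # ACME clients re-run hooks often; skip the reload when nothing changed
    if cmp -s "$src/fullchain.pem" "$dst/fullchain.pem" &&
       cmp -s "$src/privkey.pem" "$dst/privkey.pem"; then
        echo unchanged
        return 0
    fi
    # mktemp creates the files 0600; stage both and rename so the service
    # never reads a half-written key or a chain that doesn't match the key
    tmpc=$(mktemp "$dst/.fullchain.XXXXXX")
    tmpk=$(mktemp "$dst/.privkey.XXXXXX")
    cat "$src/fullchain.pem" > "$tmpc"
    cat "$src/privkey.pem" > "$tmpk"
    chmod 0644 "$tmpc"           # the chain is public
    chmod 0600 "$tmpk"           # the key is not
    if [ "$(id -u)" = 0 ]; then  # ownership only makes sense when run as root
        chown "$owner" "$tmpc" "$tmpk"
    fi
    mv -f "$tmpc" "$dst/fullchain.pem"
    mv -f "$tmpk" "$dst/privkey.pem"
    echo changed
}

# deploy_all <acme dir>: deploy to every SERVICES entry and run the reload
# command only for services whose material changed. Returns 1 if any failed.
deploy_all() {
    src="$1"; failed=0
    while read -r dst owner reload; do
        [ -n "$dst" ] || continue
        if result=$(deploy_cert "$src" "$dst" "$owner"); then
            if [ "$result" = changed ] && [ -n "$reload" ]; then
                echo "reloading: $reload" >&2
                $reload
            fi
        else
            failed=1
        fi
    done <<EOF
$SERVICES
EOF
    return $failed
}

# Run as a hook when given the ACME output directory; with no argument the
# file only defines the functions (so it can be sourced or tested).
if [ -n "${1:-}" ]; then
    deploy_all "$1"
fi
```

The two things worth keeping even if you rewrite the rest: stage-then-rename so a service reloading mid-copy never loads a key that doesn’t match its cert, and a change check so a hook that fires on every ACME run doesn’t bounce every service every time. Whatever transports the files from OPNsense to the other boxes (SFTP, SSH, a mounted share) still needs its own credentials, which is the part that makes this a ton of work.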
If I go the nginx-for-everything route then that means I have to turn https off for internal services, though my browser won’t care since it hits nginx first. It also means I won’t get a lock (and it won’t matter) if I go to things via the IP address, since that bypasses nginx entirely and talks plain HTTP straight to the service.
That might be the way to go. Right now there’s no harm in doing it my way except that it’s a ton of work that, if I’m going to be using nginx to protect WordPress anyway, is kind of silly since I can just use it for the rest.
It’s still good that OPNsense has the keys, even though it’s not publicly exposed. Since I want to run nginx there too, it can already use the cert and key that the ACME client on OPNsense obtained.
So the setup is probably: get nginx working, then go from there turning https off on the services, letting nginx terminate TLS for everything it proxies (and serve up that tasty lock icon), and have it pull the pages from the services over plain http.
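The nginx side of that setup, as an added example rather than anything from the post or from linuxserver/swag: a small script that writes one server block per proxied service, in the form the page describes (TLS ends at nginx, the backend is reached over plain HTTP). The cert location, the config directory, the hostnames and backends are assumptions; the header lines are what a backend needs to know it is actually being served over HTTPS.

```shell
#!/bin/sh
# Generates nginx "terminate TLS here, plain HTTP behind" server blocks.
# Added example; CERT_DIR, SITES_DIR and the example hosts are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/etc/nginx/certs}"   # where the ACME cert/key land
SITES_DIR="${SITES_DIR:-/etc/nginx/conf.d}"

# render_site <public hostname> <backend host:port> -> prints the server block
render_site() {
    host="$1"; upstream="$2"
    # Refuse anything that could smuggle directives into the config
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $host" >&2; return 1 ;;
    esac
    case "$upstream" in
        ''|*://*|*[!A-Za-z0-9.:-]*) echo "upstream must be host:port: $upstream" >&2; return 1 ;;
    esac
    cat <<EOF
# $host -> http://$upstream (generated)
server {
    listen 80;
    server_name $host;
    # Nothing is served on plain HTTP; just bounce to HTTPS
    return 301 https://\$host\$request_uri;
}
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate     $CERT_DIR/fullchain.pem;
    ssl_certificate_key $CERT_DIR/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # TLS ends here; this hop is plain HTTP on the internal network
        proxy_pass http://$upstream;
        proxy_http_version 1.1;
        # Tell the backend the original host and scheme so it builds https://
        # links and doesn't try to redirect itself to https in a loop
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host  \$host;
    }
}
EOF
}

# render_default -> a catch-all so hitting nginx by bare IP or an unknown
# name doesn't silently land on whichever vhost nginx picked first
render_default() {
    cat <<EOF
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     $CERT_DIR/fullchain.pem;
    ssl_certificate_key $CERT_DIR/privkey.pem;
    return 444;   # close the connection without a response
}
EOF
}

# install_site <hostname> <host:port>: write SITES_DIR/<hostname>.conf only if
# it differs from what's there. Prints "changed" or "unchanged".
install_site() {
    out="$SITES_DIR/$1.conf"
    tmp=$(mktemp)
    render_site "$1" "$2" > "$tmp"
    if cmp -s "$tmp" "$out"; then
        rm -f "$tmp"; echo unchanged
    else
        mv -f "$tmp" "$out"; echo changed
    fi
}
```

After writing sites, `nginx -t` and a reload are the usual next step; the generator deliberately doesn’t run them. The catch-all only covers requests that reach nginx by the wrong name. Going straight to a service’s own IP and port bypasses nginx altogether and is plain HTTP, so if that matters on your network the fix is a firewall rule on OPNsense that only lets the nginx host reach those ports, not anything in this config.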
Now, to figure out what to do about DNS, since right now OPNsense is using Unbound to do internal DNS for things…