Network Setup Questions

I need some help figuring out how to rearrange or deal with my current home network setup as things grow and expand.
Until recently I had an older AMD machine with a 3-drive RAID 5 setup in my house to serve up some basic websites, a Minecraft server (for the kids), MythTV, and to act as a repository for my media.
A few months ago I was gifted an i3 computer with 12 GB of RAM that I had hoped to migrate all my server-based things to. I set up ESXi and installed some virtual machines, but the i3 and the MB do not support VT-d, which means my RAID array and MythTV need to stay housed in the old AMD box.
I also, for some reason, set up MQTT on my old server, and since it’s working, I have some devices already pointed at that broker, and I’m lazy, I’m hesitant to move it.

So with the background out of the way, I would like to set up Let’s Encrypt on my VM (in Docker) and set up SSL for my FQDN, which has elements spanning multiple machines. If I proceed with this, how can I encompass MQTT and Apache on the AMD machine with the cert from Let’s Encrypt?
Do I want to use a Let’s Encrypt cert for MQTT (which I use with Zanzitto on our mobile devices)? Should I set up a second MQTT broker for the inside-the-network elements, and bridge that second broker with the first, which only handles Zanzitto and other outside-the-network elements?

Reverse proxy from the main server to all other servers. NGINX is good for this.

You may have the cert reside on the main server, and nginx can validate SSL before passing to backend servers. You can have a separate cert for each backend or a single cert with all.

Well, this might end up being a moot question; I woke up this morning to my AMD machine not responding.
Hard reboot, and it appears something is very wrong; no idea what yet, but I’m thinking I’m going to need a new server…

Could you elaborate? I want to do this, but I can’t find anything that helps.

Currently I’m running nginx on one system but want to proxy to my other services, and honestly I’m tired of messing with it.

Nginx is a web server. Point all incoming WAN requests (ports 80 and 443 usually) to nginx and it will route them according to its configuration.

Generate an SSL cert for your domain and store it on the server (/srv/nginx/mycert for example).

After installing nginx you would have created an nginx config file that defines your webpages or servers/applications (like Hass).

Within this nginx config file you must set the SSL parameters.
It is here that you will tell nginx where the cert is located.
Something like below:

server {
    listen              443 ssl;                            # HTTPS listener
    server_name         www.example.com;                    # domain this block answers for
    ssl_certificate     /srv/nginx/mycert/example.com.crt;  # certificate (with chain)
    ssl_certificate_key /srv/nginx/mycert/example.com.key;  # private key; keep it readable by root only
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;              # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 TLSv1.3 is the current choice
    ssl_ciphers         HIGH:!aNULL:!MD5;                   # no anonymous or MD5-based suites
}

You can use the same location for all certs and servers defined; the only requirement is that the calling domain is on the cert… so if you generate a cert for domain.com and sub.domain.com and request the cert with both, they would be on the single cert.

If domain.com is on cert1 and sub.domain.com on cert2, you must make sure you point to the correct one in nginx.

A reverse proxy is defined under the “server” as a “location”, and instead of pointing to a file on the server it will point to another server or another port on the same server.

In the nginx config, a “server” is pretty much your domain or subdomains. A “location” would be where (as defined in the nginx config) traffic going to that domain will go, be it a webpage or a server within the LAN.

Below is from the forum and looks like a proper config for a reverse proxy:

# This location goes inside the server { } block shown above.
location / {
#   auth_basic "Restricted";                      # optional HTTP basic auth in front of the proxied app
#   auth_basic_user_file /config/nginx/.htpasswd;
    proxy_set_header Host $host;                  # pass the original Host header to the backend
    proxy_redirect http:// https://;              # rewrite backend redirects to HTTPS
    proxy_http_version 1.1;                       # needed for the WebSocket upgrade below
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # real client IP for the backend
    proxy_set_header Upgrade $http_upgrade;       # WebSocket support (the HA frontend needs it)
    proxy_set_header Connection "upgrade";
    proxy_buffering  off;
    proxy_ssl_verify off;                         # only relevant if proxy_pass used https://
#   include /config/nginx/proxy.conf;
    proxy_pass http://hostip:8123;                # Home Assistant on the LAN (replace hostip)
}
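Putting the pieces of the reply above into one file, as an added example that is not from the thread or from the Home Assistant project: a complete nginx.conf that terminates TLS with one certificate for the whole domain, redirects plain HTTP, proxies to Home Assistant with the forwarded-IP and WebSocket headers, and also terminates MQTT over TLS on 8883 for the broker the original question asks about. Every hostname, address and path is assumed: example.com and ha.example.com, Home Assistant at 192.168.1.20:8123, the MQTT broker at 192.168.1.30:1883, certificate files under /srv/nginx/mycert. The MQTT part needs an nginx built with the stream module.

```nginx
# Added example (not from the thread): single nginx.conf for TLS termination
# and reverse proxying. All addresses, names and paths below are assumed.

events {}

http {
    # Log the address nginx sees ($remote_addr) next to what it forwards,
    # so LAN and WAN clients can be told apart in the access log.
    log_format proxied '$remote_addr -> $upstream_addr "$request" $status '
                       'xff="$proxy_add_x_forwarded_for"';
    access_log /var/log/nginx/access.log proxied;

    # Send "Connection: upgrade" only on WebSocket requests (nginx docs pattern).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Plain HTTP never serves content; it only redirects to HTTPS.
    server {
        listen      80;
        server_name example.com ha.example.com;
        return 301  https://$host$request_uri;
    }

    server {
        listen              443 ssl;
        server_name         ha.example.com;

        # One certificate covering example.com and its subdomains (assumed paths).
        ssl_certificate     /srv/nginx/mycert/fullchain.pem;
        ssl_certificate_key /srv/nginx/mycert/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        location / {
            proxy_pass         http://192.168.1.20:8123;   # assumed HA address
            proxy_http_version 1.1;
            proxy_set_header   Host              $host;
            # Real client address; Home Assistant only honours it when the
            # nginx host is listed in its trusted_proxies.
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            # WebSocket upgrade: without it only the HA banner loads.
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection $connection_upgrade;
            proxy_buffering    off;
        }
    }
}

# MQTT over TLS on 8883, terminated here with the same certificate; the broker
# on the LAN keeps listening in plain text on 1883 (assumed address).
stream {
    server {
        listen              8883 ssl;
        ssl_certificate     /srv/nginx/mycert/fullchain.pem;
        ssl_certificate_key /srv/nginx/mycert/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        proxy_pass          192.168.1.30:1883;
    }
}
```

Run `nginx -t` before reloading. With the log format above, a request from outside shows the WAN address in $remote_addr and again in xff=, which is what the later reply means by checking LAN versus WAN IPs in the access log. Home Assistant only trusts that header when its http component has use_x_forwarded_for enabled and the nginx host's address listed under trusted_proxies; without the map, "Connection: upgrade" would be sent on every request rather than only on WebSocket ones. Mobile MQTT clients then connect to ha.example.com:8883 with TLS instead of to the broker directly.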

Yeah, I’ve tried that, and all I can get is the banner to show up on the HA page. Nothing else will load.

You must do two things:

Set nginx so it passes the IP of the requesting device; you’ll be able to see LAN vs. WAN IPs in the nginx access log.

In HA you must properly set up the http component. I will edit this later with detail.

In HA you must set “use_x_forwarded_for” and “trusted_proxies”.

This allows HA to parse the IP header and whitelist your nginx server (trusted proxies) so it is not treated as spoofing. Without these, I believe HA webpages don’t load.

So again, set nginx to send the correct IP (nginx config), then set HA to look for that IP (http component) and also trust the source (http component).

Tried all that and still the same…

Thanks for the help. I’m going to leave it as is and just roll with it.