I need some help figuring out how to rearrange or deal with my current home network setup as things grow and expand.
Until recently I had an older AMD machine with a 3-drive RAID 5 setup in my house to serve up some basic websites, a Minecraft server (for the kids), MythTV, and to act as a repository for my media.
A few months ago I was gifted an i3 computer with 12 GB of RAM that I had hoped to migrate all my server-based things to. I set up ESXi and installed some virtual machines, but the i3 and the MB do not support VT-d, which means my RAID array and MythTV need to stay housed in the old AMD box.
I also, for some reason, set up MQTT on my old server, and since it’s working, I have some devices already pointed at that broker, and I’m lazy, I’m hesitant to move it.
So with the background out of the way, I would like to set up Let’s Encrypt on my VM (in Docker) and set up SSL for my FQDN, which has elements spanning multiple machines. If I proceed with this, how can I encompass MQTT and Apache on the AMD machine with the cert from Let’s Encrypt?
Do I want to use a Let’s Encrypt cert for MQTT (which I use with Zanzito on our mobile devices)? Should I set up a second MQTT broker for the inside-the-network elements, and bridge that second broker with the first, which only does Zanzito and other outside-the-network elements?
Reverse proxy from the main server to all other servers. NGINX is good for this.
You may have the cert reside on the main server, and nginx can validate SSL before passing to the backend servers. You can have a separate cert for each backend or a single cert with all.
Well, this might end up being a moot question; I woke up this morning to my AMD machine not responding.
Hard reboot, and it appears something is very wrong. No idea what yet, but I’m thinking I’m going to need a new server…
You can use the same location for all certs and servers defined; the only requirement is that the calling domain is on the cert… so if you generate a cert for domain.com and sub.domain.com and request the cert with both, they would be on the single cert.
If domain.com is on cert1 and sub.domain.com on cert2, you must make sure you point to the correct one in nginx.
Reverse proxy is defined under the “server” as a “location”, and instead of pointing to a file on the server it will point to another server or another port on the same server.
In the nginx config, a “server” is pretty much your domain or subdomains. A “location” would be where (as defined in the nginx config) traffic going to that domain will go, be it a webpage or a server within the LAN.
Below is from the forum and looks like a proper config for a reverse proxy.
In HA you must set “use_x_forwarded_for” and “trusted_proxies”.
This allows HA to parse the IP header and whitelist your nginx server (trusted proxies) so it is not treated as spoofing. Without these I believe HA webpages don’t load.
So again, set nginx to send the correct IP (nginx config), then set HA to look for that IP (http component) and also trust the source (http component).
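Putting the “server”/“location” explanation and the X-Forwarded-For point together, here is an added nginx example (not the config the post refers to, and not from the thread): one Let’s Encrypt cert covering both names, one server block per name, each location proxying to a different LAN host. The names example.com and ha.example.com, the backend addresses 192.168.1.10 (Home Assistant) and 192.168.1.20 (Apache on the AMD box), and the certbot-style certificate paths are all assumptions.

```nginx
# Added example, not from the thread. Assumed: example.com and ha.example.com
# are both SANs on one Let's Encrypt cert issued for example.com, so both
# "server" blocks point at the same certbot-style paths.

server {
    listen 80;
    server_name example.com ha.example.com;
    return 301 https://$host$request_uri;   # push all plain HTTP to TLS
}

server {
    listen 443 ssl;
    server_name ha.example.com;             # one "server" per (sub)domain
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        # "location" points at another host instead of a file on disk
        proxy_pass http://192.168.1.10:8123;          # assumed HA address
        # HA reads the real client IP from this header once
        # use_x_forwarded_for is on and this nginx host is a trusted proxy
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        # WebSocket upgrade, which the HA frontend relies on
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.20:80;            # assumed Apache on the AMD box
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
    }
}
```

On the HA side, the matching http keys are use_x_forwarded_for: true and trusted_proxies containing the nginx host’s LAN address; keep that list to the proxy only, since any address in it is allowed to assert client IPs.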