Notes on setting up a reverse proxy with Home Server (Devuan + Apache) + WireGuard + VPS (FreeBSD + NGINX)

Drawing with just a mouse.
----
I wanted to host my own site from my home server, but I was a bit scared of my IP address being exposed.
Also, I couldn't access it directly from home (from within the LAN) via the domain, and I concluded this was impossible because my home router doesn't have NAT functionality.
Accessing it from home via the IP address and from outside via the domain is inconvenient. I thought setting up a VPN over IP might solve this and bring two benefits at once, so I tried it.
As a complete amateur I found it tough, but a reverse proxy seems to distribute server load and speed up processing, so the result was very satisfying.
Then, Suwako updated her article!
[Digital Autonomy] How to host from a home server using WireGuard
I've done SSH connections before, and there's information about WireGuard on the Arch Wiki, so I managed it without much trouble. However, I'm recording the parts I got stuck on and the changes I made for backup in case I move to another VPS.
For more details, please refer to Suwako's page.
It's almost identical to Suwako's, so I will comply with any deletion requests from her.
This is for my own notes in the current environment. I'm keeping it on the web for my personal reference, especially since I might forget about nginx.
VPS Side Settings
Firewall settings
/etc/pf.conf
set skip on lo
exsrv1 = "<global IP address assigned to the VPS machine>" # placeholder, fill in the real address
insrv1 = 192.168.10.101 # home server's private IP on the WireGuard network (not used by the rules below)
#insrv2 = 192.168.10.102 # add more like this if there are other machines to connect
block return
pass
# WireGuard uses port 51820/UDP, so open it
pass in on wg0
pass in inet proto udp from any to any port 51820
# SSH over WireGuard: allow SSH only from the tunnel network and block it on the public interface
# (pf applies the last matching rule, so the block below overrides the blanket "pass" for port 22 on egress)
pass in on wg0 proto tcp from 192.168.10.0/24 to any port 22
block in on egress proto tcp from any to any port 22
/etc/wireguard/wg0.conf
[Interface]
Address = 192.168.10.1/24
# private key generated on the VPS with: wg genkey
PrivateKey = <VPS private key>
ListenPort = 51820

[Peer]
# the home server's public key, derived from its private key with: wg pubkey
PublicKey = <home server public key>
# pre-shared key generated with: wg genpsk (must be identical in the home server's config)
PreSharedKey = <pre-shared key>
AllowedIPs = 192.168.10.101/32
PersistentKeepalive = 25
*/nginx.conf
It's probably a mess, but it works, so it's fine!
worker_processes 1;

events {
    worker_connections 4096;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 300;
    proxy_buffering on;
    proxy_buffer_size 8k;
    proxy_buffers 100 8k;
    proxy_cache_path /var/cache/nginx/cache/zone1 levels=1:2 keys_zone=zone1:64m inactive=7d max_size=2048m;
    proxy_cache_path /var/cache/nginx/cache/zone2 levels=1:2 keys_zone=zone2:64m inactive=7d max_size=2048m;
    proxy_cache_path /var/cache/nginx/cache/zone3 levels=1:2 keys_zone=zone3:64m inactive=7d max_size=2048m;
    proxy_cache_path /var/cache/nginx/cache/zone4 levels=1:2 keys_zone=zone4:64m inactive=7d max_size=2048m;
    proxy_temp_path /var/cache/nginx/temp;

    # $mobile is part of the cache keys below; it has to be defined somewhere, otherwise nginx
    # warns about an uninitialized variable. This simple User-Agent match gives mobile and
    # desktop responses separate cache entries (the pattern is only an example).
    map $http_user_agent $mobile {
        default "";
        "~*(mobile|android|iphone)" "mobile.";
    }

    server {
        listen 80;
        server_name example.com; # replace with the domain name
        client_max_body_size 10240M;
        location / {
            proxy_pass http://192.168.10.101/;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Cache static content only: default to "do not cache" and clear the flag for static
            # file extensions (without the default the variable is uninitialized, evaluates as
            # empty, and every response would be cached)
            set $do_not_cache 1;
            if ($uri ~* "\.(jpg|jpeg|png|webp|gif|mp4|css|js|ico|woff2)$") {
                set $do_not_cache 0;
            }
            proxy_no_cache $do_not_cache;
            proxy_cache_bypass $do_not_cache;
            proxy_cache zone1;
            proxy_cache_key $scheme$proxy_host$uri$is_args$args;
            proxy_cache_valid 200 201 6h;
            proxy_cache_valid 302 3h;
            proxy_cache_valid 301 1d;
            proxy_cache_valid 404 5m;
            proxy_cache_lock on;
            proxy_buffering on;
        }
    }

    server {
        listen 443 ssl;
        server_name example.com; # replace with the domain name
        client_max_body_size 10240M;
        ssl_certificate /path/to/fullchain.pem; # replace with the SSL certificate
        ssl_certificate_key /path/to/privkey.pem; # same as above, the matching private key
        location / {
            proxy_pass http://192.168.10.101;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Cache static content only (see the comment in the first server block)
            set $do_not_cache 1;
            if ($uri ~* "\.(jpg|jpeg|png|webp|gif|mp4|css|js|ico|woff2)$") {
                set $do_not_cache 0;
            }
            proxy_no_cache $do_not_cache;
            proxy_cache_bypass $do_not_cache;
            proxy_cache zone2;
            proxy_cache_key $mobile$scheme$proxy_host$uri$is_args$args;
            proxy_cache_valid 200 201 6h;
            proxy_cache_valid 302 3h;
            proxy_cache_valid 301 1d;
            proxy_cache_valid 404 5m;
            proxy_cache_lock on;
            proxy_buffering on;
        }
    }

    server {
        listen 80;
        server_name soulminingrig.com;
        client_max_body_size 500M;
        location / {
            proxy_pass http://192.168.10.101;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Cache static content only (see the comment in the first server block)
            set $do_not_cache 1;
            if ($uri ~* "\.(jpg|jpeg|png|webp|gif|mp4|css|js|ico|woff2)$") {
                set $do_not_cache 0;
            }
            proxy_no_cache $do_not_cache;
            proxy_cache_bypass $do_not_cache;
            proxy_cache zone3;
            proxy_cache_key $mobile$scheme$proxy_host$uri$is_args$args;
            proxy_cache_valid 200 201 6h;
            proxy_cache_valid 302 3h;
            proxy_cache_valid 301 1d;
            proxy_cache_valid 404 5m;
            proxy_cache_lock on;
            proxy_buffering on;
        }
    }

    server {
        listen 443 ssl;
        server_name soulminingrig.com www.soulminingrig.com;
        client_max_body_size 500M;
        ssl_certificate /path/to/fullchain.pem; # replace with the SSL certificate
        ssl_certificate_key /path/to/privkey.pem; # same as above, the matching private key
        location / {
            proxy_pass http://192.168.10.101; # replace with the IP address of the reverse proxy destination
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Cache static content only (see the comment in the first server block)
            set $do_not_cache 1;
            if ($uri ~* "\.(jpg|jpeg|png|webp|gif|mp4|css|js|ico|woff2)$") {
                set $do_not_cache 0;
            }
            proxy_no_cache $do_not_cache;
            proxy_cache_bypass $do_not_cache;
            proxy_cache zone1;
            proxy_cache_key $mobile$scheme$proxy_host$uri$is_args$args;
            proxy_cache_valid 200 201 6h;
            proxy_cache_valid 302 3h;
            proxy_cache_valid 301 1d;
            proxy_cache_valid 404 5m;
            proxy_cache_lock on;
            proxy_buffering on;
        }
    }
}
I'm trying to speed things up by placing a cache on this VPS. I plan to stop if there are any issues.
What really got me was this part:
client_max_body_size 500M;
It took me a while to realize that even after raising the upload file size limit on the home server side, uploads wouldn't work correctly unless nginx was configured as well, since nginx's default upload file size limit is 1MB.
Also, I got an error when I kept the zone settings together, so I created folders with `mkdir` and separated the cache folders for each.
And I also set up SSH connections between nginx and the home server.
Home Server Side Settings (Apache2)
/etc/wireguard/wg0.conf
[Interface]
# private key generated on the home server with: wg genkey
PrivateKey = <home server private key>
ListenPort = 51820
# private IP of this machine on the WireGuard network
Address = 192.168.10.101/24
DNS = 8.8.8.8

[Peer]
# the VPS's public key, derived from its private key with: wg pubkey
PublicKey = <VPS public key>
# pre-shared key generated with: wg genpsk (must be identical in the VPS config)
PreSharedKey = <pre-shared key>
# global IP address of the VPS, followed by the WireGuard port
Endpoint = <VPS global IP address>:51820
AllowedIPs = 192.168.10.0/24
PersistentKeepalive = 25
I got stuck with this WireGuard setting once because it wouldn't connect without DNS settings.
I'm temporarily using Google's DNS, but I'll probably change it once I'm back in shape.
And miscellaneous notes
With the above settings, multi-domain didn't work, and even if I registered a second domain, only the first domain was displayed. Changing the port didn't help either, and I was wondering why until I realized I hadn't selected the directory for the new domain in apache2.conf.
<Directory "/where the new domain files are/">
    # Options Indexes FollowSymLinks
    # AllowOverride None
    # Require all granted
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
</Directory>
Is it correct to assume that this allowed for separation?
Also, when using a reverse proxy with WordPress in its default configuration, I ran into confusion with SSL: the site displayed correctly over HTTP, but the CSS stopped working over HTTPS connections. I wondered why, and it seemed that adding the following to wp-config could solve it.
$_SERVER['HTTPS'] = 'on';
There were other methods, but this was the one that worked best, as others sometimes caused the login screen to suddenly switch to HTTP communication.
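As an added example (not code from the original post, nor WordPress's own), the same wp-config.php adjustment can be tied to the X-Forwarded-Proto header that the nginx config above sends, and honoured only when the request really arrived from the VPS through the WireGuard tunnel (192.168.10.1 is the VPS's wg0 address in this setup). That way HTTPS is marked "on" only for requests that were actually HTTPS at the proxy, and a client that reaches Apache directly on the LAN cannot switch the flag on by sending the header itself. The function name and the trusted-proxy list are hypothetical:

```php
<?php
// Added example, not from the original post: set $_SERVER['HTTPS'] from the proxy's
// X-Forwarded-Proto header, but only when the request came from the trusted proxy.
// 192.168.10.1 is the VPS's address on the WireGuard network (from the wg0.conf above);
// the function name and the rest are assumptions made for this example.

function request_is_https(array $server, array $trusted_proxies = ['192.168.10.1']): bool
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    if (!in_array($remote, $trusted_proxies, true)) {
        // Not from the reverse proxy: rely only on Apache's own view of the connection
        // and ignore any X-Forwarded-Proto header the client may have sent.
        return isset($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    }

    // nginx sends "X-Forwarded-Proto: $scheme"; PHP exposes it as HTTP_X_FORWARDED_PROTO.
    // If several proxies appended values, the first one describes the client's connection.
    $header = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $proto  = strtolower(trim(explode(',', $header)[0]));

    return $proto === 'https';
}

if (request_is_https($_SERVER)) {
    $_SERVER['HTTPS'] = 'on';
}
```

Put this in wp-config.php above the "That's all, stop editing!" line, in place of the unconditional `$_SERVER['HTTPS'] = 'on';`. With the port-80 server blocks still proxying plain HTTP, this version leaves those requests as HTTP instead of marking everything as HTTPS.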
It's probably still conflicting.
I should change the port, but I'm tired, so I'll do it later.
It's not organized at all, but I'm leaving it as a memo so I don't forget.