System:Components: Difference between revisions

From jb-vpn.uk Wiki
Added configuration guide: Key Components
 
Updated documentation from markdown files
 
(2 intermediate revisions by the same user not shown)
Previous revision:

= Key Components =

This document describes the key components of the reverse proxy system.

== Nginx Reverse Proxy ==

'''Purpose''': Acts as the entry point for all web traffic, handling SSL termination and request forwarding.

'''Configuration Locations''':
* '''Available Configs''': <code>/etc/nginx/sites-available/</code>
* '''Enabled Configs''': <code>/etc/nginx/sites-enabled/</code> (symlinks to sites-available)

'''Key Features''':
* SSL/TLS termination
* HTTP to HTTPS redirects
* Proxy header forwarding
* WebSocket support
* Request routing based on hostname

=== Proxy Headers ===

Nginx forwards important headers to maintain client information:

* '''Host''': Preserves the original host header
* '''X-Real-IP''': Client's real IP address
* '''X-Forwarded-For''': Forwarded-for chain (for multi-proxy scenarios)
* '''X-Forwarded-Proto''': Original protocol (http/https)
* '''Upgrade & Connection''': For WebSocket support

== SSL/TLS Certificates ==

'''Provider''': Let's Encrypt (free SSL certificates)

'''Management''': Certbot (automatic renewal every 90 days)

'''Certificate Storage''': <code>/etc/letsencrypt/live/[domain]/</code>

'''Features''':
* Automatic renewal via cron/systemd timer
* Wildcard or single-domain certificates
* HTTPS enforcement (HTTP redirects to HTTPS)

== OpenVPN Tunnel ==

'''Purpose''': Creates a secure, encrypted tunnel between the VPS and Synology NAS.

'''Network Details''':
* VPN Server: VPS (10.8.0.1)
* VPN Client: Synology NAS (10.8.0.2)
* Network Range: 10.8.0.0/24

'''Security''':
* Encrypted traffic between VPS and NAS
* NAS not directly exposed to internet
* Internal services accessible only via VPN

== Firewall and Routing ==

'''iptables Rules''':
* '''NAT Rules''': Port forwarding for direct TCP connections
* '''MASQUERADE''': Enables VPN clients to access internet through VPS
* '''FORWARD Rules''': Controls traffic between VPN and internal networks

== Related Documentation ==

* [Network Architecture](network-architecture.md) - Network topology
* [Security Architecture](security.md) - Security features
* [OpenVPN Server](index.md) - VPN configuration

[[Category:Documentation]]
[[Category:Documentation/System]]

Latest revision as of 14:04, 16 May 2026

= Key Components =

This document describes the key components of the jb-vpn.uk infrastructure.

== Caddy (edge reverse proxy) ==

'''Purpose''': Entry point for public HTTPS traffic on the VPS. Terminates TLS, routes by hostname, and proxies to local Docker services or to the NAS over OpenVPN.

'''Configuration''': <code>/etc/caddy/Caddyfile</code>

'''Key features''':
* Automatic Let's Encrypt certificates and renewal
* HTTP → HTTPS redirects
* Host-based routing (<code>wiki.jb-vpn.uk</code>, <code>dsm.jb-vpn.uk</code>, etc.)
* Proxy headers (<code>Host</code>, <code>X-Real-IP</code>, <code>X-Forwarded-For</code>, <code>X-Forwarded-Proto</code>)
* WebSocket upgrade headers where needed

'''Management''':

<pre class="lang-bash">
# Check the Caddyfile before touching the running service
caddy validate --config /etc/caddy/Caddyfile
# Graceful reload: new config is loaded without dropping open connections
systemctl reload caddy
systemctl status caddy
# Last 50 log lines (TLS issuance, upstream dial errors, reload failures)
journalctl -u caddy -n 50
</pre>
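A Caddyfile matching this section, written out by a small sh script so that it can be validated with the management commands above and so that the upstreams it declares can be checked. This is an added example, not the VPS's <code>/etc/caddy/Caddyfile</code>; the <code>plex.jb-vpn.uk</code> hostname, the ACME contact address and the assumption that DSM presents a self-signed certificate are assumptions, not facts from this page. It also makes two points the feature list leaves implicit: Caddy sets X-Forwarded-For/-Proto/-Host and handles the WebSocket Upgrade/Connection handshake on its own, so only X-Real-IP needs a <code>header_up</code>; and it replaces X-Forwarded-* arriving from addresses not listed in <code>trusted_proxies</code>, which is why the upstreams may trust those headers only while they are reachable solely through Caddy. The <code>check_upstreams</code> function enforces the Caddyfile side of that condition.

```sh
#!/bin/sh
# Added example, not the VPS's real /etc/caddy/Caddyfile. Writes a Caddyfile in
# the shape this page describes, then checks that every upstream is loopback or
# on the VPN subnet. Assumptions: hostname plex.jb-vpn.uk, admin@example.org as
# ACME contact, DSM on 10.8.0.2:5001 presenting a self-signed certificate.
set -eu

VPN_PREFIX="10.8.0."   # OpenVPN subnet 10.8.0.0/24 from this page

write_caddyfile() {
	cat > "$1" <<'EOF'
{
	# ACME contact (assumption); certificates and renewals are automatic.
	email admin@example.org
}

# Caddy sets X-Forwarded-For/-Proto/-Host itself, keeps Host, and handles the
# WebSocket Upgrade/Connection handshake; only X-Real-IP needs adding. Client-
# sent X-Forwarded-* are replaced unless the client is in trusted_proxies.
app.jb-vpn.uk {
	reverse_proxy 127.0.0.1:8008 {
		header_up X-Real-IP {remote_host}
	}
}
app-beta.josh.me.uk {
	reverse_proxy 127.0.0.1:8009 {
		header_up X-Real-IP {remote_host}
	}
}
app-db.josh.me.uk {
	reverse_proxy 127.0.0.1:8080 {
		header_up X-Real-IP {remote_host}
	}
}
wiki.jb-vpn.uk {
	reverse_proxy 127.0.0.1:8010 {
		header_up X-Real-IP {remote_host}
	}
}
werbs-wiki.jb-vpn.uk {
	reverse_proxy 127.0.0.1:8011 {
		header_up X-Real-IP {remote_host}
	}
}
vps.jb-vpn.uk {
	root * /var/www/html
	file_server
}

# NAS services, reachable only while the OpenVPN tunnel (tun0) is up.
dsm.jb-vpn.uk {
	reverse_proxy https://10.8.0.2:5001 {
		header_up X-Real-IP {remote_host}
		transport http {
			# DSM's certificate is self-signed (assumption); the hop stays inside
			# the VPN. Trusting its CA via tls_trusted_ca_certs would be stricter.
			tls_insecure_skip_verify
		}
	}
}
plex.jb-vpn.uk {
	reverse_proxy 10.8.0.2:32400 {
		header_up X-Real-IP {remote_host}
	}
}
EOF
}

# Print each reverse_proxy upstream, scheme stripped, one per line.
list_upstreams() {
	awk '$1 == "reverse_proxy" { sub(/^https?:\/\//, "", $2); print $2 }' "$1"
}

# Fail if an upstream is neither loopback nor on the VPN subnet: anything else
# is a service reachable from the internet without passing through Caddy.
check_upstreams() {
	bad=0
	for up in $(list_upstreams "$1"); do
		case "$up" in
			127.*|"$VPN_PREFIX"*) ;;
			*) echo "unexpected upstream: $up" >&2; bad=1 ;;
		esac
	done
	return "$bad"
}

main() {
	tmp=$(mktemp)
	write_caddyfile "$tmp"
	check_upstreams "$tmp"
	# Syntax check with the real binary when it is installed (works offline).
	if command -v caddy >/dev/null 2>&1; then
		caddy validate --config "$tmp" --adapter caddyfile
	fi
	rm -f "$tmp"
}
main
```

Run it as <code>sh caddy-check.sh</code>: it writes the Caddyfile to a temporary file, runs the upstream check, and runs <code>caddy validate</code> if the binary is present. To use the content for real, write it to <code>/etc/caddy/Caddyfile</code> and reload with the commands above; <code>check_upstreams /etc/caddy/Caddyfile</code> is worth running after every edit, since a single upstream pointing at a public address is exactly the mistake that quietly bypasses the proxy.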

== VPS-hosted services (Docker) ==

{| class="wikitable"
|-
! Service !! Hostname !! Local upstream
|-
| WebApp (prod) || <code>app.jb-vpn.uk</code> || <code>127.0.0.1:8008</code>
|-
| WebApp (beta) || <code>app-beta.josh.me.uk</code> || <code>127.0.0.1:8009</code>
|-
| phpMyAdmin || <code>app-db.josh.me.uk</code> || <code>127.0.0.1:8080</code>
|-
| Main wiki || <code>wiki.jb-vpn.uk</code> || <code>127.0.0.1:8010</code>
|-
| Werbs wiki || <code>werbs-wiki.jb-vpn.uk</code> || <code>127.0.0.1:8011</code>
|-
| Static site || <code>vps.jb-vpn.uk</code> || <code>/var/www/html</code>
|}

MediaWiki stack path: <code>/var/www/wiki.jb/</code>
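The "Local upstream" column only holds if each container publishes its port on <code>127.0.0.1</code>. A compose <code>ports:</code> entry such as <code>8008:80</code> binds <code>0.0.0.0</code> and <code>::</code> instead, and Docker DNATs and forwards that traffic to the container itself, so the host's INPUT rules never see it and the service answers the internet directly, bypassing Caddy, its TLS and the X-Forwarded-* headers the applications rely on. The script below is an added example, not a tool from this wiki: it reads <code>docker ps</code> output and lists every publish that is not loopback-bound. The sample lines are constructed and the container names in them are made up; they do not describe the real VPS.

```sh
#!/bin/sh
# Added example: find Docker-published ports not bound to loopback, i.e.
# services reachable without going through Caddy. The sample data below is
# constructed; the container names are made up and do not describe the VPS.
set -eu

# Read `docker ps --format '{{.Names}} {{.Ports}}'` lines on stdin and print
# "<container> <publish>" for each publish bound to a wildcard address.
# Entries without "->" are container-internal exposes, not host publishes.
exposed_publishes() {
	awk '{
		name = $1
		sub(/^[^ ]+ ?/, "")               # drop the name, keep the ports column
		n = split($0, pubs, /, */)        # one entry per published port
		for (i = 1; i <= n; i++) {
			p = pubs[i]
			if (p !~ /->/) continue
			if (p ~ /^(0\.0\.0\.0:|:::|\[::\]:)/) print name, p
		}
	}'
}

# Constructed sample in docker ps format. The 127.0.0.1 form is the correct
# pattern for this page's layout; "demo-exposed" shows the mistake.
SAMPLE_PS='webapp 127.0.0.1:8008->80/tcp
webapp-beta 127.0.0.1:8009->80/tcp
wiki 127.0.0.1:8010->80/tcp
demo-exposed 0.0.0.0:8080->80/tcp, :::8080->80/tcp
db 3306/tcp'

# Number of wildcard publishes in the sample (self-check helper).
sample_exposed_count() {
	printf '%s\n' "$SAMPLE_PS" | exposed_publishes | awk 'END { print NR }'
}

# Against the live daemon. Fix for each hit: publish as "127.0.0.1:PORT:CPORT"
# (compose ports: entry or -p 127.0.0.1:PORT:CPORT) and recreate the container.
live_check() {
	docker ps --format '{{.Names}} {{.Ports}}' | exposed_publishes
}

printf '%s\n' "$SAMPLE_PS" | exposed_publishes
```

On the VPS, <code>live_check</code> should print nothing; any line it prints names a container that is reachable on the public address regardless of what the Caddyfile routes, and <code>ss -ltn</code> will show the same port bound to <code>0.0.0.0</code> or <code>[::]</code>.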

== OpenVPN tunnel ==

'''Purpose''': Encrypted access from the VPS to the NAS for DSM, Plex, and SSH port forwarding. The NAS is the OpenVPN client, so it dials out to the VPS and nothing on the home side has to accept inbound connections.

'''Network''':
* VPN server (VPS): <code>10.8.0.1</code> on <code>tun0</code>
* NAS client: <code>10.8.0.2</code>
* Subnet: <code>10.8.0.0/24</code>

Caddy reaches NAS services at <code>10.8.0.2</code> (e.g. DSM <code>:5001</code>, Plex <code>:32400</code>) only when the VPN tunnel is up; while it is down those hostnames answer with Caddy's 502 upstream error rather than a TLS failure, which is the first thing to check in <code>journalctl -u caddy</code>.

== WebApp internal Nginx ==

The WebApp Docker stack uses its own '''Nginx''' container for PHP/Laravel routing on <code>127.0.0.1:8008</code> / <code>8009</code>. That is separate from the public edge proxy (Caddy): it listens only on loopback, so it receives requests from Caddy rather than directly from the internet.

== Firewall and routing ==

'''iptables''' on the VPS:
* NAT / port forwards (e.g. SSH <code>22222</code> → <code>10.8.0.2:22</code>)
* MASQUERADE for VPN clients
* FORWARD rules between <code>tun0</code> and internal targets
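The rules the three items above summarise, written as an added example rather than the VPS's real iptables state; it also covers the OpenVPN section's point that everything NAS-side depends on <code>tun0</code>. Forwarding defaults to DROP, so a VPN peer gets only the flows listed: replies, the <code>22222</code> to <code>10.8.0.2:22</code> forward, and VPN-to-internet egress. The WAN interface name <code>eth0</code> and the extra MASQUERADE on the SSH forward are assumptions; the latter is only needed if the NAS's default route does not point into the tunnel, which this page does not state. With no argument the script prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example: iptables rules for the VPS side of the layout on this page.
# Not the VPS's real rule set. Assumptions: WAN interface eth0; NAS default
# route does not point into the tunnel, so DNAT'd flows are masqueraded on tun0.
# `sh vpn-fw.sh apply` applies as root; any other invocation prints the rules.
set -eu

DRY_RUN="${DRY_RUN:-0}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF=tun0
VPN_NET=10.8.0.0/24
NAS=10.8.0.2
SSH_FWD_PORT=22222    # public port; the NAS sshd listens on 22

# Every command goes through here so DRY_RUN=1 prints instead of applying.
run() {
	if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# The kernel must route between interfaces for any FORWARD/NAT rule to matter.
enable_forwarding() {
	run sysctl -w net.ipv4.ip_forward=1
}

# Default-deny forwarding; allow only replies and the flows listed below.
# Docker inserts its own FORWARD chains on this host; these are appended after.
forward_policy() {
	run iptables -P FORWARD DROP
	run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Port forward: internet -> VPS:22222 -> NAS:22 over the tunnel.
nat_ssh_forward() {
	run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SSH_FWD_PORT" \
		-j DNAT --to-destination "$NAS:22"
	run iptables -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -d "$NAS" -p tcp --dport 22 \
		-m conntrack --ctstate NEW -j ACCEPT
	# Return path (assumption about the NAS routing table): the NAS would answer
	# a public source address via its own default route, not the tunnel.
	# Masquerading makes the NAS see 10.8.0.1, at the cost of losing the real
	# client IP in the NAS sshd log, so rate-limit or ban on the VPS instead.
	run iptables -t nat -A POSTROUTING -o "$VPN_IF" -d "$NAS" -p tcp --dport 22 -j MASQUERADE
}

# VPN clients reach the internet through the VPS's public address.
nat_vpn_egress() {
	run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE
	run iptables -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
}

# Caddy talks to the NAS from the VPS itself (OUTPUT, not FORWARD), so nothing
# else needs forwarding into tun0. No rule allows tun0 -> tun0 or tun0 -> docker
# bridges, so a VPN peer cannot reach other internal targets.
apply_all() {
	enable_forwarding
	forward_policy
	nat_ssh_forward
	nat_vpn_egress
}

case "${1:-}" in
	apply) apply_all ;;            # needs root and the real iptables
	*) DRY_RUN=1; apply_all ;;     # default: show what would be applied
esac
```

Check the result with <code>iptables -S FORWARD</code> and <code>iptables -t nat -S</code>; the forward to the NAS is only useful while <code>tun0</code> exists, and a DNAT rule with no matching FORWARD accept silently drops the connection rather than refusing it.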
== Related documentation ==

* [[Network Architecture]] — topology and ports
* [[Security]] — security layers
* [[Services:Current Services]] — per-hostname inventory

[[Category:Documentation]]
[[Category:Documentation/System]]