System:Components: Difference between revisions

From jb-vpn.uk Wiki
Minor update - configuration guide: Key Components (6 sections)
Updated documentation from markdown files
 
(One intermediate revision by the same user not shown)
Previous revision (Line 1):

= Key Components =
This document describes the key components of the reverse proxy system.

== Nginx Reverse Proxy ==
'''Purpose''': Acts as the entry point for all web traffic, handling SSL termination and request forwarding.

'''Configuration Locations''':
* '''Available Configs''': <code>/etc/nginx/sites-available/</code>
* '''Enabled Configs''': <code>/etc/nginx/sites-enabled/</code> (symlinks to sites-available)

'''Key Features''':
* SSL/TLS termination
* HTTP to HTTPS redirects
* Proxy header forwarding
* WebSocket support
* Request routing based on hostname

=== Proxy Headers ===
Nginx forwards important headers to maintain client information:
* '''Host''': Preserves the original host header
* '''X-Real-IP''': Client's real IP address
* '''X-Forwarded-For''': Forwarded for chain (for multi-proxy scenarios)
* '''X-Forwarded-Proto''': Original protocol (http/https)
* '''Upgrade & Connection''': For WebSocket support

== SSL/TLS Certificates ==
'''Provider''': Let's Encrypt (free SSL certificates)
'''Management''': Certbot (automatic renewal every 90 days)
'''Certificate Storage''': <code>/etc/letsencrypt/live/[domain]/</code>

'''Features''':
* Automatic renewal via cron/systemd timer
* Wildcard or single-domain certificates
* HTTPS enforcement (HTTP redirects to HTTPS)

== OpenVPN Tunnel ==
'''Purpose''': Creates a secure, encrypted tunnel between the VPS and Synology NAS.

'''Network Details''':
* VPN Server: VPS (10.8.0.1)
* VPN Client: Synology NAS (10.8.0.2)
* Network Range: 10.8.0.0/24

'''Security''':
* Encrypted traffic between VPS and NAS
* NAS not directly exposed to internet
* Internal services accessible only via VPN

== Firewall and Routing ==
'''iptables Rules''':
* '''NAT Rules''': Port forwarding for direct TCP connections
* '''MASQUERADE''': Enables VPN clients to access internet through VPS
* '''FORWARD Rules''': Controls traffic between VPN and internal networks

== Related Documentation ==
* [Network Architecture](network-architecture.md) - Network topology
* [Security Architecture](security.md) - Security features
* [OpenVPN Server](index.md) - VPN configuration

[[Category:Documentation]]
[[Category:Documentation/System]]

Latest revision (Line 1):

= Key Components =
This document describes the key components of the jb-vpn.uk infrastructure.

== Caddy (edge reverse proxy) ==
'''Purpose''': Entry point for public HTTPS traffic on the VPS. Terminates TLS, routes by hostname, and proxies to local Docker services or to the NAS over OpenVPN.

'''Configuration''': <code>/etc/caddy/Caddyfile</code>

'''Key features''':
* Automatic Let's Encrypt certificates and renewal
* HTTP → HTTPS redirects
* Host-based routing (<code>wiki.jb-vpn.uk</code>, <code>dsm.jb-vpn.uk</code>, etc.)
* Proxy headers (<code>Host</code>, <code>X-Real-IP</code>, <code>X-Forwarded-For</code>, <code>X-Forwarded-Proto</code>)
* WebSocket upgrade headers where needed

'''Management''':
<pre class="lang-bash">
caddy validate --config /etc/caddy/Caddyfile
systemctl reload caddy
systemctl status caddy
journalctl -u caddy -n 50
</pre>

== VPS-hosted services (Docker) ==
{| class="wikitable"
|-
| Service || Hostname || Local upstream
|-
| WebApp (prod) || <code>app.jb-vpn.uk</code> || <code>127.0.0.1:8008</code>
|-
| WebApp (beta) || <code>app-beta.josh.me.uk</code> || <code>127.0.0.1:8009</code>
|-
| phpMyAdmin || <code>app-db.josh.me.uk</code> || <code>127.0.0.1:8080</code>
|-
| Main wiki || <code>wiki.jb-vpn.uk</code> || <code>127.0.0.1:8010</code>
|-
| Werbs wiki || <code>werbs-wiki.jb-vpn.uk</code> || <code>127.0.0.1:8011</code>
|-
| Static site || <code>vps.jb-vpn.uk</code> || <code>/var/www/html</code>
|}

MediaWiki stack path: <code>/var/www/wiki.jb/</code>

== OpenVPN tunnel ==
'''Purpose''': Encrypted access from the VPS to the NAS for DSM, Plex, and SSH port forwarding.

'''Network''':
* VPN server (VPS): <code>10.8.0.1</code> on <code>tun0</code>
* NAS client: <code>10.8.0.2</code>
* Subnet: <code>10.8.0.0/24</code>

Caddy reaches NAS services at <code>10.8.0.2</code> (e.g. DSM <code>:5001</code>, Plex <code>:32400</code>) only when the VPN tunnel is up.

== WebApp internal Nginx ==
The WebApp Docker stack uses its own '''Nginx''' container for PHP/Laravel routing on <code>127.0.0.1:8008</code> / <code>8009</code>. That is separate from the public edge proxy (Caddy).

== Firewall and routing ==
'''iptables''' on the VPS:
* NAT / port forwards (e.g. SSH <code>22222</code> → <code>10.8.0.2:22</code>)
* MASQUERADE for VPN clients
* FORWARD rules between <code>tun0</code> and internal targets

== Related documentation ==
* [Network Architecture Network Architecture] — topology and ports
* [Security Security] — security layers
* [[Services:Current Services]] — per-hostname inventory

[[Category:Documentation]]
[[Category:Documentation/System]]

Latest revision as of 14:04, 16 May 2026

This document describes the key components of the jb-vpn.uk infrastructure.

Caddy (edge reverse proxy)

Purpose: Entry point for public HTTPS traffic on the VPS. Terminates TLS, routes by hostname, and proxies to local Docker services or to the NAS over OpenVPN.

Configuration: /etc/caddy/Caddyfile

Key features:

  • Automatic Let's Encrypt certificates and renewal
  • HTTP → HTTPS redirects
  • Host-based routing (wiki.jb-vpn.uk, dsm.jb-vpn.uk, etc.)
  • Proxy headers (Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto)
  • WebSocket upgrade headers where needed

Management:

caddy validate --config /etc/caddy/Caddyfile
systemctl reload caddy
systemctl status caddy
journalctl -u caddy -n 50
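As an added example (not the Caddyfile from this wiki or from the jb-vpn.uk VPS), the script below emits a Caddyfile that covers the hostnames and upstreams listed on this page and validates it with the same `caddy validate` command shown under Management, when the binary is present. It assumes Caddy 2.7 or later for the `{args[0]}` snippet syntax, and that DSM on the NAS speaks HTTPS on 10.8.0.2:5001; the snippet name `proxy` and the helper functions are the example's own.

```shell
#!/bin/sh
# Added example, not the Caddyfile from the jb-vpn.uk VPS. Emits a Caddyfile for the
# hostnames/upstreams this page lists and validates it with the page's own command.
# Assumptions: Caddy 2.7+ ({args[0]} snippet syntax); DSM speaks HTTPS on 10.8.0.2:5001.
set -eu

print_caddyfile() {
cat <<'EOF'
# Caddy sends Host, X-Forwarded-For and X-Forwarded-Proto to upstreams on its own and
# passes WebSocket Upgrade/Connection headers through; X-Real-IP is added explicitly.
# Let's Encrypt issuance and the HTTP -> HTTPS redirect are automatic for each site.
(proxy) {
    reverse_proxy {args[0]} {
        header_up X-Real-IP {remote_host}
    }
}

# Docker services on the VPS (loopback upstreams)
app.jb-vpn.uk {
    import proxy 127.0.0.1:8008
}
app-beta.josh.me.uk {
    import proxy 127.0.0.1:8009
}
app-db.josh.me.uk {
    import proxy 127.0.0.1:8080
}
wiki.jb-vpn.uk {
    import proxy 127.0.0.1:8010
}
werbs-wiki.jb-vpn.uk {
    import proxy 127.0.0.1:8011
}

# Static site served straight from disk
vps.jb-vpn.uk {
    root * /var/www/html
    file_server
}

# NAS service over the OpenVPN tunnel: only reachable while tun0 is up.
# If DSM's certificate is not trusted by the VPS, set the TLS trust options of a
# "transport http" block inside reverse_proxy rather than disabling verification.
dsm.jb-vpn.uk {
    import proxy https://10.8.0.2:5001
}
EOF
}

# Write the file to a temporary path and validate it the way the Management section
# does; nothing is installed into /etc/caddy by this script.
validate_caddyfile() {
    tmp="$(mktemp)"
    print_caddyfile >"$tmp"
    if command -v caddy >/dev/null 2>&1; then
        caddy validate --config "$tmp" --adapter caddyfile
    else
        echo "caddy not installed here; Caddyfile written to $tmp for review" >&2
    fi
}

validate_caddyfile
```

Run it on the VPS to get a validated file, then diff the result against `/etc/caddy/Caddyfile` before any `systemctl reload caddy`; the `dsm.jb-vpn.uk` block will only validate, not serve, while the tunnel is down.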

VPS-hosted services (Docker)

Service          Hostname                 Local upstream
WebApp (prod)    app.jb-vpn.uk            127.0.0.1:8008
WebApp (beta)    app-beta.josh.me.uk      127.0.0.1:8009
phpMyAdmin       app-db.josh.me.uk        127.0.0.1:8080
Main wiki        wiki.jb-vpn.uk           127.0.0.1:8010
Werbs wiki       werbs-wiki.jb-vpn.uk     127.0.0.1:8011
Static site      vps.jb-vpn.uk            /var/www/html

MediaWiki stack path: /var/www/wiki.jb/

OpenVPN tunnel

Purpose: Encrypted access from the VPS to the NAS for DSM, Plex, and SSH port forwarding.

Network:

  • VPN server (VPS): 10.8.0.1 on tun0
  • NAS client: 10.8.0.2
  • Subnet: 10.8.0.0/24

Caddy reaches NAS services at 10.8.0.2 (e.g. DSM :5001, Plex :32400) only when the VPN tunnel is up.
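Because Caddy can only reach 10.8.0.2 while the tunnel is up, a practitioner will want a check that says whether the tunnel is actually usable before blaming the proxy. The script below is an added example, not a script from the jb-vpn.uk wiki: it tests that `tun0` exists and carries the UP flag, that the NAS answers on its tunnel address, and that DSM's port accepts a connection. The interface, addresses and port are taken from this page; the two-second timeouts, the `nc` port probe and the `--check` argument are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not a script from the jb-vpn.uk wiki. Checks the three things Caddy
# depends on before proxying to the NAS: tun0 exists and is UP, 10.8.0.2 answers over
# the tunnel, and DSM's port accepts connections. Addresses/ports come from the page;
# the 2-second timeouts and the nc port probe are assumptions.
set -u

VPN_IF="tun0"
NAS="10.8.0.2"
DSM_PORT="5001"

# Decide from one line of "ip -o link show <if>" output whether the link flag list
# (the <...> part) contains UP. LOWER_UP on its own does not count, which is why the
# flags are split on commas instead of matched as a substring.
link_flags_up() {
    flags="${1#*<}"
    flags="${flags%%>*}"
    case ",$flags," in
        *,UP,*) return 0 ;;
        *) return 1 ;;
    esac
}

tunnel_usable() {
    line="$(ip -o link show "$VPN_IF" 2>/dev/null)" || {
        echo "$VPN_IF is absent: OpenVPN is not running"; return 1; }
    link_flags_up "$line" || { echo "$VPN_IF exists but is not UP"; return 1; }
    ping -c 1 -W 2 "$NAS" >/dev/null 2>&1 || {
        echo "$NAS does not answer over $VPN_IF"; return 1; }
    # Port probe is skipped when no nc binary is available.
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 2 "$NAS" "$DSM_PORT" >/dev/null 2>&1 || {
            echo "DSM port $DSM_PORT on $NAS refused the connection"; return 1; }
    fi
    echo "tunnel usable: $VPN_IF UP, $NAS reachable"
    return 0
}

# The live check runs only when asked, so the file can also be sourced for link_flags_up.
if [ "${1:-}" = "--check" ]; then
    tunnel_usable
fi
```

Invoke as `sh vpn-check.sh --check`; the exit status is non-zero at the first failed stage, so it can sit in a cron job or a monitoring hook next to `journalctl -u caddy`.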

WebApp internal Nginx

The WebApp Docker stack uses its own Nginx container for PHP/Laravel routing on 127.0.0.1:8008 / 8009. That is separate from the public edge proxy (Caddy).

Firewall and routing

iptables on the VPS:

  • NAT / port forwards (e.g. SSH 22222 → 10.8.0.2:22)
  • MASQUERADE for VPN clients
  • FORWARD rules between tun0 and internal targets
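The three rule groups above, written out as an added example rather than the rule set actually loaded on the jb-vpn.uk VPS. The addresses, interface `tun0` and the 22222 → 10.8.0.2:22 forward come from this page; the public interface name `eth0`, the `sysctl` line, the default-drop FORWARD policy and the `run`/`ipt` wrappers are assumptions of the example. The second POSTROUTING rule is the part that is easy to miss: without source NAT on `tun0`, the NAS would answer the forwarded SSH flow through its own default gateway instead of the tunnel.

```shell
#!/bin/sh
# Added example, not the rule set from the jb-vpn.uk VPS. Builds the three rule groups
# this page names (NAT/port forward, MASQUERADE, FORWARD) for the addresses it gives.
# Assumptions: the public interface is eth0 (override with WAN_IF), and the rules are
# appended to chains that are otherwise empty.
set -eu

WAN_IF="${WAN_IF:-eth0}"    # assumed public interface name
VPN_IF="tun0"               # from the page
VPN_NET="10.8.0.0/24"
NAS="10.8.0.2"
SSH_FWD_PORT="22222"

# Every privileged command goes through run(); RUN=echo prints the commands instead of
# executing them, which is how the rules can be reviewed on a machine without root.
run() { ${RUN:-sudo} "$@"; }
ipt() { run iptables "$@"; }

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1

    # NAT / port forward: public :22222 becomes 10.8.0.2:22 across the tunnel.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SSH_FWD_PORT" \
        -j DNAT --to-destination "$NAS:22"
    # Source-NAT the forwarded flow onto tun0 as well, so the NAS sees 10.8.0.1 as the
    # peer and its replies come back through the tunnel instead of its own gateway.
    ipt -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # MASQUERADE for VPN clients: traffic from 10.8.0.0/24 leaves with the VPS address.
    ipt -t nat -A POSTROUTING -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE

    # FORWARD: deny by default, then allow only the two paths above.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$VPN_IF" -p tcp -d "$NAS" --dport 22 -j ACCEPT
    ipt -A FORWARD -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" -j ACCEPT
    # Caddy's own connections to 10.8.0.2 originate on the VPS (OUTPUT chain), so
    # they need no FORWARD rule.
}

# Preview: RUN=echo sh firewall.sh --apply    Apply for real: sh firewall.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Preview with `RUN=echo` first and compare the printed commands against `iptables -t nat -S` and `iptables -S FORWARD` on the VPS; the rules are appended, so run them once or clear the chains before re-running.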
Related documentation

  • Network Architecture — topology and ports
  • Security — security layers