System:Components: Difference between revisions

From jb-vpn.uk Wiki
Added configuration guide: Key Components
 
Minor update - configuration guide: Key Components (6 sections)
Line 8: Line 8:


'''Configuration Locations''':
'''Configuration Locations''':
'' '''Available Configs''': <code>/etc/nginx/sites-available/</code>
* '''Available Configs''': <code>/etc/nginx/sites-available/</code>
'' '''Enabled Configs''': <code>/etc/nginx/sites-enabled/</code> (symlinks to sites-available)
 
* '''Enabled Configs''': <code>/etc/nginx/sites-enabled/</code> (symlinks to sites-available)


'''Key Features''':
'''Key Features''':
'' SSL/TLS termination
* SSL/TLS termination
'' HTTP to HTTPS redirects
 
'' Proxy header forwarding
* HTTP to HTTPS redirects
'' WebSocket support
 
'' Request routing based on hostname
* Proxy header forwarding
 
* WebSocket support
 
* Request routing based on hostname


=== Proxy Headers ===
=== Proxy Headers ===
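Review bot: the left-hand revision's list items under Configuration Locations and Key Features begin with `''`, which is MediaWiki italic markup rather than a bullet, so they rendered as one run of italic text; replacing them with `*` in the right-hand revision is the correct fix and nothing further is needed in this hunk.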
Line 22: Line 27:
Nginx forwards important headers to maintain client information:
Nginx forwards important headers to maintain client information:


'' '''Host''': Preserves the original host header
* '''Host''': Preserves the original host header
'' '''X-Real-IP''': Client's real IP address
 
'' '''X-Forwarded-For''': Forwarded for chain (for multi-proxy scenarios)
* '''X-Real-IP''': Client's real IP address
'' '''X-Forwarded-Proto''': Original protocol (http/https)
 
'' '''Upgrade & Connection''': For WebSocket support
* '''X-Forwarded-For''': Forwarded for chain (for multi-proxy scenarios)
 
* '''X-Forwarded-Proto''': Original protocol (http/https)
 
* '''Upgrade & Connection''': For WebSocket support


== SSL/TLS Certificates ==
== SSL/TLS Certificates ==
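Review bot: the X-Real-IP and X-Forwarded-For items describe the values but not their trust boundary; because the "forwarded for chain" can already contain entries supplied by the client or an earlier proxy before nginx adds its own, the backend should be documented as trusting these headers only on connections that arrive from the proxy and as taking the client address from X-Real-IP or the last X-Forwarded-For entry. The `''` to `*` change itself is fine.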
Line 35: Line 44:


'''Certificate Storage''': <code>/etc/letsencrypt/live/[domain]/</code> '''Features''':
'''Certificate Storage''': <code>/etc/letsencrypt/live/[domain]/</code> '''Features''':
'' Automatic renewal via cron/systemd timer
* Automatic renewal via cron/systemd timer
'' Wildcard or single-domain certificates
 
'' HTTPS enforcement (HTTP redirects to HTTPS)
* Wildcard or single-domain certificates
 
* HTTPS enforcement (HTTP redirects to HTTPS)


== OpenVPN Tunnel ==
== OpenVPN Tunnel ==
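Review bot: `'''Features''':` sits on the same line as the Certificate Storage path in both revisions, so it renders as a trailing word of that line instead of as the label for the list below it; put it on its own line with a blank line before it, like the other labels. Since the list mentions automatic renewal, it would also help to state here that nginx must be reloaded after a renewed certificate lands so the new files are actually served.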
Line 44: Line 55:


'''Network Details''':
'''Network Details''':
'' VPN Server: VPS (10.8.0.1)
* VPN Server: VPS (10.8.0.1)
'' VPN Client: Synology NAS (10.8.0.2)
 
'' Network Range: 10.8.0.0/24
* VPN Client: Synology NAS (10.8.0.2)
 
* Network Range: 10.8.0.0/24


'''Security''':
'''Security''':
'' Encrypted traffic between VPS and NAS
* Encrypted traffic between VPS and NAS
'' NAS not directly exposed to internet
 
'' Internal services accessible only via VPN
* NAS not directly exposed to internet
 
* Internal services accessible only via VPN


== Firewall and Routing ==
== Firewall and Routing ==


'''iptables Rules''':
'''iptables Rules''':
'' '''NAT Rules''': Port forwarding for direct TCP connections
* '''NAT Rules''': Port forwarding for direct TCP connections
'' '''MASQUERADE''': Enables VPN clients to access internet through VPS
 
'' '''FORWARD Rules''': Controls traffic between VPN and internal networks
* '''MASQUERADE''': Enables VPN clients to access internet through VPS
 
* '''FORWARD Rules''': Controls traffic between VPN and internal networks


== Related Documentation ==
== Related Documentation ==


'' [Network Architecture](network-architecture.md) - Network topology
* [Network Architecture](network-architecture.md) - Network topology
'' [Security Architecture](security.md) - Security features
 
* [Security Architecture](security.md) - Security features
 
* [OpenVPN Server](index.md) - VPN configuration
* [OpenVPN Server](index.md) - VPN configuration


[[Category:Documentation]]
[[Category:Documentation]]
[[Category:Documentation/System]]
[[Category:Documentation/System]]
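Review bot: the Related Documentation items use Markdown link syntax such as `[Network Architecture](network-architecture.md)`, which MediaWiki renders as literal bracketed text followed by the filename in parentheses, not as a link; convert them to `[[...]]` wikilinks pointing at the wiki's own pages. In the Firewall and Routing list, "Port forwarding for direct TCP connections" leaves the exposed ports undocumented; naming which ports the NAT rules forward would make the externally reachable surface reviewable.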

Revision as of 13:28, 1 January 2026

Key Components

This document describes the key components of the reverse proxy system.

Nginx Reverse Proxy

Purpose: Acts as the entry point for all web traffic, handling SSL termination and request forwarding.

Configuration Locations:

  • Available Configs: /etc/nginx/sites-available/
  • Enabled Configs: /etc/nginx/sites-enabled/ (symlinks to sites-available)

Key Features:

  • SSL/TLS termination
  • HTTP to HTTPS redirects
  • Proxy header forwarding
  • WebSocket support
  • Request routing based on hostname

Proxy Headers

Nginx forwards important headers to maintain client information:

  • Host: Preserves the original host header
  • X-Real-IP: Client's real IP address
  • X-Forwarded-For: Chain of client and intermediate proxy addresses (for multi-proxy scenarios)
  • X-Forwarded-Proto: Original protocol (http/https)
  • Upgrade & Connection: For WebSocket support

SSL/TLS Certificates

Provider: Let's Encrypt (free SSL certificates)

Management: Certbot (automatic renewal every 90 days)

Certificate Storage: /etc/letsencrypt/live/[domain]/

Features:

  • Automatic renewal via cron/systemd timer
  • Wildcard or single-domain certificates
  • HTTPS enforcement (HTTP redirects to HTTPS)
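The Key Features, Proxy Headers and certificate sections above come together in a single site file; the one below is an added example, not this wiki's or the jb-vpn.uk system's own configuration. The hostname app.example.com, the NAS backend address 10.8.0.2:8080 and the certbot webroot /var/www/letsencrypt are assumptions.

```nginx
# Added example (not the wiki's own config): /etc/nginx/sites-available/app.example.com,
# symlinked into sites-enabled/. Assumed: hostname app.example.com, NAS backend at
# 10.8.0.2:8080 reached over the OpenVPN tunnel, certbot webroot /var/www/letsencrypt.

# WebSocket support: forward "Connection: upgrade" only when the client sent an
# Upgrade header; otherwise send "close" so ordinary requests are not upgraded.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP to HTTPS redirect; the ACME challenge path stays on port 80 so
# certbot's automatic renewal keeps working.
server {
    listen 80;
    listen [::]:80;
    server_name app.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS termination and hostname-based routing to the NAS over the VPN.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.example.com;
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://10.8.0.2:8080;
        proxy_http_version 1.1;   # required for WebSocket upgrades
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For the client already sent,
        # so the backend must treat only the last entry as proxy-verified.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Enable it with a symlink from sites-available into sites-enabled, then run `nginx -t` before `systemctl reload nginx` so a syntax error never takes the proxy down.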

OpenVPN Tunnel

Purpose: Creates a secure, encrypted tunnel between the VPS and Synology NAS.

Network Details:

  • VPN Server: VPS (10.8.0.1)
  • VPN Client: Synology NAS (10.8.0.2)
  • Network Range: 10.8.0.0/24

Security:

  • Encrypted traffic between VPS and NAS
  • NAS not directly exposed to internet
  • Internal services accessible only via VPN

Firewall and Routing

iptables Rules:

  • NAT Rules: Port forwarding for direct TCP connections
  • MASQUERADE: Enables VPN clients to access internet through VPS
  • FORWARD Rules: Controls traffic between VPN and internal networks

Related Documentation

  • [Network Architecture](network-architecture.md) - Network topology
  • [Security Architecture](security.md) - Security features
  • [OpenVPN Server](index.md) - VPN configuration