• 0 Posts
  • 17 Comments
Joined 1 year ago
cake
Cake day: November 21st, 2023

help-circle


  • I’ve sysadmined wordpress for about 7 years professionally, so this stuff is as easy as making cereal to me. But there is a few steps. On a high level:

    - Subdomain must point to your public IP

    - Your public IP probably changes sometimes so you should have a way to automate updating the IP for your home server via the DNS provider’s API

    - Your router must be forwarding port 80 and 443 to your server

    - Your server needs a web server software that can take the request and map it to the right virtual host for your site (and you need to make said virtual host)

    - The wordpress install needs to have used wp-cli or a wp-config.php hack to change the domain of the site that wordpress thinks it is running as

    - You need to secure the domain with letsencrypt, certbot will do this for you

    This is the steps for a traditional web server, but since we usually use docker around these parts, instead of the normal web server software (apache or nginx) the way to use in docker is “letsencrypt nginx proxy companion” which will route an incoming connection to the docker container running wordpress and handle letsencrypt for you.

    There are also a few other ways one might commonly set this all up, and what steps you are missing depends on the way you are hosting wordpress right now.

    If you fill in some of the missing information on what you do or dont have from the steps above, I’ll let you know what’s next. Or you can send me a PM on reddit and I’ll help you out!



  • Your whole life becomes much simpler when you use docker.

    Elevator pitch: Docker containers are preconfigured services which run isolated from the rest of your system and only expose individual directories you map into the container. These directories are the persistence part of the application and survive a restart of the container or the host system. Just backup your scripts and the data directories and you have backed up your entire server.

    I have a few scripts as examples. ‘cd “$(dirname “$0”)”’ changes to the directory the script is stored in, and therefore will create and map data directories from that parent directory.

    Letsencrypt proxy companion will set up a single listener for web and ssl traffic, setup virtual hosts automatically, and setup SSL, all with automations.

    First, you need letsencrypt nginx proxy companion:

    #!/bin/bash
    

    cd “$(dirname “$0”)”

    docker run --detach
    –restart always
    –name nginx-proxy
    –publish 80:80
    –publish 443:443
    –volume $(pwd)/certs:/etc/nginx/certs
    –volume $(pwd)/vhost:/etc/nginx/vhost.d
    –volume $(pwd)/conf:/etc/nginx/conf.d
    –volume $(pwd)/html:/usr/share/nginx/html
    –volume /var/run/docker.sock:/tmp/docker.sock:ro
    –volume $(pwd)/my_proxy.conf:/etc/nginx/conf.d/my_proxy.conf:ro
    –volume $(pwd)/nginx.conf:/etc/nginx/nginx.conf:ro
    –volume $(pwd)/acme:/etc/acme.sh
    jwilder/nginx-proxy

    docker run --detach
    –restart always
    –name nginx-proxy-letsencrypt
    –volumes-from nginx-proxy
    –volume /var/run/docker.sock:/var/run/docker.sock:ro
    –env “DEFAULT_EMAIL=YOUR_EMAIL_ADDRESS_GOES_HERE@MYDOMAIN.COM
    jrcs/letsencrypt-nginx-proxy-companion

    Then for each service, you can start with a docker command as well with a few extra environment variables. Here is one for nextcloud:

    docker run -d \
    

    –name nextcloud
    –hostname cloud.MYDOMAIN.COM
    -v $(pwd)/data:/var/www/html
    -v $(pwd)/php.ini:/usr/local/etc/php/conf.d/zzz-custom.ini
    –env “VIRTUAL_HOST=cloud.MYDOMAIN.COM
    –env “LETSENCRYPT_HOST=cloud.MYDOMAIN.COM
    –env “VIRTUAL_PROTO=http”
    –env “VIRTUAL_PORT=80”
    –env “OVERWRITEHOST=cloud.MYDOMAIN.COM
    –env “OVERWRITEPORT=443”
    –env “OVERWRITEPROTOCOL=https”
    –restart unless-stopped
    nextcloud:25.0.0

    And Plex (/dev/dri is quicksync for hardware transcode):

    docker run \
    --device /dev/dri:/dev/dri \
    --restart always \
    -d \
    --name plex \
    --network host \
    -e TZ="America/Chicago" \
    -e PLEX_CLAIM="claim-somerandomcharactershere" \
    -v $(pwd)/config:/config \
    -v /my/media/directory/on/host/system:/media \
    plexinc/pms-docker
    

    Obsidian:

    docker run --rm -d \
    

    –name obsidian
    -v $(pwd)/vaults:/vaults
    -v $(pwd)/config:/config
    –env "VIRTUAL_HOST=obsidian.MYDOMAIN.COM "
    –env "LETSENCRYPT_HOST=obsidian.MYDOMAIN.COM "
    –env “VIRTUAL_PROTO=http”
    –env “VIRTUAL_PORT=8080”
    ghcr.io/sytone/obsidian-remote:latest




  • So I assume you have a web server somewhere which is configured to host virtual hosts in some regard. You need to set up a virtual host which is configured to respond to requests for mydomain.com and reply with a redirect to aa.mydomain.com. The DNS for the domain root must be an A record, so you will have to set the IP address for your web server on the A record for mydomain.com. How exactly this looks and what sticky points you have in setting this up depends on what your web server setup is like - maybe you have this all working, but if not, if this is just an apache or nginx install, then we need to work through setting up the virtual host, or if this is a docker style nginx letsencrypt manager, then thats another set of configuration issues.

    Let me know how far you’ve gotten, or if nowhere at all and you need a recommendation for how to do this, let me know. Let me know a little more about your web server environment that responds to mydomain.com if you have one set up (linux? windows? router with pfsense?)

    The way I do this is my router forwards all http and https traffic to my web server running ubuntu, and docker-letsencrypt-nginx-proxy-companion handles all the virtual hosts. Then if I wanted to create a redirect for a single domain, I would make a docker container that served an nginx server and have it configured with a redirect. But I must acknowledge I’ve been a sysadmin for 10 years and there may be more user friendly turnkey ways to do this, I’m just doing what works for me.







  • There is this thing called the internet, it’s filled with web servers. It’s what cybersecurity is basically all about.

    A web server is more than just a thing that serves up personal web pages. Virtually all system to system communication uses a web servers nowadays, the world runs on APIs.

    I feel like this is like asking why you’d have to know how a stove works if you’re going to be a cook. It’s more than just related, it’s practically the core most fundamental thing you need to know how it works in order to be a cybersecurity pentest person.

    Imho attitude’s like this really turn me off in some people. A friend of mine wanted to learn computer programming and information technology, so I gave him a crash course on docker with the goal of setting up a container to handle vpn bittorrent downloads. Really simple stuff, like copy and pasting a few commands. He asked why even do this if he can just use deluge on his desktop. Like, it’s missing the forest for the trees, you need to know how stuff works to be useful to people that are looking to hire people who know how stuff works.

    The friend of mine was hoping to work with me as a contractor so he could get high paid computer work, but frankly, I don’t need to hire someone who is too lazy to learn even the most basic fundamentals. And in your case, knowing how a web server works is fundamentals. And you can figure out the basics in only a few days.

    The only way you’re going to make it in info tech is to be curious and figure out how stuff works. That is the *only* real skill you need to succeed.



  • Oh dude, yeah ChatGPT knows Linux and docker better than I do and I’ve been doing this sort of thing professionally for 15 years, lol. Whatever you need as far as writing scripts, invoking containers, or generally asking it questions, you can just consider it an expert network administrator and it can write all your scripts and whathaveyou.

    One of the best moments this year was when I realized I never had to figure out how to write an iptables command again lol


  • One thing nobody has mentioned here, I run all my services as a docker container. It makes them very easy to back up, and very easy to segregate. If a service gets compromised, in theory, it’s isolated to what it can access inside the docker container and can’t compromise the host. And if you delete and rebuild the container, any damage done in the container dies with it.

    Running home assistant with docker is as simple as the command:

    sudo docker run -d \

    --name homeassistant \

    --restart=unless-stopped \

    -e TZ=America/Chicago \

    -v $(pwd)/homeassistant:/config \

    --network=host \

    homeassistant/home-assistant

    There is of course, more details to learn and the devils are in the details, but thankfully anything you want to know on how to set up your network in this regard you can just ask chatgpt.