ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Nginx Active-Passive HA

    Scheduled Pinned Locked Moved IT Discussion
    nginxhahigh availability
    31 Posts 6 Posters 3.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • NashBrydgesN
      NashBrydges
      last edited by

      My initial cert request process looks like this:

      certbot certonly -d mydomain.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" --preferred-challenges http

      When prompted, I select 1 to spin up a temporary web server for the issuance and challenge. This as I understand it allows me to not have to name webroot folders anywhere. I've already defined the path of the certs because this is easy to figure out based on the command line that will save the certs in the location for the first named domain so when Nginx restarts, certs and domain are all good to go. I have a separate Nginx server that handles nothing but proxy and SSL services. All sites are hosted on their own Fedora, CentOS or Ubuntu servers. I don't use webroot authentication.

      If I setup .well-known path, can this be setup globally for all cert issuances and renewals? I guess I would set this up in my config file for each domain.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller
        last edited by

        Yeah, that's nothing like what my initial looks like.

        1 Reply Last reply Reply Quote 0
        • black3dynamiteB
          black3dynamite
          last edited by black3dynamite

          Using well-known path looks like a better approach.

          https://community.letsencrypt.org/t/auto-renewal-with-nginx-without-downtime/7814/2
          0_1520437868927_pfg1.png

          https://community.letsencrypt.org/t/auto-renewal-with-nginx-without-downtime/7814/4
          0_1520437882156_pfg2.png

          https://github.com/mbrugger/letsencrypt-nginx-docker/blob/master/README.md

          JaredBuschJ dbeatoD 2 Replies Last reply Reply Quote 2
          • JaredBuschJ
            JaredBusch @black3dynamite
            last edited by

            @black3dynamite correct. this is what I need to setup on my system.

            1 Reply Last reply Reply Quote 0
            • dafyreD
              dafyre
              last edited by

              server {
                     listen         80;
                     server_name    my.domain.com;
                     return         301 https://$server_name$request_uri;
              
                      location /.well-known/acme-challenge {
                          root /var/www/letsencrypt;
                       }
              }
              

              Is what an example I have on one of mine.

              NashBrydgesN 1 Reply Last reply Reply Quote 0
              • dafyreD
                dafyre
                last edited by

                Honest question... Why not just rsync /etc/letsencrypt from ServerA to ServerB after the certs are renewed?

                JaredBuschJ 1 Reply Last reply Reply Quote 0
                • JaredBuschJ
                  JaredBusch @dafyre
                  last edited by

                  @dafyre said in Nginx Active-Passive HA:

                  Honest question... Why not just rsync /etc/letsencrypt from ServerA to ServerB after the certs are renewed?

                  There is not discussion about the second server at this point. it is all about the initial renew.

                  1 Reply Last reply Reply Quote 2
                  • NashBrydgesN
                    NashBrydges @dafyre
                    last edited by

                    @dafyre said in Nginx Active-Passive HA:

                        location /.well-known/acme-challenge {
                            root /var/www/letsencrypt;
                         }
                    

                    So I understand it well, these lines are ONLY to tell Let's Encrypt which folders to look to for the challenge/response and has nothing to do with any actual site webroot folders. Am I correct? This is just used so Nginx can act as the web server for those challenges/responses.

                    dafyreD 1 Reply Last reply Reply Quote 0
                    • dbeatoD
                      dbeato @black3dynamite
                      last edited by

                      @black3dynamite said in Nginx Active-Passive HA:

                      Using well-known path looks like a better approach.

                      https://community.letsencrypt.org/t/auto-renewal-with-nginx-without-downtime/7814/2
                      0_1520437868927_pfg1.png

                      https://community.letsencrypt.org/t/auto-renewal-with-nginx-without-downtime/7814/4
                      0_1520437882156_pfg2.png

                      https://github.com/mbrugger/letsencrypt-nginx-docker/blob/master/README.md

                      I just setup that yesterday on my NGINX Proxy.

                      1 Reply Last reply Reply Quote 0
                      • dafyreD
                        dafyre @NashBrydges
                        last edited by dafyre

                        @nashbrydges said in Nginx Active-Passive HA:

                        @dafyre said in Nginx Active-Passive HA:

                            location /.well-known/acme-challenge {
                                root /var/www/letsencrypt;
                             }
                        

                        So I understand it well, these lines are ONLY to tell Let's Encrypt which folders to look to for the challenge/response and has nothing to do with any actual site webroot folders. Am I correct? This is just used so Nginx can act as the web server for those challenges/responses.

                        Right. But any website you want to protect with SSL, you add this into the server {} section for each site... so if you have my.domain.conf, and nextcloud.domain.conf, you'd have to put the code in each of those files in the server {} sections.

                        Edit: here's the full config for that site:

                        server {
                               listen         80;
                               server_name    my.domain.com
                               return         301 https://$server_name$request_uri;
                        
                                location /.well-known/acme-challenge {
                                    root /var/www/letsencrypt;
                                 }
                        }
                        
                        server {
                         listen 443 ssl;
                        
                         server_name my.domain.com
                        
                         client_max_body_size 10G;
                         fastcgi_buffers 64 4K;
                         proxy_send_timeout     7200;
                         send_timeout   7200;
                        
                         add_header Strict-Transport-Security "max-age=15552000; includeSubdomains;" always;
                         ssl on;
                         ssl_certificate /etc/nginx/certs/my.domain.com/fullchain.pem;
                         ssl_certificate_key /etc/nginx/certs/my.domain.com/privkey.pem;
                         ssl_protocols  TLSv1.1 TLSv1.2;
                         ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
                        
                         location / {
                          proxy_pass http://my.ip.addr.ess;
                          proxy_set_header Host $host;
                          proxy_set_header X-Real-IP $remote_addr;
                          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                          proxy_set_header X-Forwarded-Proto $scheme;
                        
                        }
                        
                         location /.well-known/acme-challenge {
                            root /var/www/letsencrypt;
                         }
                        
                        }
                        
                        NashBrydgesN 1 Reply Last reply Reply Quote 1
                        • NashBrydgesN
                          NashBrydges @dafyre
                          last edited by

                          @dafyre Awesome! Thanks for clarifying that. I don't have any expiring certs for the next 40 days so I'll keep a look out to see how this works.

                          1 Reply Last reply Reply Quote 0
                          • NashBrydgesN
                            NashBrydges
                            last edited by

                            Assuming this is going to work as planned, back to the original question...setting up Nginx HA and certs management. Which approach is best/recommended?

                            1. Let each Nginx server manage its own certs and renewals?
                            2. Only have one manage certs and renewals and copy certs to second node?
                            3. Use Let's Encrypt --duplicate option (here)?
                            4. None of the above?
                            dafyreD 1 Reply Last reply Reply Quote 0
                            • dafyreD
                              dafyre @NashBrydges
                              last edited by

                              @nashbrydges said in Nginx Active-Passive HA:

                              Assuming this is going to work as planned, back to the original question...setting up Nginx HA and certs management. Which approach is best/recommended?

                              1. Let each Nginx server manage its own certs and renewals?
                              2. Only have one manage certs and renewals and copy certs to second node?
                              3. Use Let's Encrypt --duplicate option (here)?
                              4. None of the above?

                              I see no reason approach #2 won't work. The private keys are under /etc/letsencrypt with the actual certs themselves too.

                              Just use rsync with the appropriate switches to preserve permissions and such.

                              JaredBuschJ 1 Reply Last reply Reply Quote 0
                              • dbeatoD
                                dbeato
                                last edited by

                                I have this for my well-known on my Nginx Proxy
                                0_1520451668608_DeepinScreenshot_select-area_20180307144017.png

                                1 Reply Last reply Reply Quote 0
                                • JaredBuschJ
                                  JaredBusch @dafyre
                                  last edited by

                                  @dafyre said in Nginx Active-Passive HA:

                                  @nashbrydges said in Nginx Active-Passive HA:

                                  Assuming this is going to work as planned, back to the original question...setting up Nginx HA and certs management. Which approach is best/recommended?

                                  1. Let each Nginx server manage its own certs and renewals?
                                  2. Only have one manage certs and renewals and copy certs to second node?
                                  3. Use Let's Encrypt --duplicate option (here)?
                                  4. None of the above?

                                  I see no reason approach #2 won't work. The private keys are under /etc/letsencrypt with the actual certs themselves too.

                                  Just use rsync with the appropriate switches to preserve permissions and such.

                                  I would definitely do #2.

                                  1 Reply Last reply Reply Quote 0
                                  • JaredBuschJ
                                    JaredBusch
                                    last edited by

                                    @NashBrydges side question. If you setup the .well-known to work correctly, why do you then need the HA? because nginx will never be down except for the momentary reload after the certs are updated.

                                    NashBrydgesN 1 Reply Last reply Reply Quote 1
                                    • NashBrydgesN
                                      NashBrydges @JaredBusch
                                      last edited by

                                      @jaredbusch said in Nginx Active-Passive HA:

                                      @NashBrydges side question. If you setup the .well-known to work correctly, why do you then need the HA? because nginx will never be down except for the momentary reload after the certs are updated.

                                      That certainly addresses the biggest concern about a long downtime during the renewall process for a high number of certs and probably addresses most concerns with this client. He's already running Veeam replication to a second box so his RTO and RPO are relatively short and within his business tolerance.

                                      Having said that, it's a great learning opportunity for me to set this up in my lab, if for no other reason than to try it and see how it works.

                                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                                      • JaredBuschJ
                                        JaredBusch @NashBrydges
                                        last edited by

                                        @nashbrydges said in Nginx Active-Passive HA:

                                        @jaredbusch said in Nginx Active-Passive HA:

                                        @NashBrydges side question. If you setup the .well-known to work correctly, why do you then need the HA? because nginx will never be down except for the momentary reload after the certs are updated.

                                        That certainly addresses the biggest concern about a long downtime during the renewall process for a high number of certs and probably addresses most concerns with this client. He's already running Veeam replication to a second box so his RTO and RPO are relatively short and within his business tolerance.

                                        Having said that, it's a great learning opportunity for me to set this up in my lab, if for no other reason than to try it and see how it works.

                                        Certainly no reason not to do it for a lab. and for a proxy with as much as it sounds like you have in production, it will still be a likely good solution.

                                        1 Reply Last reply Reply Quote 2
                                        • 1
                                        • 2
                                        • 1 / 2
                                        • First post
                                          Last post