Obtaining Certificates for Services Running On Different Servers but With Same Public IP

Yeah, I don’t know what I’m doing.
I am all new to this, and before I post this, I PROMISE I have searched the web for 3 days to find a solution. The thing is that I had almost no knowledge of Linux/Ubuntu/Debian, but I just jumped right into it.

Here is my setup:
I have one Pi (A) running Debian. I installed Let’s Encrypt on this, with a DuckDNS domain for my home IP address, and it works fine and everything. My router is forwarded from port 448 (https) to this service on this Pi (A).

Then I have another Pi (B) running Debian, with a web server and several domains.

This is what I want:
I don’t want to use the DuckDNS domain any more; I have my own domain that I want to use.
I want to host HTTPS sites on Pi (B), which runs the web server, and I want the service running on Pi (A) to be HTTPS as well.

I used a tutorial guide to set up Let’s Encrypt on Pi (A), so I kind of know what it’s all about, but I have no idea where to start on solving this problem.

Let me know if you need any additional information.

I apologize for my English and my lack of know-how, hope someone understands my situation and can help.

Hi @filip,

How are you expecting to distinguish between the two sites once they are both set up? How will you indicate that you want to access one of the Pis as opposed to the other one?

By the way, HTTPS is on port 443 rather than 448.

Hi! So, this is not a particularly straightforward question, and the answer depends heavily on what web server you’re using. The problem is, unless you have a very smart router (you probably don’t, they cost a lot), it’s going to have no way of knowing which host to forward traffic to based on URL. (There’s also the issue of the TLS handshake, but we won’t worry about that quite yet.) So, what you’re basically going to have to do is pick one of the two Pis to be the outward-facing web server - probably the beefier of the two on memory, although it’s not really a big deal. This one will be configured as a “reverse proxy” for the other.

Example time! Let’s say you make A the outward-facing one serving apples.com and B the proxied server serving blueberries.com. You will need to forward 443 (not 448 - HTTPS is 443) to A. A will then need to have a certificate with both apples.com and blueberries.com on the same cert. In your web server config, you’ll have apples.com set up like normal, and blueberries.com set to proxy requests to B.

I do this exact same thing with nginx; the directive you would use for A forwarding to B is proxy_pass https://blueberries.com/ inside the server block for blueberries.com in A’s config.
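What the two-server-block layout on A looks like in practice, as an added example (not code from the post above or from the nginx project): apples.com is served by A itself, blueberries.com is terminated on A with the same certificate and proxied to B. It assumes B answers plain HTTP on the LAN address 192.168.1.20 (a constructed placeholder), that the certificate covering both names was issued into /etc/letsencrypt/live/apples.com/ with certbot’s webroot plugin using /var/www/acme, and that A’s own site lives in /var/www/apples. The port 80 block matters for renewals: if every request for blueberries.com were proxied to B, the HTTP-01 challenge for that name would be forwarded to a machine that does not hold the token.

```nginx
# Added example, not from the original post. Assumptions: Pi B listens on
# plain HTTP at the LAN address 192.168.1.20 (constructed placeholder), and one
# certificate covering both names was issued into the paths below, e.g. with
#   certbot certonly --webroot -w /var/www/acme -d apples.com -d blueberries.com

# Port 80: answer ACME HTTP-01 challenges locally for both names and redirect
# everything else to HTTPS. Without this exception the blueberries.com
# challenge would be proxied to B, which does not have the token.
server {
    listen 80;
    server_name apples.com blueberries.com;

    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# apples.com is served by A itself.
server {
    listen 443 ssl;
    server_name apples.com;

    ssl_certificate     /etc/letsencrypt/live/apples.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apples.com/privkey.pem;

    root  /var/www/apples;
    index index.html;
}

# blueberries.com: TLS terminates on A (same certificate, the server block is
# selected by the SNI name the client sends), requests go to B over the LAN.
server {
    listen 443 ssl;
    server_name blueberries.com;

    ssl_certificate     /etc/letsencrypt/live/apples.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apples.com/privkey.pem;

    location / {
        proxy_pass http://192.168.1.20:80;
        # Hand the original host and client details to B so its virtual hosts
        # and logs see the real request rather than A's internal address.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The proxy_pass target is B’s LAN address rather than the public name on purpose: blueberries.com resolves to the router’s public IP, so proxying to it from A would send the traffic back out to the router. If the hop between A and B should be encrypted as well, give B its own certificate, change proxy_pass to https://, and add proxy_ssl_server_name on; so nginx sends the SNI name to B.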

Hi @filip,

As @jared.m pointed out, if you have two different domains, a.com and b.com, resolving to the same public IP (which you seem to do), then you need to use a layer 7 proxy to control the traffic.

There are several ways of solving this.

The easiest way is to use a third Raspberry Pi as a dedicated load balancer. At $35 a pop it’s not a biggie.

A) Router HTTP/HTTPS --> RPI3 - SITE A -> RPI1
                              - SITE B -> RPI2

Because RPI3 is the “front-facing server”, you can configure SSL on this server only, as the backend connections (to RPI1 and RPI2).

You can also have end-to-end encryption and install certificates on both of these as well.

B) With two Raspberry Pis

Router --> RPI1 --> SITE B -> RPI2

RPI1 will need to run a reverse proxy.

C) What software to use for layer 7 proxying

As @jared.m suggested, NGINX is a good proposal; however, recently I have started using the Caddy web server for these kinds of problems.

Andrei

Hi @jared.m, @schoen,
Thanks for taking the time to answer my questions.

@ahaw021 Your A solution might actually be something I think I would be able to set up with my level of experience. Or at least I think I understand it.

But guys, what if I just moved my home automation service from Pi (A) to Pi (B) and only ran on one machine (although I would rather not)? How do I move the certificates to Pi (B) or delete them, and how do I change the domain that I wanted to change? If I just delete the files and the certificate expires, can I just start over like I did the first time with a new domain?
About removing it from Pi (A), can you help me, like with what commands I have to run? :confused:

If you want to consolidate both servers onto one Raspberry Pi, then that’s not a problem.

Move the web server configs etc. to a Raspberry Pi.

Then run the --expand flag and add the domain for the domain you transferred over.

This will create a new certificate with the original domain and the new domain.

But it does have the advantage that your certificate chain is updated.

Have a look at --expand here: Reverse Engineering Certbot Expand Option to Use with Another Client

Andrei

Hi Andrei,
I gave up on the other solutions and I moved my Home Assistant service together with the Apache server (only one RPI). Now, to do what you say, would this be it? Sort of: https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-web-server-and-reverse-proxy-for-apache-on-one-ubuntu-16-04-server
