proxmox/docs/04-configuration/NGINX_PROXY_MANAGER_SSL_CONFIGURATION.md
defiQUG fbda1b4beb
docs: Ledger Live integration, contract deploy learnings, NEXT_STEPS updates
- ADD_CHAIN138_TO_LEDGER_LIVE: Ledger form done; public code review repo bis-innovations/LedgerLive; init/push commands
- CONTRACT_DEPLOYMENT_RUNBOOK: Chain 138 gas price 1 gwei, 36-addr check, TransactionMirror workaround
- CONTRACT_*: AddressMapper, MirrorManager deployed 2026-02-12; 36-address on-chain check
- NEXT_STEPS_FOR_YOU: Ledger done; steps completable now (no LAN); run-completable-tasks-from-anywhere
- MASTER_INDEX, OPERATOR_OPTIONAL, SMART_CONTRACTS_INVENTORY_SIMPLE: updates
- LEDGER_BLOCKCHAIN_INTEGRATION_COMPLETE: bis-innovations/LedgerLive reference

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-12 15:46:57 -08:00


# Nginx Proxy Manager SSL Configuration Guide
**Last Updated:** 2026-01-31
**Document Version:** 1.0
**Status:** Active Documentation
---
**Date**: 2026-01-09
**Status**: Configuration Script Created
**NPM URL**: `http://192.168.11.26:81`
---
## Overview
This guide covers requesting Let's Encrypt certificates for all 19 public domains in Nginx Proxy Manager (NPM) and forcing HTTPS on each proxy host. NPM validates every name with the HTTP-01 challenge, so each domain must be reachable on port 80 from the Internet at request time and again at every renewal.
---
## Prerequisites
1. **Nginx Proxy Manager Access**
- URL: `http://192.168.11.26:81`
- Admin credentials required
2. **DNS Configuration**
- All domains must resolve to `76.53.10.36`
- DNS propagation complete (verified ✅)
3. **Port Forwarding**
- HTTP (80) and HTTPS (443) forwarded to `192.168.11.26`
- UDM Pro port forwarding configured ✅
4. **Environment Variables**
- `NPM_URL`: Nginx Proxy Manager URL (default: `http://192.168.11.26:81`)
- `NPM_EMAIL`: Admin email for Let's Encrypt
- `NPM_PASSWORD`: Admin password
---
## Automated Configuration
### Option 1: Browser Automation Script
A Playwright script is available to automate the configuration:
```bash
cd /home/intlc/projects/proxmox
NPM_EMAIL=your-email@example.com NPM_PASSWORD=your-password \
node scripts/nginx-proxy-manager/configure-ssl-all-domains.js
```
Typing `NPM_PASSWORD=...` inline like this leaves the NPM admin password in shell history; prefer prompting for it with `read -s` and exporting it, and do not run the script from a shared shell account.
**Environment Variables:**
```bash
export NPM_URL="http://192.168.11.26:81"
export NPM_EMAIL="admin@example.com"
export NPM_PASSWORD="your-password"
export HEADLESS="false" # Set to "true" for headless mode
export PAUSE_MODE="true" # Set to "true" to pause at each step
```
---
## Manual Configuration Steps
If automation is not available, follow these manual steps:
### Step 1: Access Nginx Proxy Manager
1. Open browser: `http://192.168.11.26:81`
2. Log in with admin credentials
### Step 2: Configure Proxy Host for Each Domain
For each domain, follow these steps:
1. **Navigate to Proxy Hosts**
- Click **Proxy Hosts** in the left menu
- Click **Add Proxy Host**
2. **Details Tab**
- **Domain Names**: Enter the domain (e.g., `explorer.d-bis.org`)
- **Scheme**: Select `https` for targets that themselves serve TLS (the RPC nodes on `192.168.11.251` and `192.168.11.252`, port 443) and `http` for everything else. NPM does not verify the upstream certificate by default (nginx's `proxy_ssl_verify` is off), so an `https` scheme protects the LAN hop's confidentiality but does not authenticate the upstream
- **Forward Hostname/IP**: Enter target IP (e.g., `192.168.11.140`)
- **Forward Port**: Enter target port (e.g., `80` or `443`)
- **Cache Assets**: Enable only for the static sites; leave it off for the RPC, API and admin hosts
- **Block Common Exploits**: Enable ✅
- **Websockets Support**: Enable for WebSocket domains ✅
3. **SSL Tab**
- Click **SSL** tab
- Click **Request a new SSL Certificate**
- **Email Address for Let's Encrypt**: Enter your email
- **I Agree to the Let's Encrypt Terms of Service**: Check ✅
- **Force SSL**: Enable ✅ (NPM answers plain HTTP with a 301 redirect to HTTPS)
- **HTTP/2 Support**: Enable ✅
- **HSTS Enabled**: Enable ✅, but only once the certificate has been issued and `https://` for the host is confirmed working; browsers cache the header, so a broken HTTPS host stays unreachable for the policy's lifetime
- **HSTS Subdomains**: Leave off unless every subdomain is served over HTTPS; on an apex such as `sankofa.nexus` or `mim4u.org` it commits all subdomains, including ones not proxied through NPM
4. **Save**
- Click **Save**
- NPM runs the HTTP-01 challenge and issues the certificate on save (allow 1-2 minutes); if the challenge fails, an error is shown. Work through Troubleshooting before retrying, because repeated failures count against Let's Encrypt's rate limits
---
## Domain Configuration Reference
### sankofa.nexus Zone (5 domains)
| Domain | Target | Port | SSL |
|--------|--------|------|-----|
| `sankofa.nexus` | `192.168.11.140` | 80 | Let's Encrypt |
| `www.sankofa.nexus` | `192.168.11.140` | 80 | Let's Encrypt |
| `phoenix.sankofa.nexus` | `192.168.11.140` | 80 | Let's Encrypt |
| `www.phoenix.sankofa.nexus` | `192.168.11.140` | 80 | Let's Encrypt |
| `the-order.sankofa.nexus` | `192.168.11.140` | 80 | Let's Encrypt |
### d-bis.org Zone (9 domains)
| Domain | Target | Port | SSL | Notes |
|--------|--------|------|-----|-------|
| `explorer.d-bis.org` | `192.168.11.140` | 80 | Let's Encrypt | Blockscout |
| `rpc-http-pub.d-bis.org` | `192.168.11.252` | 443 | Let's Encrypt | WebSocket ✅ |
| `rpc-ws-pub.d-bis.org` | `192.168.11.252` | 443 | Let's Encrypt | WebSocket ✅ |
| `rpc-http-prv.d-bis.org` | `192.168.11.251` | 443 | Let's Encrypt | WebSocket ✅ |
| `rpc-ws-prv.d-bis.org` | `192.168.11.251` | 443 | Let's Encrypt | WebSocket ✅ |
| `dbis-admin.d-bis.org` | `192.168.11.130` | 80 | Let's Encrypt | |
| `dbis-api.d-bis.org` | `192.168.11.155` | 3000 | Let's Encrypt | |
| `dbis-api-2.d-bis.org` | `192.168.11.156` | 3000 | Let's Encrypt | |
| `secure.d-bis.org` | `192.168.11.130` | 80 | Let's Encrypt | |
### mim4u.org Zone (4 domains)
| Domain | Target | Port | SSL |
|--------|--------|------|-----|
| `mim4u.org` | `192.168.11.19` | 80 | Let's Encrypt |
| `www.mim4u.org` | `192.168.11.19` | 80 | Let's Encrypt |
| `secure.mim4u.org` | `192.168.11.19` | 80 | Let's Encrypt |
| `training.mim4u.org` | `192.168.11.19` | 80 | Let's Encrypt |
### defi-oracle.io Zone (1 domain)
| Domain | Target | Port | SSL |
|--------|--------|------|-----|
| `rpc.public-0138.defi-oracle.io` | `192.168.11.252` | 443 | Let's Encrypt |
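An added audit script, not part of this repository or of Nginx Proxy Manager, that reads the proxy hosts back from NPM's API and diffs them against the tables above, so a hand-configured host with Force SSL or HSTS left off, or pointed at the wrong target, is caught before it goes live. It assumes NPM's v2 REST API as exposed by the standard image: `POST /api/tokens` with `identity`/`secret` returns a bearer token, and `GET /api/nginx/proxy-hosts` returns objects with the fields `domain_names`, `forward_host`, `forward_port`, `forward_scheme`, `certificate_id`, `ssl_forced`, `hsts_enabled`, `http2_support`, `block_exploits`, `allow_websocket_upgrade` and `enabled`; confirm those names against your instance. The `https` scheme for port-443 targets and the WebSocket expectations are taken from the tables (`rpc.public-0138.defi-oracle.io` carries no WebSocket mark, so it is not required there).

```python
"""Audit NPM's proxy hosts against the desired-state tables on this page.

Added example, not NPM's own code or the repo's Playwright script. Assumes the
NPM v2 REST API: POST /api/tokens {"identity", "secret"} -> {"token"} and
GET /api/nginx/proxy-hosts -> list of host objects with the field names below.
"""
import json
import os
import urllib.request

NPM_URL = os.environ.get("NPM_URL", "http://192.168.11.26:81")

# Desired state transcribed from the tables: domain -> (forward host, forward port, websockets)
DESIRED = {
    "sankofa.nexus": ("192.168.11.140", 80, False),
    "www.sankofa.nexus": ("192.168.11.140", 80, False),
    "phoenix.sankofa.nexus": ("192.168.11.140", 80, False),
    "www.phoenix.sankofa.nexus": ("192.168.11.140", 80, False),
    "the-order.sankofa.nexus": ("192.168.11.140", 80, False),
    "explorer.d-bis.org": ("192.168.11.140", 80, False),
    "rpc-http-pub.d-bis.org": ("192.168.11.252", 443, True),
    "rpc-ws-pub.d-bis.org": ("192.168.11.252", 443, True),
    "rpc-http-prv.d-bis.org": ("192.168.11.251", 443, True),
    "rpc-ws-prv.d-bis.org": ("192.168.11.251", 443, True),
    "dbis-admin.d-bis.org": ("192.168.11.130", 80, False),
    "dbis-api.d-bis.org": ("192.168.11.155", 3000, False),
    "dbis-api-2.d-bis.org": ("192.168.11.156", 3000, False),
    "secure.d-bis.org": ("192.168.11.130", 80, False),
    "mim4u.org": ("192.168.11.19", 80, False),
    "www.mim4u.org": ("192.168.11.19", 80, False),
    "secure.mim4u.org": ("192.168.11.19", 80, False),
    "training.mim4u.org": ("192.168.11.19", 80, False),
    "rpc.public-0138.defi-oracle.io": ("192.168.11.252", 443, False),
}

# Flags the Details/SSL steps say must be on for every host (assumed NPM field names).
REQUIRED_FLAGS = ("ssl_forced", "http2_support", "hsts_enabled", "block_exploits")


def audit_host(host: dict, desired: dict = DESIRED) -> dict:
    """Pure check of one proxy-host object. Returns {domain: [problems]}; an empty list is a pass."""
    findings = {}
    for domain in host.get("domain_names", []):
        problems = []
        want = desired.get(domain)
        if want is None:
            problems.append("not in the desired-state table")
        else:
            fwd_host, fwd_port, websockets = want
            got = f"{host.get('forward_host')}:{host.get('forward_port')}"
            if got != f"{fwd_host}:{fwd_port}":
                problems.append(f"forwards to {got}, expected {fwd_host}:{fwd_port}")
            scheme = "https" if fwd_port == 443 else "http"   # rule from the Details step
            if host.get("forward_scheme") != scheme:
                problems.append(f"forward scheme is {host.get('forward_scheme')}, expected {scheme}")
            if websockets and not host.get("allow_websocket_upgrade"):
                problems.append("WebSockets support is off")
        if not host.get("certificate_id"):          # 0 / None: no certificate attached
            problems.append("no certificate attached")
        problems += [f"{flag} is off" for flag in REQUIRED_FLAGS if not host.get(flag)]
        if not host.get("enabled", True):
            problems.append("proxy host is disabled")
        findings[domain] = problems
    return findings


def missing_domains(hosts: list, desired: dict = DESIRED) -> list:
    """Domains from the table that no proxy host serves at all."""
    configured = {d for h in hosts for d in h.get("domain_names", [])}
    return sorted(set(desired) - configured)


def npm_login(base: str, email: str, password: str) -> str:
    body = json.dumps({"identity": email, "secret": password}).encode()
    req = urllib.request.Request(f"{base}/api/tokens", data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["token"]


def npm_proxy_hosts(base: str, token: str) -> list:
    req = urllib.request.Request(f"{base}/api/nginx/proxy-hosts",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = npm_login(NPM_URL, os.environ["NPM_EMAIL"], os.environ["NPM_PASSWORD"])
    hosts = npm_proxy_hosts(NPM_URL, token)
    for h in hosts:
        for domain, problems in audit_host(h).items():
            print(f"{'OK ' if not problems else 'BAD'} {domain}"
                  + (": " + "; ".join(problems) if problems else ""))
    for domain in missing_domains(hosts):
        print(f"MISSING {domain}: no proxy host configured")
```

Run it with the same `NPM_URL`, `NPM_EMAIL` and `NPM_PASSWORD` variables the Playwright script uses; a `BAD` line names each deviation from the table, and `MISSING` lines list domains that have no proxy host yet.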
---
## Verification
### Test SSL Certificate
After configuration, test each domain from outside the LAN (a request from inside does not exercise the UDM Pro port forward):
```bash
# Plain HTTP must answer with a 301 to the HTTPS URL (Force SSL)
curl -sI http://explorer.d-bis.org | grep -iE '^(HTTP/|location:)'
# HTTPS must connect and carry the HSTS header
curl -sI https://explorer.d-bis.org | grep -iE '^(HTTP/|strict-transport-security:)'
# Issuer, subject and validity window of the certificate actually served
openssl s_client -connect explorer.d-bis.org:443 -servername explorer.d-bis.org < /dev/null 2>/dev/null \
  | openssl x509 -noout -issuer -subject -dates
```
### Expected Results
- ✅ HTTPS connection successful
- ✅ Certificate issued by Let's Encrypt
- ✅ HTTP redirects to HTTPS (301)
- ✅ Certificate valid for domain (SAN covers the hostname, `notAfter` well in the future)
- ✅ `Strict-Transport-Security` header present on the HTTPS response
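As an added check (not one of this repository's scripts), the following Python script probes every hostname from the tables above for the expected results in one pass: DNS pointing at `76.53.10.36`, a 301 from plain HTTP to HTTPS, a chain-verified Let's Encrypt certificate whose SAN covers the name, and an HSTS header. The 14-day expiry threshold is an assumption: certbot renews at 30 days remaining, so anything below 14 means renewal has been failing for a while. The checks on fetched data are kept separate from the network probes so they can be exercised offline on a constructed certificate dict.

```python
"""Probe every public hostname from the tables after NPM has been configured.

Added example, not part of the page or of Nginx Proxy Manager. Standard library
only; PUBLIC_IP, the domain list and the 301 redirect come from the page,
MIN_DAYS_LEFT is an assumption.
"""
import http.client
import socket
import ssl
from datetime import datetime, timezone

PUBLIC_IP = "76.53.10.36"   # from the Prerequisites section
MIN_DAYS_LEFT = 14          # assumption: certbot renews at 30 days left, so <14 means renewal is broken

DOMAINS = [
    "sankofa.nexus", "www.sankofa.nexus", "phoenix.sankofa.nexus",
    "www.phoenix.sankofa.nexus", "the-order.sankofa.nexus",
    "explorer.d-bis.org", "rpc-http-pub.d-bis.org", "rpc-ws-pub.d-bis.org",
    "rpc-http-prv.d-bis.org", "rpc-ws-prv.d-bis.org", "dbis-admin.d-bis.org",
    "dbis-api.d-bis.org", "dbis-api-2.d-bis.org", "secure.d-bis.org",
    "mim4u.org", "www.mim4u.org", "secure.mim4u.org", "training.mim4u.org",
    "rpc.public-0138.defi-oracle.io",
]


def issuer_org(cert: dict) -> str:
    """organizationName of the issuer from an ssl.getpeercert() dict (tuple of RDNs)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def san_names(cert: dict) -> set:
    return {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def days_until_expiry(not_after: str, now=None) -> float:
    """not_after is in getpeercert() form, e.g. 'Apr 30 12:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def assess_cert(cert: dict, domain: str, now=None) -> list:
    """Pure check of a getpeercert() dict; returns the list of problems (empty means OK)."""
    problems = []
    org = issuer_org(cert)
    if org != "Let's Encrypt":
        problems.append(f"issuer is '{org or 'unknown'}', not Let's Encrypt")
    if domain not in san_names(cert):
        problems.append("certificate SAN does not include this hostname")
    left = days_until_expiry(cert["notAfter"], now)
    if left < MIN_DAYS_LEFT:
        problems.append(f"expires in {left:.1f} days; renewal may be failing")
    return problems


def assess_redirect(status: int, location: str, domain: str) -> list:
    """Pure check of the plain-HTTP answer: Force SSL replies 301 to https://<host>."""
    if status != 301 or not location.startswith(f"https://{domain}"):
        return [f"HTTP gave {status} {location or '(no Location)'}, expected 301 to https://{domain}"]
    return []


def assess_hsts(header) -> list:
    return [] if header and "max-age=" in header else ["Strict-Transport-Security header missing"]


# --- live probes (network); everything above is testable offline ----------------------

def fetch_cert(domain: str, timeout: float = 5.0) -> dict:
    """Full handshake with chain and hostname verification; raises ssl.SSLError on a bad chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()


def probe(domain: str) -> list:
    problems = []
    try:
        if socket.gethostbyname(domain) != PUBLIC_IP:
            problems.append(f"does not resolve to {PUBLIC_IP}")
        conn = http.client.HTTPConnection(domain, 80, timeout=5)
        conn.request("GET", "/", headers={"Host": domain})
        resp = conn.getresponse()
        problems += assess_redirect(resp.status, resp.getheader("Location", ""), domain)
        problems += assess_cert(fetch_cert(domain), domain)
        https = http.client.HTTPSConnection(domain, 443, context=ssl.create_default_context(), timeout=5)
        https.request("HEAD", "/")
        problems += assess_hsts(https.getresponse().getheader("Strict-Transport-Security"))
    except OSError as exc:   # DNS, connect, timeout and TLS (ssl.SSLError is an OSError) failures
        problems.append(f"probe failed: {exc}")
    return problems


if __name__ == "__main__":
    for d in DOMAINS:
        found = probe(d)
        print(f"{'OK  ' if not found else 'FAIL'} {d}" + (": " + "; ".join(found) if found else ""))
```

Because `fetch_cert` uses `ssl.create_default_context()`, an incomplete chain, an expired certificate or a hostname mismatch already surfaces as a `probe failed` line from the handshake itself; `assess_cert` then covers the things a valid handshake does not tell you, namely who issued the certificate and how long it has left.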
---
## Troubleshooting
### Certificate Request Fails
**Issue**: Let's Encrypt certificate request fails
**Possible Causes:**
1. DNS not propagated (domain doesn't resolve to `76.53.10.36`), or a CAA record on the zone that does not authorise `letsencrypt.org`
2. Port 80 not reachable from the Internet (Let's Encrypt's validators must fetch `http://<domain>/.well-known/acme-challenge/...` through the UDM Pro forward to NPM)
3. Something other than NPM answers port 80 for the domain (an earlier proxy or web server), so the challenge is served by the wrong host
4. Rate limiting: Let's Encrypt allows 5 failed validations per hostname per hour and 5 duplicate certificates per week
**Solutions:**
1. Verify DNS: `dig +short domain.com` (expect `76.53.10.36`) and `dig +short domain.com CAA`
2. Test HTTP from outside the LAN: `curl -I http://domain.com` should get a response from NPM; a timeout means the port forward is not working, and a response from a different server means cause 3
3. If rate limited, wait 1 hour for the failed-validation limit to reset; the duplicate-certificate limit lasts a week
4. Check NPM logs for the specific certbot error before retrying, so failed attempts do not pile up against the rate limit
### Port 443 Not Working
**Issue**: HTTPS connection fails after certificate configuration
**Possible Causes:**
1. Port forwarding rule not active
2. Firewall blocking port 443
3. Nginx not listening on port 443
**Solutions:**
1. Verify UDM Pro port forwarding: `76.53.10.36:443 → 192.168.11.26:443`
2. Check firewall rules on UDM Pro
3. Verify Nginx is listening on the NPM host: `ss -tlnp | grep ':443'` (or `netstat -tlnp | grep 443` where `ss` is unavailable)
### Certificate Not Auto-Renewing
**Issue**: Let's Encrypt certificates expire
**Solution:**
- Nginx Proxy Manager renews certificates itself, but every renewal repeats the HTTP-01 challenge: if the port-80 forward, the A record or the CAA record changes after issuance, renewal fails and the certificate runs out at the end of its 90-day lifetime
- Check expiry in the SSL Certificates tab, and watch `notAfter` from outside (the `openssl` check under Verification) so a failed renewal is noticed well before expiry
- Manual renewal: Click "Renew" button for certificate; if that fails, work through "Certificate Request Fails" above
---
## Automation Script Usage
### Basic Usage
```bash
node scripts/nginx-proxy-manager/configure-ssl-all-domains.js
```
### With Environment Variables
```bash
NPM_EMAIL=admin@example.com \
NPM_PASSWORD=your-password \
HEADLESS=false \
PAUSE_MODE=true \
node scripts/nginx-proxy-manager/configure-ssl-all-domains.js
```
### Headless Mode (No Browser UI)
```bash
HEADLESS=true \
NPM_EMAIL=admin@example.com \
NPM_PASSWORD=your-password \
node scripts/nginx-proxy-manager/configure-ssl-all-domains.js
```
---
## Related Documentation
- **[NGINX_PUBLIC_IP_CONFIGURATION.md](./NGINX_PUBLIC_IP_CONFIGURATION.md)** - Public IP configuration
- **[CENTRAL_NGINX_ROUTING_SETUP.md](../05-network/CENTRAL_NGINX_ROUTING_SETUP.md)** - Central Nginx routing
- **[NGINX_PUBLIC_IP_VERIFICATION_REPORT.md](./NGINX_PUBLIC_IP_VERIFICATION_REPORT.md)** - Verification report
---
**Last Updated**: 2026-01-09
**Status**: Configuration script ready