Debian GNU/Linux 12 (bookworm)
FreedomBox version 25.4.1(Pioneer)
I’ve read some threads on fbx and reverse proxies.
I’m trying to work out a configuration for fbx when it’s behind an upstream reverse proxy (nginx). I would like to keep fbx config as vanilla as possible but I would like:
- for fbx services to be accessed as <domain-name>/<some-extra-pathword>/plinth/<fbx-svc> and <domain-name>/<some-extra-pathword>/_cockpit/<fbx-cfg>. The purpose of <some-extra-pathword> is to keep fbx from being as easily scripted by hackers. I know obscurity isn’t security, but having these services’ access URL changed from a known default might avoid “interest”.
- to simplify TLS management. The upstream proxy will service multiple virtual hosts, including a domain name that will have services running on both the fbx and other servers. I’m a LE\certbot noob, but it looks like the certs acquired from LE are on a “per domain” basis. I’m unsure of the best way to handle the situation where two different servers are running (https) services for the same domain name. I think the upstream reverse proxy (nginx) can handle TLS termination, or [SNI?] pass-through. But what’s gonna happen when certbot is run on two different servers for the same domain name, either for “first-issuance” certs or later for “renewal” certs? If LE\certbot can handle this type of config, then I’m happy to let fbx get its certs as designed, but I’m thinking certbot might not be that sophisticated, and I’ll need to acquire certs on one server, and then manually copy them to the other server? Ouch.
- for the default “/” url path (or any non-fbx urls) to route to the other server, not <fbx>/plinth. This is probably best configured\managed at the reverse-proxy?
TIA
rickbol
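As an added illustration of the layout the post asks about (not the poster's configuration, nor anything shipped by FreedomBox), here is an nginx server block that terminates TLS once at the proxy with a single Let's Encrypt certificate, sends the extra path word to FreedomBox and routes everything else to the other server. The domain, backend addresses and the path word "secretword" are placeholders.

```nginx
# Added example: upstream nginx in front of FreedomBox and a second server.
# All addresses, the domain and the path word are assumptions, not values from the post.
upstream freedombox { server 192.0.2.10:443; }   # assumed LAN address of the FreedomBox
upstream other_app  { server 192.0.2.20:8080; }  # assumed LAN address of the other server

# Needed so Cockpit's WebSocket connections survive the proxy.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name example.org;                      # assumed domain name

    # One certificate for the name, obtained by certbot on the proxy only.
    # HTTP-01 renewals for example.org therefore always land here, and the
    # backends never need to run certbot for this name themselves.
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # FreedomBox (Plinth and Cockpit) under the extra path word.
    # The trailing slash on proxy_pass strips "/secretword/", so
    # /secretword/plinth/... reaches the backend as /plinth/... .
    location /secretword/ {
        proxy_pass https://freedombox/;
        # Assumption: the box still serves its own self-signed cert on the LAN.
        # Prefer proxy_ssl_trusted_certificate + proxy_ssl_verify on if you can.
        proxy_ssl_verify off;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 1h;                    # long-lived Cockpit sessions
    }

    # Default "/" and every other non-fbx path go to the other server.
    location / {
        proxy_pass http://other_app;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Caveat: prefix stripping only works cleanly if the proxied application can be told it lives under that prefix; Plinth and Cockpit emit absolute /plinth and /_cockpit links, so redirects and assets may escape "/secretword/" unless the backend is made aware of it.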