Versions Compared

Old Version 60

changes.mady.by.user Charles Wernicke

Saved on

compared with

New Version 61

changes.mady.by.user Charles Wernicke

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Panel
bgColor#E3FCEF

AUTOMATED INSTRUCTIONS: batm-manage install-reverse-proxy

The CAS CLI tool batm-manage includes an automated script to install NGINX and Let’s Encrypt:

...

Expose HTTP and HTTPS in UFW

Both of the following approaches (AUTOMATED or MANUAL) require you to open ports 80 and 443 in UFW for HTTP and HTTPS access. This must be done before proceeding.

This command opens both at the same time:

Code Block
sudo ufw allow "Nginx Full"

...

Panel
bgColor#E3FCEF

AUTOMATED INSTRUCTIONS: batm-manage install-reverse-proxy

...

The CAS CLI tool batm-manage includes an automated script to install NGINX and Let’s Encrypt:

Code Block
sudo /batm/batm-manage install-reverse-proxy

  • This tool will configure your REST API proxy to the standard, well-known port 443.

  • Port 443 is the standard TLS/SSL port exposed used by secure (HTTPS) websites.

Note

Prerequisites before using install-reverse-proxy:

  1. Open port 80 (HTTP) in UFW to enable the Let’s Encrypt certbot domain-control-check, andopen .

    1. See: Configuring Server Firewalls

  2. Open port 443 in UFW to expose/enable HTTPS.

    1. See: Configuring Server Firewalls

  3. You must own and control a valid DNS domain,

    1. for example, agent86.yourcasdomain.com must resolve (to your CAS public IP).

    2. See below: Create an “A” record

    3. The script will fail if you cannot supply a valid DNS domain. If the script fails for this reason, then:

      1. add the domain (e.g. agent86.yourcasdomain.com) to your DNS records, and

      2. run sudo certbot --nginx to try again.

  4. The /batm/config/hostname file must point to that valid domain to be used.

    1. See: https://generalbytes.atlassian.net/wiki/x/CICpz

    2. The script will fail if this file is missing. If the file is missing:

      1. create the file (with the correct contents),

      2. restart CAS, and

      3. run install-reverse-proxy again.

  5. Disable version reporting in NGINX to improve security:

    1. Edit the file: /etc/nginx/nginx.conf

    2. Find the line: # server_tokens off;

    3. Delete the leading hashtag “#" (only the hashtag) to disable version reporting.

    4. Test the configuration and restart NGINX: sudo nginx -t && sudo systemctl reload nginx

...

  • Replace "yourcasdomain.com" with your registered (and active) domain name.

  • The subdomain “agent86” can be replaced with any text - and will be justified in the next steps.RFC 952 compliant text.

  • Modify the example master service bound IP “10.3.2.1" as needed.

    • This example presents a typical case and 10.3.2.1 is usually correct.

    • Port 7743 always remains the same.

  • Press CTRL-X to save the file and exit (leave the filename unchanged).

This server block ADDS another possible port exposure to the world. The default configuration already exposes port 80 (HTTP), and this additional server block adds port 443 (HTTPS) to the list. It isn’t secure yet (that comes next) - when we use Let’s Encrypt to do the heavy lifting.

3. Verify the 3. Verify the NGINX configuration and test it.

...

  • Use your actual CAS IP for the IPv4 address (“12.34.56.78” in the graphic), and

  • use an obscure name (e.g. “agent86”). Your customers will see this name, and it should be unique.

  • Disable any proxy for this entry (e.g. on Cloudflare).

  • in this example, the FQDN would be: agent86.yourcasdomain.com

Note

If you use the a Cloudflare tunnel, do not conflict this DNS entry may conflict with the tunnel name. In that case, see the notes at the bottom of this article:

  • Using a Cloudflare certificate and key

    • choose a different name

    You do not need to use both NGINX and the cloudflared tunnel (they serve the same purpose) anyway.

    ...

    If you already have certificates from a CA, then you should install those certificates as instructed by the provider. This article does not address that topic.

    Example Certificate Authority: https://www.digicert.com/tls-ssl/compare-certificates

    For this example we’ll install certbot from Let’s Encrypt to do the work for us.

    1. Install the certbot SNAP:

    Code Block
    sudo snap install --classic certbot

    Add the binary to your path:

    Code Block
    sudo ln -s /snap/bin/certbot /usr/bin/certbot

    2. Install SSL/TLS

    Get your Certificate and Key from Let’s Encrypt, allowing it to modify your NGINX configuration to adhere to current SSL/TLS advised standards.

    a) Temporarily disable your firewall:

    Expose port 80 (HTTP) to the world while running certbot. The simplest way to do this:

    Code Block
    sudo ufw disable

    b) Execute certbot:

    Code Block
    sudo certbot --nginx

    • Enter your email & agree to the terms (if offered).

    • When NGINX is properly configured, the “agent86” subdomain (in this example) will be automatically suggested (and the proper server block thus modified).

    • (warning) If the challenge fails, check your firewall and DNS records.

    ...

    c) Restart NGINX:

    Code Block
    sudo nginx -t && sudo systemctl restart nginx

    d) Test the automatic renewal:

    Code Block
    sudo certbot renew --dry-run

    ...

    e) Re-enable UFW to secure your server.

    Code Block
    sudo ufw enable

    3. Changing the exposed port.

    If using Veriff, skip this step. Veriff does not support custom ports.

    • Veriff requires the standard HTTPS port 443 to be exposed.

    • Adjust all tests & parameters accordingly, examples:

      • Lightning URL: https://agent86.yourcasdomain.com/extensions/lnurl/

    The certbot routine will automatically set your exposed port to 443. That’s a normal HTTPS port - but it’s predictable. Change the port to a random number between 1024 - 49151 to make your server more difficult to recognize & attack. We’ll use 7443 in this example.

    Modify the port number in the NGINX server block:

    Code Block
    sudo nano /etc/nginx/conf.d/cas-rest-api.conf

    • Change port “443” to port “7443” (or whatever valid port number you prefer):

    ...

    • Press Ctrl+X, then “Y” to exit. Do not change the filename.

    • Remember the port - it’s imPORTant. You’ll use this elsewhere in CAS configuration.

    4. Expose the chosen port in UFW.

    Code Block
    sudo ufw allow 7443/tcp

    • Replace “7443” with whatever port you’ve chosen.

    ...

    .

    Example Certificate Authority: https://www.digicert.com/tls-ssl/compare-certificates

    For this example we’ll install certbot from Let’s Encrypt to do the work for us.

    1. Install the certbot SNAP:

    Code Block
    sudo snap install --classic certbot

    Add the binary to your path:

    Code Block
    sudo ln -s /snap/bin/certbot /usr/bin/certbot

    2. Install SSL/TLS

    Get your Certificate and Key from Let’s Encrypt, allowing it to modify your NGINX configuration to adhere to current SSL/TLS advised standards.

    a) Execute certbot:

    Code Block
    sudo certbot --nginx

    • Enter your email & agree to the terms (if offered).

    • When NGINX is properly configured, the “agent86” subdomain (in this example) will be automatically suggested (and the proper server block thus modified).

    • (warning) If the challenge fails, check your firewall and DNS records.

    ...

    b) Restart NGINX:

    Code Block
    sudo nginx -t && sudo systemctl restart nginx

    c) Test the automatic renewal:

    Code Block
    sudo certbot renew --dry-run

    ...

    You're done!

    Test your domain by navigating with your browser to: https://agent86.yourcasdomain.com:7443/extensions/lnurl/

    ...

    Make sure Apache isn't running (it will conflict with the install).

    Note

    Do not assume your an obfuscated subdomain is invisible. Your subdomains may be visible online! The key concept of obfuscation is to increase the hack difficulty and reduce predictability. If you want certainties - you’re out of luck in this business.

    Check your DNS visibility using these tools:

    ...