Versions Compared

Old Version 60

changes.mady.by.user Charles Wernicke

Saved on

compared with

New Version Current

changes.mady.by.user Charles Wernicke

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning

We encourage you to consult with an IT professional to minimize security risks.

...

Overview

This API implements SSL/TLS using a self-signed certificate. These types of certificates cannot be authenticated by web browsers - and are therefore unverified and thus: unusable. A proxy server (on the same host) can override that “self-signed” limitation and present the REST API to the Internet with a different, valid certificate that can be seamlessly authenticated by any browser.

Port 7743 exposes the CAS REST API. Exposing that port The REST API is natively exposed by CAS on port 7743. Exposing the REST API to the world (when necessary) in this manner will enable the CAS REST API it to be authenticated as a service originating from a genuine, verified site (origin). Port 7743 is a non-standard port. After a successful installation here, NGINX will certify the REST API content using verifiable credentials on the standard port 443. The REST API can then be validated online, and the “self-signed certificate” restrictions will be disregarded. You’ll be “legit”.

...

...

bgColor#E3FCEF

...

Expose HTTP and HTTPS in UFW

Both of the following approaches (AUTOMATED or MANUAL) require you to open ports 80 and 443 in UFW for HTTP and HTTPS access. This must be done before proceeding.

This command opens both at the same time:

Code Block
sudo ufw allow "Nginx Full"

...

Panel
bgColor#E3FCEF

AUTOMATED INSTALLATION

The CAS CLI tool batm-manage includes an automated script to install NGINX and Let’s Encrypt:

...

.

To start the installation, use:

Code Block
sudo /batm/batm-manage install-reverse-proxy

...

Note

Prerequisites before using install-reverse-proxy:

  1. Open port 80 (HTTP) in UFW to enable the Let’s Encrypt certbot domain-control-check, andopen .

    1. See: Configuring Server Firewalls

  2. Open port 443 in UFW to expose/enable HTTPS.

    1. See: Configuring Server Firewalls

  3. You must own and control a valid DNS domain,

    1. for example, agent86.yourcasdomain.com must resolve (to your CAS public IP).

    2. See below: Create an “A” record

    3. The script will fail if you cannot supply a valid DNS domain. If the script fails for this reason, then:

      1. add the domain (e.g. agent86.yourcasdomain.com) to your DNS records, and

      2. run sudo certbot --nginx to try again.

  4. The /batm/config/hostname file must point to that valid domain to be used.

    1. See: https://generalbytes.atlassian.net/wiki/x/CICpz

    2. The script will fail if this file is missing. If the file is missing:

      1. create the file (with the correct contents),

      2. restart CAS, and

      3. run install-reverse-proxy again.

  5. Disable version reporting in NGINX to improve security:

    1. Edit the file: /etc/nginx/nginx.conf

    2. Find the line: # server_tokens off;

    3. Delete the leading hashtag “#" (only the hashtag) to disable version reporting.

    4. Test the configuration and restart NGINX: sudo nginx -t && sudo systemctl reload nginx

...

Testing

...

Enter one of the following testing URLs into a browser.

Examples (replace “agent86.yourcasdomain.com" with your actual domain):

  • Veriff example: https://agent86.yourcasdomain.com/server/serverapi/apiv1/identity-check/veriffwh/

  • lnurl example: https://agent86.yourcasdomain.com/server/extensions/lnurl/

When properly configured, either URL should connect to their respective REST API

...

without errors.

Example of testing success in Chrome:

...

Panel
bgColor#FFF0B3

MANUAL

INSTRUCTIONS

INSTALLATION:

These instructions are provided for finer control over your installation, modification of the installation, and troubleshooting. The automated instructions are recommended for most situations.

...

  • Replace "yourcasdomain.com" with your registered (and active) domain name.

  • The subdomain “agent86” can be replaced with any text - and will be justified in the next steps.RFC 952 compliant text.

  • Modify the example master service bound IP “10.3.2.1" as needed.

    • This example presents a typical case and 10.3.2.1 is usually correct.

    • Port 7743 always remains the same.

  • Press CTRL-X to save the file and exit (leave the filename unchanged).

This server block ADDS another possible port exposure to the world. The default configuration already exposes port 80 (HTTP), and this additional server block adds port 443 (HTTPS) to the list. It isn’t secure yet (that comes next) - when we use Let’s Encrypt to do the heavy lifting.

3. Verify the NGINX configuration and test it.

...

  • Use your actual CAS IP for the IPv4 address (“12.34.56.78” in the graphic), and

  • use an obscure name (e.g. “agent86”). Your customers will see this name, and it should be unique.

  • Disable any proxy for this entry (e.g. on Cloudflare).

  • in this example, the FQDN would be: agent86.yourcasdomain.com

Note

If you use the a Cloudflare tunnel, do not conflict this DNS entry may conflict with the tunnel name. In that case, see the notes at the bottom of this article:

  • Using a Cloudflare certificate and key

    • choose a different name

    You do not need to use both NGINX and the cloudflared tunnel (they serve the same purpose) anyway.

    ...

    Get your Certificate and Key from Let’s Encrypt, allowing it to modify your NGINX configuration to adhere to current SSL/TLS advised standards.

    a) Temporarily disable your firewall:

    Expose port 80 (HTTP) to the world while running certbot. The simplest way to do this:

    Code Block
    sudo ufw disable

    ...

    a) Execute certbot:

    Code Block
    sudo certbot --nginx

    • Enter your email & agree to the terms (if offered).

    • When NGINX is properly configured, the “agent86” subdomain (in this example) will be automatically suggested (and the proper server block thus modified).

    • (warning) If the challenge fails, check your firewall and DNS records.

    ...

    ...

    b) Restart NGINX:

    Code Block
    sudo nginx -t && sudo systemctl restart nginx

    d) Test the automatic renewal:

    Code Block
    sudo certbot renew --dry-run

    ...

    e) Re-enable UFW to secure your server.

    Code Block
    sudo ufw enable

    3. Changing the exposed port.

    If using Veriff, skip this step. Veriff does not support custom ports.

    • Veriff requires the standard HTTPS port 443 to be exposed.

    • Adjust all tests & parameters accordingly, examples:

      • Lightning URL: https://agent86.yourcasdomain.com/extensions/lnurl/

    The certbot routine will automatically set your exposed port to 443. That’s a normal HTTPS port - but it’s predictable. Change the port to a random number between 1024 - 49151 to make your server more difficult to recognize & attack. We’ll use 7443 in this example.

    Modify the port number in the NGINX server block:

    Code Block
    sudo nano /etc/nginx/conf.d/cas-rest-api.conf

    • Change port “443” to port “7443” (or whatever valid port number you prefer):

    ...

    • Press Ctrl+X, then “Y” to exit. Do not change the filename.

    • Remember the port - it’s imPORTant. You’ll use this elsewhere in CAS configuration.

    ...

     nginx

    c) Test the automatic renewal:

    Code Block
    sudo ufwcertbot allow 7443/tcp

    • Replace “7443” with whatever port you’ve chosen.

    ...

    renew --dry-run

    ...

    You're done!

    Test your domain by navigating with your browser toconfiguration as identified above: https://agent86generalbytes.yourcasdomain.com:7443/extensions/lnurl/

    • Replace “agent86.yourcasdomain.com” with your actual domain, and

    • replace “7443” with your chosen port.

    Perfect:

    ...

    Save and remember the URL for use in configuring atlassian.net/wiki/spaces/ESD/pages/2942631937/NGINX+as+a+Proxy+Server#Testing

    • All CAS services that rely upon the REST API may use the same sub+domain.

    ...

    Additional notes:

    Make sure Apache isn't running (it will conflict with the install).

    Note

    Do not assume your an obfuscated subdomain is invisible. Your subdomains may be visible online! The key concept of obfuscation is to increase the hack difficulty and reduce predictability. If you want certainties - you’re out of luck in this business.

    Check your DNS visibility using these tools:

    ...