🌐 Webhosting with NGINX + certbot
📦 Ports & Domains
"External" is the port published on the host (what the LAN and NGINX connect to); "Internal" is the port inside the container or VM. Postgres and MariaDB have no subdomain and are not proxied by NGINX. Note that a port a container publishes on 0.0.0.0 (as the NGINX Proxy row shows for port 80) is reachable from the LAN directly and is not filtered by ufw, so bind such ports to 127.0.0.1 unless LAN access is intended.
| Service | Subdomain | External | Internal |
|---|---|---|---|
| Postgres | | 5432 | 5432 |
| MariaDB | | 3306 | 3306 |
| MkDocs | docs.ligthart.cc | 8010 | 8000 |
| Nextcloud | cloud.ligthart.cc | 8020 | 80 |
| Homepage | homepage.ligthart.cc | 8030 | 3001 |
| Immich | immich.ligthart.cc | 8040 (machine learning: 8041) | 2283 (machine learning: 3003) |
| Keycloak | login.ligthart.cc | 8050 | 8443 |
| QBittorrent | qbittorrent.ligthart.cc | 8060 | - |
| Gitea | gitea.ligthart.cc | 8070 (HTTP) / 222 (SSH) | 3000 (HTTP) / 22 (SSH) |
| Pi-hole | dns.ligthart.cc | 8080 / 53 (tcp+udp) | 80 / 53 (tcp+udp) |
| NGINX Proxy | nginx.ligthart.cc | 8090 | 81 (0.0.0.0:80:80) |
| Termix | termix.ligthart.cc | 8100 | 8080 |
| Jellyfin | jellyfin.ligthart.cc | 8110 | 8096 |
| radarr | | 8111 | 7878 |
| sonarr | | 8112 | 8989 |
| prowlarr | | 8113 | 9696 |
| jellyseer | | 8114 | 5055 |
| Home Assistant | ha.ligthart.cc | 8123 | 8123 |
| gluetun | | 8130 | 8080 |
| Vaultwarden | | 8140 | 80 |
| Proton Mail Bridge | | 8150 (SMTP) / 8151 (IMAP) | 1025 (SMTP) / 1143 (IMAP) |
| Kitchenowl | | 8160 | 8080 |
| RClone GUI | | 8170 | 5572 |
| Planka | | 8180 | 1337 |
| Vikunja | | 8190 | 3456 |
| MinIO | | 8200 / 8201 | 9000 / 9001 |
| MeTube | | 8210 | 8081 |
| Monica | | 8220 | 80 |
| LocalAI | | 8230 | 8080 |
| wps | | | |
| Portainer | portainer.ligthart.cc | 9000 | 9000 |
🌐 Web Server Setup (NGINX)
- Installed NGINX from the system packages (APT).
- Systemd service enabled to run on boot:

  ```bash
  sudo systemctl enable nginx
  sudo systemctl start nginx
  ```

- Proxy address that VMs see from the host: 192.168.122.1 (currently only applies to HASS).
- NGINX configs are located in:
  - /etc/nginx/sites-available/
  - /etc/nginx/sites-enabled/
  - /etc/nginx/nginx.conf
- Created configs:
  - http-redirect: redirects HTTP to HTTPS and blocks direct IP access
  - ligthart: handles ligthart.cc and www.ligthart.cc with an empty 204 / 418 response
  - Applications: cloud (Nextcloud hosting), portainer (Portainer hosting), immich, homepage
NameCheap
- DynDNS not yet enabled
FritzBox
- Port forwarding for :80 and :443 configured
Making HASS reachable
Forward port 8123 from the HASS QEMU VM on virbr0 (192.168.122.111) to the host's eth0 interface. To keep ufw working and to be able to persist the iptables rules, a custom service was added: /etc/systemd/system/iptables-restore.service. At boot it loads /etc/iptables/rules.v4.
Commands run
- Enable forwarding (`sysctl -w` does not survive a reboot; to make it permanent, put `net.ipv4.ip_forward=1` in a file under /etc/sysctl.d/):

  ```bash
  sudo sysctl -w net.ipv4.ip_forward=1
  ```

- DNAT: traffic coming from the LAN to host:8123 goes to VM:8123:

  ```bash
  sudo iptables -t nat -A PREROUTING -i eth0 -p tcp -d 192.168.178.54 --dport 8123 -j DNAT --to-destination 192.168.122.111:8123
  ```

- Allow forwarding of that traffic:

  ```bash
  sudo iptables -A FORWARD -p tcp -d 192.168.122.111 --dport 8123 -j ACCEPT
  ```

- Masquerade the forwarded traffic so the VM's replies go back through the host. The VM therefore sees the host's virbr0 address (192.168.122.1) as the client address instead of the real LAN client, which is why HASS has to treat that address as its proxy:

  ```bash
  sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.122.111 --dport 8123 -j MASQUERADE
  ```

- Extra: make connections from the host itself to 192.168.178.54:8123 go to the VM too:

  ```bash
  sudo iptables -t nat -A OUTPUT -p tcp -d 192.168.178.54 --dport 8123 -j DNAT --to-destination 192.168.122.111:8123
  ```

TODO: migrate this to NGINX Proxy Manager.
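The four rules above are appended with `-A`, so running them a second time (by hand, or from a restore hook) leaves duplicate rules in the chains. The script below is an added example, not the page's own script: it checks each rule with `iptables -C` before appending it, takes the addresses from the page as defaults, and only touches the live ruleset when called with `apply`. The `IPT` variable (to point at a stub for a dry run), the `apply` argument and the `iptables-save` step are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own script: idempotent install of the
# HASS forwarding rules. Re-running it never appends a duplicate rule.
set -eu

HOST_IP="${HOST_IP:-192.168.178.54}"   # LAN address of the host (from the page)
VM_IP="${VM_IP:-192.168.122.111}"      # HASS VM on virbr0 (from the page)
LAN_IF="${LAN_IF:-eth0}"
PORT="${PORT:-8123}"
IPT="${IPT:-iptables}"                 # assumption: override with a stub to dry-run

# ensure_rule TABLE CHAIN RULE...
# Appends RULE to CHAIN only if `iptables -C` reports it is not there yet.
# Prints "present:" or "added:" so the caller can see what was done.
ensure_rule() {
  local table chain
  table="$1"
  chain="$2"
  shift 2
  if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
    echo "present: -t $table $chain $*"
  else
    "$IPT" -t "$table" -A "$chain" "$@"
    echo "added: -t $table $chain $*"
  fi
}

# The four rules from the page, parameterised on the addresses above.
install_hass_forwarding() {
  # LAN -> host:PORT is rewritten to VM:PORT
  ensure_rule nat PREROUTING -i "$LAN_IF" -p tcp -d "$HOST_IP" --dport "$PORT" \
    -j DNAT --to-destination "$VM_IP:$PORT"
  # let the rewritten packets cross from eth0 to virbr0
  ensure_rule filter FORWARD -p tcp -d "$VM_IP" --dport "$PORT" -j ACCEPT
  # source-NAT so the VM answers via the host (VM sees 192.168.122.1 as client)
  ensure_rule nat POSTROUTING -p tcp -d "$VM_IP" --dport "$PORT" -j MASQUERADE
  # connections from the host itself to HOST_IP:PORT also land on the VM
  ensure_rule nat OUTPUT -p tcp -d "$HOST_IP" --dport "$PORT" \
    -j DNAT --to-destination "$VM_IP:$PORT"
}

# Only with "apply" is the live ruleset changed (needs root).
if [ "${1:-}" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  install_hass_forwarding
  # persist for iptables-restore.service (path from the page)
  iptables-save > /etc/iptables/rules.v4
fi
```

Two things to check after applying: `iptables -L FORWARD -v -n` shows rule order, and libvirt inserts its own LIBVIRT_FWI/LIBVIRT_FWO chains at the top of FORWARD, so a REJECT there is evaluated before a rule appended with `-A`; and because of the MASQUERADE rule Home Assistant logs 192.168.122.1 for every client, so the real client address only survives if a reverse proxy in front sets X-Forwarded-For.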
🔐 HTTPS Certificates (Let's Encrypt)
- Used certbot for per-subdomain certificates:

  ```bash
  sudo apt install certbot python3-certbot-nginx
  sudo certbot --nginx -d subdomain.ligthart.cc
  ```

- Automatic renewal is handled by a systemd timer:

  ```bash
  sudo systemctl list-timers | grep certbot
  ```

- Cert files are stored in:
  /etc/letsencrypt/live/<subdomain>/
🔒 SSL Hardening
- Configured strong TLS settings via /etc/nginx/snippets/ssl-params.conf:

  ```nginx
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers '...';   # strong modern ciphers (list elided here)
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1h;
  ssl_dhparam /etc/ssl/certs/dhparam.pem;
  ```

- HSTS is enabled.
- Included in server blocks:

  ```nginx
  include snippets/ssl-params.conf;
  ```
🚫 Blocking Direct Access
- Automatic redirect from :80 to :443
- IP-based access (any request whose Host matches no named server block) is blocked with a catch-all server block:

  ```nginx
  server {
      listen 80 default_server;
      listen 443 ssl default_server;
      return 444;
  }
  ```

  Caveat: nginx still requires an ssl_certificate in the SSL default_server even though it never answers (`nginx -t` fails otherwise), and `return 444` only closes the connection after the TLS handshake, so a client hitting the bare IP still sees whichever certificate this block presents. On nginx 1.19.4 and newer, `ssl_reject_handshake on;` in this block aborts the handshake instead and presents no certificate at all.
⚙️ Common Management Commands
Adding a new domain
- Create a file in /etc/nginx/sites-available/ containing only the base configuration: a single server block, listening on port 80 only. certbot --nginx adds the 443 listener and the certificate lines to that block itself.
- Create the symlink, test the config and reload:

  ```bash
  sudo ln -s /etc/nginx/sites-available/<subdomain> /etc/nginx/sites-enabled/
  sudo nginx -t
  sudo systemctl reload nginx
  ```

- Run certbot:

  ```bash
  sudo certbot --nginx -d <subdomain>.ligthart.cc
  ```
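What such a base configuration looks like, as an added example rather than one of the page's own site files: a single port-80 server block that proxies to the host port from the ports table. The file name /etc/nginx/sites-available/docs and the choice of MkDocs (docs.ligthart.cc, host port 8010) are assumptions of this example; the proxy headers are the usual set a backend needs to know the original host, client address and scheme.

```nginx
# Added example (not the page's own config): /etc/nginx/sites-available/docs
# Base config before certbot: one server block, port 80 only.
server {
    listen 80;
    listen [::]:80;
    server_name docs.ligthart.cc;   # assumption: MkDocs from the ports table

    location / {
        # host port from the table; 127.0.0.1 so NGINX, not the LAN, is the entry point
        proxy_pass http://127.0.0.1:8010;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `certbot --nginx -d docs.ligthart.cc` the block gains `listen 443 ssl;`, the ssl_certificate/ssl_certificate_key lines and an `include /etc/letsencrypt/options-ssl-nginx.conf;` line, all marked "managed by Certbot". When adding `include snippets/ssl-params.conf;` to the 443 block afterwards, drop the certbot options include (or the overlapping directives) first: nginx rejects a second ssl_protocols or ssl_ciphers directive in the same block, and `nginx -t` will say so. Also check that the container publishes 8010 on 127.0.0.1 rather than 0.0.0.0; otherwise the backend stays reachable over plain HTTP on the LAN, bypassing the TLS and HSTS set up here.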
Certbot

```bash
sudo certbot certificates
sudo certbot renew --dry-run
```

NGINX

```bash
sudo nginx -t
sudo systemctl reload nginx
```