I have a guide that explains how to serve BTCPayServer running on umbrel at a domain using a Tailscale reverse proxy.
It works, but I am not a networking expert. Are there any recommended security settings for SSL in nginx beyond the configuration below?
The most helpful response (as determined by me) will get 10k sat. Additional helpful responses may also get some sats.
```nginx
server {
    listen 80;
    # Replace {btcpayserver.mydomain.com} with your domain
    server_name {btcpayserver.mydomain.com};

    # Let's Encrypt verification requests
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/lib/letsencrypt/;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Redirect everything else to https
    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    # "ssl" on the listen line already enables TLS; the separate "ssl on;"
    # directive is deprecated and was removed in nginx 1.25.1
    listen 443 ssl http2;
    # Replace {btcpayserver.mydomain.com} with your domain
    server_name {btcpayserver.mydomain.com};

    ssl_certificate /etc/letsencrypt/live/{btcpayserver.mydomain.com}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{btcpayserver.mydomain.com}/privkey.pem;

    # Disable SSL and old TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Use Diffie-Hellman (DH) key exchange parameters
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Proxy requests to BTCPayServer on Umbrel
    location / {
        # URL of BTCPay Server (proxy_pass needs the scheme)
        proxy_pass http://{umbrel-tailscale-ip}:{port};
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrades need HTTP/1.1 and a Connection header as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
reply
Thank you. That guide is great, but is for running the nginx server on the umbrel directly.
I am running the nginx server on a VPS which is using tailscale to connect to the umbrel remotely.
I am not clear on the security tradeoff this has and whether I need to adjust the nginx configuration as a result.
reply
OK, in this case take a look at the guides from @hakuna. He wrote them especially for Lnbits, but they are the same for BTCPay; you just have to change the app port. He wrote various ones, depending on the specific VPS use case. They are very good. https://github.com/TrezorHannes
I am sure they could help you find a solution. Good luck!
I am upvoting your post to get more visibility. It is a very interesting project and I would also like to know the final solution.
reply
I had a useful response on nostr from https://stacker.news/sethforprivacy note1j3hzfu2h72f363x6r6apzgsvz7wt3fdun5ch9kazd4leguzng3lsqu9u4q
Use this generator as your base (update nginx/SSL versions appropriately if you run into issues) and add in your custom well-known block in the first server block and your proxy_pass location block in the SSL server block: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&ocsp=false&guideline=5.6
Tipped you both 10k sats.
reply
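As an added example (not the original poster's config, and not taken from BTCPay's or Umbrel's own docs), here is what the intermediate profile from the linked generator looks like once the ACME block and the BTCPay proxy block from the opening post are merged into it. The domain placeholder, the `100.x.y.z` Tailscale address and port `3003` are assumptions; substitute your own.

```nginx
# Added example: Mozilla "intermediate" nginx profile (guideline 5.6, OCSP
# stapling left off as in the linked generator) plus the OP's ACME and
# BTCPay blocks. {btcpayserver.mydomain.com} and 100.x.y.z:3003 are assumed.

# WebSocket support: derive the upstream Connection header from the client's
# Upgrade header, so ordinary requests are not sent with "Connection: upgrade".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name {btcpayserver.mydomain.com};

    # Let's Encrypt HTTP-01 challenge must stay reachable over plain HTTP
    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/lib/letsencrypt/;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {btcpayserver.mydomain.com};

    ssl_certificate     /etc/letsencrypt/live/{btcpayserver.mydomain.com}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{btcpayserver.mydomain.com}/privkey.pem;

    # Session resumption via server-side cache; tickets are off because nginx
    # never rotates the ticket key, which would weaken forward secrecy
    ssl_session_timeout 1d;
    ssl_session_cache   shared:MozSSL:10m;
    ssl_session_tickets off;

    # DH parameters for the DHE suites. Mozilla recommends the standard
    # ffdhe2048 group: curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/certs/dhparam.pem
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # TLS 1.2 and 1.3 only, AEAD (GCM / ChaCha20) suites only, client picks order
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS for two years. Browsers will then refuse plain HTTP for this host,
    # so enable it only after HTTPS is confirmed working.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # TLS terminates here on the VPS; the hop to Umbrel is plain HTTP, but
        # it travels inside the Tailscale (WireGuard) tunnel, not the open net.
        proxy_pass http://100.x.y.z:3003;   # assumed Tailscale IP of Umbrel + BTCPay port
        proxy_http_version 1.1;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Compared with the opening post's config, the additions are the session cache with tickets disabled, an explicit AEAD-only cipher list, and HSTS; `ssl on;` is dropped because `listen 443 ssl` already enables TLS and the directive was removed in nginx 1.25.1. Check the file with `nginx -t` before reloading, and confirm the protocol restriction from outside with `openssl s_client -connect {btcpayserver.mydomain.com}:443 -tls1_1`, which should fail to handshake. On the VPS-versus-Umbrel question: this layout means the VPS holds the certificate's private key and sees every request in plaintext, so the VPS is fully trusted, while Tailscale only protects the VPS-to-Umbrel hop.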
Oh man, no need to tip me, I did nothing, just pointed you in the right direction. Thanks anyway.
reply
Thank you
The nginx settings used there, one or two of them, are similar to what I am using, although it is not immediately obvious what the impact of the differences is. I'll read the nginx docs.
reply