Categories
Network Sophos Web

Set up Sophos UTM WAF with Let's Encrypt

This is a requested one, so I will only sum up the important bits. The integrated web application firewall is very powerful. It allows you to host several web applications behind one public IP. Both HTTP and HTTPS are available, and with the latter you can use the built-in Let's Encrypt (LE) integration. Try out this fast how-to to get started.

If you plan to use Let’s Encrypt, start by going to Certificate Management, Advanced, and tick Allow.

Allow Let’s Encrypt certificates

Next, create a certificate under Certificates.

Add Certificate
Name: Name of your certificate.
Method: Let's Encrypt
Interface: The interface the Let's Encrypt validation servers should connect to (WAN). Validation has to reach the UTM from the Internet on this interface.
Domains: This can be one or several domains, the certificate can be used on multiple virtual webservers.

Go to Web Application Firewall, Real Webservers, and create a new server.

New Real Webserver
Name: Can be anything you want.
Host: Where your actual web server is.
Type: Whether the traffic between the WAF and the backend is encrypted. Plain HTTP is fine here when the backend sits on your internal network; TLS is terminated at the WAF, and we set that up next.
Port: Port of your web service on the specified host.
Advanced: Leave default.

Save.

Go to Virtual Webserver and create new.

New Virtual Webserver
Name: Can be anything you want.
Interface: Where the traffic comes from (WAN).
Type: How you want the traffic to hit your WAF. Encrypted and redirect will redirect http to https.
Port: What you want to expose from the Internet.
Certificate: Your created certificate.
Domains: Check only the domains you want to associate with this web server.
Real Webserver: The real web server created earlier.
Firewall profile: Advanced features for a later time.
Theme: If you use Firewall profiles.
Advanced: Pass host header may be required by some web servers.

Save.

At this point you can enable both servers and reach your web application over HTTPS using the domain(s) you configured.

Categories
Network Software Web Windows

Update FreeDNS with PowerShell and Task Scheduler

After my long-loved Raspberry Pi died I needed a new way to update a dynamic DNS. I recently discovered the Invoke-WebRequest cmdlet that lets you send an HTTP(S) request and parse pretty much whatever you get in return. My use for this is to keep a site-to-site VPN to my lab up and running.

# Change $LogPath to the desired log location and $Uri to your Direct or Token URL from FreeDNS.
# The token URL is the only credential FreeDNS checks, so keep the script file private.
$LogPath = "C:\Scripts\Update-FreeDNS.log"
$Uri = "http://sync.afraid.org/u/your_token/"

# No need to change this. -UseBasicParsing avoids the Internet Explorer parsing engine,
# which is not available to a non-interactive scheduled task on Windows PowerShell 5.1.
Add-Content -Path $LogPath -Value "$(Get-Date) $((Invoke-WebRequest -Uri $Uri -UseBasicParsing).Content)"

Your log file will look something like this:

11/13/2019 18:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update
11/13/2019 19:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update
11/13/2019 20:00:03 No IP change detected for your.dyn.dns with IP 28.100.14.108, skipping update

Save the script somewhere that makes sense, for example C:\Scripts\Update-FreeDNS.ps1.

  • Open Task Scheduler, select Task Scheduler Library on the left and click Create Task on the right
  • Name your task “Update-FreeDNS” or something else descriptive
  • You have to check “Run whether user is logged on or not”; this stores your credentials in the task, so if you do not want your credentials saved, create a dedicated user for the task and select that one
  • On the Triggers tab you can create a schedule that suits your needs. I use every hour, but this is totally up to you
  • Under Actions click New and paste the following
Program/script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add arguments: "C:\Scripts\Update-FreeDNS.ps1"
  • At this point you are finished with the necessities, but feel free to click around to see if you need any more options
  • Click OK and you will be asked for your password
  • Run the task on demand and check the result in the log file
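The same setup done entirely from PowerShell, as an added example that is not part of the original post: it writes a slightly more robust Update-FreeDNS.ps1 (error handling, timestamp, -UseBasicParsing) and registers the hourly task with the ScheduledTasks cmdlets instead of the GUI. The script path, task name and token URL are assumptions; replace "your_token" with the token from your FreeDNS account. It also shows the S4U logon type, which gives "Run whether user is logged on or not" without storing the account password in the task store.

```powershell
# Added example, not the post's own script: installs Update-FreeDNS.ps1 and
# registers the hourly task from PowerShell. Paths, task name and the token
# URL are assumptions. Run once from an elevated PowerShell prompt.

$ScriptPath = "C:\Scripts\Update-FreeDNS.ps1"
$TaskName   = "Update-FreeDNS"

# Single-quoted here-string: nothing inside is expanded, so the script keeps
# its own $LogPath/$Uri variables. The token URL is the only credential FreeDNS
# checks, so keep this file readable by the task account only.
$ScriptBody = @'
$LogPath = "C:\Scripts\Update-FreeDNS.log"
$Uri     = "http://sync.afraid.org/u/your_token/"   # use the https form if your account page offers one

try {
    # -UseBasicParsing avoids the Internet Explorer parsing engine, which is
    # not available to a non-interactive scheduled task on Windows PowerShell 5.1
    $Response = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 30
    $Message  = $Response.Content.Trim()
}
catch {
    # Log failures instead of silently writing an empty line
    $Message = "ERROR: $($_.Exception.Message)"
}
Add-Content -Path $LogPath -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message"
'@

New-Item -ItemType Directory -Path (Split-Path -Parent $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $ScriptBody -Encoding UTF8

# What the GUI calls "Program/script" and "Add arguments"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Start now and repeat every hour; without -RepetitionDuration the repetition
# is indefinite on Windows 10 / Server 2016 and later
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)

# S4U = "Run whether user is logged on or not" WITHOUT storing the password.
# An S4U task cannot reach network shares, which this script does not need.
$Principal = New-ScheduledTaskPrincipal -UserId "$env:USERDOMAIN\$env:USERNAME" `
    -LogonType S4U -RunLevel Limited

# Catch up a missed run after sleep/reboot, and kill a hung request
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Same check as the last bullet above: run it on demand and read the log
Start-ScheduledTask -TaskName $TaskName
Start-Sleep -Seconds 5
Get-Content -Path (Join-Path (Split-Path -Parent $ScriptPath) "Update-FreeDNS.log") -Tail 1
```

If you prefer the GUI route with a dedicated account, swap the principal for `-LogonType Password` and pass `-User`/`-Password` to Register-ScheduledTask instead of `-Principal`; the S4U variant is the one to pick when the task only needs outbound HTTP, since nothing reusable is left in the task store.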

As always, ask if anything is unclear.

Categories
Software Ubuntu Web

Install Nginx Proxy Manager (npm)

As I myself struggled to solve this, I shall help others.

Nginx Proxy Manager is a genius and powerful GUI for managing Nginx. It helps you create proxy hosts, redirects and certificates, and lets you control these options very smoothly.

I started with a plain install of Ubuntu Server 18.04 LTS and selected Docker during the install. The following commands will bring all the software up to date and clean up afterwards.

sudo -s
apt update
apt upgrade
reboot
sudo -s
apt autoremove

Then it is time for NPM.

sudo -s
mkdir npm
cd npm

At this point I know you can clone/pull from Git, but I was eager to run this tool with the knowledge I had in the fastest possible way. With that, I used the example files and got going.

touch config.json
touch docker-compose.yml

Your npm folder should now look like this.

root@docker:~/npm# ls
config.json docker-compose.yml

Edit these settings to your liking (the database passwords below are placeholders; at minimum change them, and keep config.json and docker-compose.yml in sync) and paste them in accordingly.

config.json

{
  "database": {
    "engine": "mysql",
    "host": "db",
    "name": "npm",
    "user": "npm",
    "password": "npm",
    "port": 3306
  }
}

docker-compose.yml

version: "3"
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    restart: always
    ports:
      - 80:80
      # 81 is the admin UI; expose it only where you can reach it, not to the whole Internet
      - 81:81
      - 443:443
    volumes:
      - ./config.json:/app/config/production.json
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    depends_on:
      - db
    environment:
      # if you want pretty colors in your docker logs:
      - FORCE_COLOR=1
  db:
    image: mariadb:latest
    restart: always
    environment:
      # change these; MYSQL_USER/MYSQL_PASSWORD must match "user"/"password" in config.json
      MYSQL_ROOT_PASSWORD: "npm"
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      MYSQL_PASSWORD: "npm"
    volumes:
      - ./data/mysql:/var/lib/mysql

While still in the directory, run docker-compose to pull the images and start the containers in the background.

docker-compose up -d

After a minute or two you should have a fully working manager for Nginx. Find the login page at http://ip.or.name:81.

The default admin login is
un: admin@example.com
pw: changeme

Change this password (and the e-mail) right after the first login, before the port is reachable by anyone else.

Please go read more at the developer's site – https://github.com/jc21/nginx-proxy-manager – all credit goes to him.