Date: 2026-03-21
Author: Daniel Caron
OS version: Ubuntu 24.04 LTS Minimal
Role: DMZ reverse proxy (Nginx + Certbot + Cloudflare Tunnel)
VLAN: 70 (DMZ)
IP: 10.21.70.10
FQDN: whvu1010.home.carontech.net
whvu1010 is the entry point for all external traffic to the CaronTech services. It sits in the DMZ zone and provides:

- whvu1515 (internal proxy, Servers zone)
- cloudflared

Traffic flow: Internet → Cloudflare Tunnel → whvu1010:443 (Let's Encrypt) → whvu1515:443 (internal PKI)
| Type | Name | Value |
|---|---|---|
| A | whvu1010.home.carontech.net | 10.21.70.10 |
```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y nginx
sudo systemctl enable nginx
sudo systemctl start nginx
```
This vhost catches every HTTPS request whose Host/SNI matches no configured server_name and closes the connection without a response (444). Without it, Nginx would answer such requests with the first vhost it loaded, serving that site's certificate and content to arbitrary host names.
```bash
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
  -keyout /etc/ssl/private/dummy.key \
  -out /etc/ssl/certs/dummy.crt \
  -subj "/CN=dummy"
```
```bash
sudo nano /etc/nginx/sites-available/000-default-ssl
```

```nginx
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate /etc/ssl/certs/dummy.crt;
    ssl_certificate_key /etc/ssl/private/dummy.key;
    return 444;
}
```

```bash
sudo ln -s /etc/nginx/sites-available/000-default-ssl /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```
```bash
sudo apt install -y certbot python3-certbot-nginx python3-certbot-dns-cloudflare
mkdir -p /home/ubuntuadmin/.secrets
nano /home/ubuntuadmin/.secrets/cloudflare.ini
```

Contents:

```ini
dns_cloudflare_api_token = <token-api-cloudflare>
```

```bash
chmod 600 /home/ubuntuadmin/.secrets/cloudflare.ini
```
Note: the Cloudflare API token must have the Zone:DNS:Edit permission on the carontech.net zone.

Always use DNS-01 (not HTTP-01), because Cloudflare Tunnel intercepts port 80.
```bash
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials /home/ubuntuadmin/.secrets/cloudflare.ini \
  -d <domaine.carontech.net> \
  --agree-tos --no-eff-email --email [email protected]
```
| Domain | Path | Expiry |
|---|---|---|
| photos.carontech.net | /etc/letsencrypt/live/photos.carontech.net/ | 2026-05-24 |
| wiki.carontech.net | /etc/letsencrypt/live/wiki.carontech.net/ | 2026-06-19 |

Automatic renewal is configured by Certbot through a systemd timer.
So that Nginx trusts the internal PKI certificate presented by whvu1515 when proxying over HTTPS:

```bash
# From the Windows admin workstation: copy the intermediate CA certificate
scp -i C:\Users\danie\.ssh\id_ed25519_vmadmin [email protected]:/opt/pki/intermediate-ca/certs/intermediate-ca.crt C:\pki-temp\
scp -i C:\Users\danie\.ssh\id_ed25519_vmadmin C:\pki-temp\intermediate-ca.crt [email protected]:/tmp/

# On whvu1010
sudo cp /tmp/intermediate-ca.crt /usr/local/share/ca-certificates/carontech-intermediate-ca.crt
sudo update-ca-certificates
```

Expected result: `1 added`
```bash
sudo nano /etc/nginx/sites-available/photos.carontech.net
```

```nginx
# Force HTTP → HTTPS
server {
    listen 80;
    server_name photos.carontech.net;
    return 301 https://$host$request_uri;
}

# Serve Immich via HTTPS
server {
    listen 443 ssl;
    server_name photos.carontech.net;
    client_max_body_size 1G;
    ssl_certificate /etc/letsencrypt/live/photos.carontech.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photos.carontech.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass https://whvu1515.home.carontech.net:443;
        proxy_set_header Host photos.carontech.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

```bash
sudo ln -s /etc/nginx/sites-available/photos.carontech.net /etc/nginx/sites-enabled/
```
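Installing the intermediate CA with update-ca-certificates (above) does not by itself make Nginx check the whvu1515 certificate: proxy_pass to an HTTPS upstream skips verification unless proxy_ssl_verify is enabled. The following is an added example, not the runbook's own vhost, showing the photos.carontech.net HTTPS block with upstream verification turned on; it assumes the Ubuntu bundle path /etc/ssl/certs/ca-certificates.crt and that whvu1515's chain terminates at a CA present in that bundle.

```nginx
# Added example (not the original vhost): same proxy block as above,
# plus verification of the internal PKI certificate presented by whvu1515.
server {
    listen 443 ssl;
    server_name photos.carontech.net;
    client_max_body_size 1G;

    ssl_certificate /etc/letsencrypt/live/photos.carontech.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/photos.carontech.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass https://whvu1515.home.carontech.net:443;

        # Off by default in Nginx: without this the upstream certificate is
        # accepted unchecked, CA trust store or not.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # Bundle written by update-ca-certificates (assumed path). The
        # upstream chain must end at a CA contained in this file, or the
        # handshake fails with "upstream SSL certificate verify error".
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Send SNI and verify the certificate against the proxy host name,
        # not the public Host header forwarded below.
        proxy_ssl_server_name on;
        proxy_ssl_name whvu1515.home.carontech.net;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        proxy_set_header Host photos.carontech.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The same three proxy_ssl_* lines apply unchanged to the wiki.carontech.net vhost; after `sudo nginx -t && sudo systemctl reload nginx`, a failed verification shows up in /var/log/nginx/error.log as a 502 with an "upstream SSL certificate verify error" message.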
```bash
sudo nano /etc/nginx/sites-available/wiki.carontech.net
```

```nginx
# Force HTTP → HTTPS
server {
    listen 80;
    server_name wiki.carontech.net;
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

# Serve Wiki.JS via HTTPS
server {
    listen 443 ssl;
    server_name wiki.carontech.net;
    client_max_body_size 100M;
    ssl_certificate /etc/letsencrypt/live/wiki.carontech.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.carontech.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        proxy_pass https://whvu1515.home.carontech.net:443;
        proxy_set_header Host wiki.carontech.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

```bash
sudo ln -s /etc/nginx/sites-available/wiki.carontech.net /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```
The tunnel is managed from the Cloudflare dashboard (remotely managed); there is no local config.yml file.

```bash
# Add the Cloudflare repository
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/cloudflared $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/cloudflared.list
sudo apt update && sudo apt install -y cloudflared
sudo cloudflared service install <token-du-tunnel>
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
```

Note: the token is available in Cloudflare Zero Trust → Networks → Tunnels → your tunnel → Configure.
| Subdomain | Domain | Type | URL |
|---|---|---|---|
| photos | carontech.net | HTTPS | https://photos.carontech.net |
| wiki | carontech.net | HTTPS | https://wiki.carontech.net |
| Source | Destination | Port | Action |
|---|---|---|---|
| Internet (via Cloudflare) | whvu1010 (VLAN 70) | 443 | Allow |
| whvu1010 (VLAN 70) | whvu1515 (VLAN 60) | 443 | Allow |
```bash
# Nginx status
sudo systemctl status nginx

# Cloudflare Tunnel status
sudo systemctl status cloudflared

# Active certificates
sudo certbot certificates

# Test the proxy path to whvu1515
curl -v https://whvu1515.home.carontech.net -H "Host: wiki.carontech.net"
curl -v https://whvu1515.home.carontech.net -H "Host: photos.carontech.net"
```

See runbook: Adding a service on the proxy