SSL/TLS Offloading: Optimizing Security Infrastructure

Written by ddeuterio | Published 2023/11/14
Tech Story Tags: tls | ssl | proxy | bash | docker-compose | tls-vs-ssl | ssl-certificate | virtual-environments

TL;DR: TLS offloading is a technique where the task of handling encryption at the transport level is centralized to one point of your network (single or HA, it does not matter) to relieve the backend servers from encryption tasks and setup. This concept eases the setup of encryption at the transport layer because you only need to configure it in one place instead of several.

Motivation

When setting up a virtualized environment for a home lab, I encountered the following problems:

  • Certificate management is a pain and can become dirty in a matter of seconds.
  • I do not want to have client-server communication via unencrypted channels using HTTP.

Preparing your environment

Everything in this post was developed using the following tools:

  • Windows 11
  • Docker Desktop
  • PyCharm CE
  • Diagrams.net


TLS offloading

TLS offloading is a technique where the task of handling encryption at the transport level is centralized to one point of your network (single, HA it does not matter) to relieve the backend server from encryption tasks and setups.

From my point of view, this concept eases the setup for encryption at the transport layer because you just need to set it up in one single point instead of several.


In my scenario, TLS offloading gives me the following:

  • I just need to set up TLS for the proxy.
  • Only one server will expose the desired ports.

Implementation

I will be using docker-compose to build and create my docker images because I will have several services running and it eases my work.

Phase 1. Certificates

I want to use a valid certificate provided by a trusted CA so that I am not in charge of manually creating the certificates and later having to add the CA certificate to each device I work with.

The tools I chose to go with are certbot [1] and Let's Encrypt [2]. I want a wildcard certificate because I will have several servers in the backend.

I learned that Google Domains [3] does not have an official certbot plugin, and renewing wildcard certificates with certbot was not as easy as it looked at first sight. Looking through Google's help, I found a community plugin [4] that gives me what I need: a way to automatically renew wildcard certificates.

I wanted only the proxy to carry the certificate renewal tasks, so I started a container from the debian:stable-slim image, installed certbot with the community plugin, and created my certificate there.

It is important that the dns_google_domains_credentials.ini file exists, is populated, and sits in the directory referenced by the --dns-google-domains-credentials option below; the plugin's documentation describes its contents.

# Start an interactive shell in the container; everything that follows runs inside it.
docker run -it -v '<LOCAL_MOUNT>:/var/lib/letsencrypt' -v '<LOCAL_MOUNT>:/etc/letsencrypt' debian:stable-slim bash
apt update
apt install python3 python3-venv libaugeas0 snapd -y
# Install certbot and the community Google Domains plugin in their own venv.
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot certbot-nginx certbot-dns-google-domains
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
# Request the wildcard certificate using the DNS-01 challenge through the plugin.
certbot certonly \
--authenticator 'dns-google-domains' \
--dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' \
--server 'https://acme-v02.api.letsencrypt.org/directory' \
--non-interactive \
--dns-google-domains-zone '<YOUR_DOMAIN>' \
-d '<YOUR_WILDCARD_NAME>' \
--agree-tos \
--email '<YOUR_EMAIL>'
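The following script is an added example and not code from the original post. It wraps the certbot run above in shell functions and adds the two things I would want around it: a permissions check on the plugin credentials file (it holds a token that can edit DNS records for the whole zone, so it must be readable by its owner only), and the renewal step, which reuses the authenticator settings certbot saved under /etc/letsencrypt/renewal/ at issuance time. It also requests the apex name together with the wildcard, since a `*.zone` certificate does not cover the bare zone. The ZONE and EMAIL variables, the function names and the CLI modes are my assumptions; certbot is assumed to be installed as in the steps above.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): issuance and renewal helpers
# around the certbot command shown in Phase 1.
# Assumed, not from the post: ZONE, EMAIL, the function names, and that
# certbot plus certbot-dns-google-domains are already installed.

LE_WORK_DIR="${LE_WORK_DIR:-/var/lib/letsencrypt}"
CREDS_FILE="${CREDS_FILE:-$LE_WORK_DIR/dns_google_domains_credentials.ini}"

# Returns 0 if the credentials file exists and only its owner can read it,
# 1 if it is missing, 2 if any group or other read bit is set.
check_credentials() {
    f="$1"
    [ -f "$f" ] || return 1
    # Positions 5 and 8 of the ls mode string are the group/other read bits.
    perm="$(ls -ld "$f" | cut -c1-10)"
    case "$perm" in
        ????r*|???????r*) return 2 ;;
    esac
    return 0
}

# Builds the issuance command as one string so it can be reviewed or logged
# before it runs. Requests the apex name together with the wildcard, because
# a '*.zone' certificate does not cover the bare zone itself.
issue_command() {
    zone="$1"; email="$2"
    printf '%s' "certbot certonly \
--authenticator dns-google-domains \
--dns-google-domains-credentials '$CREDS_FILE' \
--dns-google-domains-zone '$zone' \
--server https://acme-v02.api.letsencrypt.org/directory \
--non-interactive --agree-tos --email '$email' \
-d '$zone' -d '*.$zone'"
}

# Refuses to run certbot with a missing or over-permissive credentials file.
issue_certificate() {
    check_credentials "$CREDS_FILE" || {
        echo "credentials file missing or too permissive: $CREDS_FILE" >&2
        return 1
    }
    eval "$(issue_command "$ZONE" "$EMAIL")"
}

# Renewal needs none of the plugin flags again: certbot replays the ones it
# stored at issuance. The deploy hook runs only when a certificate was
# actually replaced, so nginx reloads the new files without a restart.
# Run 'certbot renew --dry-run' first to confirm the saved settings work.
renew_certificates() {
    certbot renew --deploy-hook 'nginx -s reload'
}

# Usage (assumed CLI modes): sh certs.sh issue  |  sh certs.sh renew
if [ "${1:-}" = "issue" ]; then
    issue_certificate
elif [ "${1:-}" = "renew" ]; then
    renew_certificates
fi
```

The permission check deliberately runs before certbot is invoked rather than after: the token in that file grants write access to the whole DNS zone, which is exactly what an attacker needs to pass DNS-01 validation for the same domain, so leaving it group- or world-readable inside the proxy container undoes the benefit of centralizing TLS there.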

Phase 2. Proxy

I wanted to combine nginx and certbot, so I created my own docker image that runs those two services.

You can find it here: https://hub.docker.com/r/ddeuterio/proxy_element0

Once I have my image and my certificates, I just need to create my compose.yml file, exposing the ports I want and mounting the volumes for the certificates. I created my own nginx.conf file with the configuration I needed and mounted it read-only (ro).
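As an added example, not the post's own nginx.conf or compose.yml, the script below writes the two Phase 2 files: an nginx.conf that terminates TLS for every backend with the Phase 1 wildcard certificate, and a compose.yml that publishes ports on the proxy only, with the backend reachable solely over the compose-internal network. It then lints the nginx.conf for the settings that matter once the proxy is the single TLS endpoint (a TLS listener with certificate and key, no legacy protocol versions, a redirect from plain HTTP, and HSTS). The domain, a backend service named app on port 8080, the backend image name, the OUT_DIR and LE_DIR paths, and the assumption that the post's image reads /etc/nginx/nginx.conf are all mine.

```shell
#!/usr/bin/env sh
# Added example (not the post's own files): generates nginx.conf and
# compose.yml for TLS offloading at the proxy, then lints the nginx.conf.
# Assumed, not from the post: DOMAIN, a backend service "app" on port 8080,
# the image name my-backend:latest, OUT_DIR/LE_DIR, and that the proxy
# image reads /etc/nginx/nginx.conf.

OUT_DIR="${OUT_DIR:-./proxy}"
LE_DIR="${LE_DIR:-./letsencrypt}"   # host copy of /etc/letsencrypt from Phase 1
DOMAIN="${DOMAIN:-example.com}"     # certbot names the lineage after the first -d

write_nginx_conf() {
    mkdir -p "$OUT_DIR"
    cat > "$OUT_DIR/nginx.conf" <<EOF
events {}
http {
    # Backends are reached over plain HTTP on the compose-internal network;
    # that traffic never leaves the host.
    upstream app_backend { server app:8080; }

    # Port 80 exists only to send clients to HTTPS.
    server {
        listen 80;
        server_name $DOMAIN *.$DOMAIN;
        return 301 https://\$host\$request_uri;
    }

    # TLS terminates here with the Phase 1 wildcard certificate.
    server {
        listen 443 ssl;
        server_name $DOMAIN *.$DOMAIN;
        ssl_certificate     /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
        ssl_protocols TLSv1.2 TLSv1.3;
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            proxy_pass http://app_backend;
            proxy_set_header Host \$host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        }
    }
}
EOF
}

write_compose() {
    mkdir -p "$OUT_DIR"
    cat > "$OUT_DIR/compose.yml" <<EOF
services:
  proxy:
    image: ddeuterio/proxy_element0          # the post's nginx + certbot image
    ports:                                   # the only published ports
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - $LE_DIR:/etc/letsencrypt             # read-write so certbot can renew
  app:
    image: my-backend:latest                 # assumed backend image
    expose:                                  # visible to the proxy only
      - "8080"
EOF
}

# Checks an nginx.conf for the properties that make TLS offloading safe.
# Prints each failure and returns non-zero if any check fails.
lint_nginx_conf() {
    f="$1"; rc=0
    grep -q 'listen 443 ssl' "$f"            || { echo "no TLS listener"; rc=1; }
    grep -q 'ssl_certificate ' "$f"          || { echo "missing ssl_certificate"; rc=1; }
    grep -q 'ssl_certificate_key' "$f"       || { echo "missing ssl_certificate_key"; rc=1; }
    grep -q 'return 301 https://' "$f"       || { echo "no HTTP to HTTPS redirect"; rc=1; }
    grep -q 'Strict-Transport-Security' "$f" || { echo "no HSTS header"; rc=1; }
    # SSLv2/3, TLS 1.0 and TLS 1.1 have no place on the single public endpoint.
    if grep -E 'ssl_protocols[^;]*(SSLv[23]|TLSv1[ ;]|TLSv1\.1)' "$f" >/dev/null; then
        echo "legacy SSL/TLS version enabled"; rc=1
    fi
    return $rc
}

# Usage (assumed CLI mode): DOMAIN=home.example sh proxy_files.sh generate
if [ "${1:-}" = "generate" ]; then
    write_nginx_conf && write_compose && lint_nginx_conf "$OUT_DIR/nginx.conf"
fi
```

The lint is worth keeping next to the generator because the nginx.conf is mounted read-only and edited by hand over time: it catches the two regressions that quietly reintroduce the problem TLS offloading was meant to solve, a backend port accidentally published alongside a weakened ssl_protocols line, or a removed redirect that lets clients keep talking plain HTTP to port 80.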

You can see all examples and code under my repositories:

References

[1] https://certbot.eff.org/

[2] https://letsencrypt.org/

[3] https://domains.google/

[4] https://github.com/aaomidi/certbot-dns-google-domains



Published by HackerNoon on 2023/11/14