Hello.
I am planning to move some of my windows VM functions to use as docker containers.
I currently have setup a larger test environment in a VM cluster, all with windows VMs for seperate functions. One windows IIS reverse proxy with certifytheweb, one ftp server and several Webservers all as IIS, and some VMs which must remain as is on Windows VMs. This is a bit oversized and i plan to move as much on a quite strong Qnap with Quadcore and 32Gb of ram as docker containers. My plan ist to use swag with certbot, fail2ban and the geo blocking funktions and move ftp server, webservers like wordpress and others onto this qnap as containers.
Main question: Is there a preferred way to export the certbot certs and make them available for the windows machines? There is no AD on this test network. Mainly the Windows machines simply need the certs copied as crt and key into subdirs and the service restarted, which can be done with windows scheduled tasks.
The idea i have at the moment as newbie is to setup syncthing for distribution and on the qnap an rsync cronjob to grab all the certs once a week. This might work.
But is there a better way? Does swag have any configurable export functions, other than the ones for the linked containers?
Thanks,
Peter
I don’t know IIS but why would you need https in the IIS configuration? If swag is running you can configure proxy configs for your webservers (and others) to point directly to your VMs? which then run through Https…
For example /config/nginx/proxy_confs/webserver1.subdomain.conf
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name <subdomainNameForWebserver.* (or domainname)>;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app <here ip of your webserver-VM in your network>;
set $upstream_port <here port of service of the webserver-VM>;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
(where you would have to change the parts in the <…>.)
Thanks for your explanation.
Maybe i explained it a bit wrong. The servers which must remain Windows are not pure IIS websites running on port 80/443.
Those are for example anitivirus endpoint management suites or complex software deployment suites which cover many ports that are directly routed. That software wants to see the certificate actively installed inside their software.
Thanks, Peter