How to connect a second server (encrypted) to the Internet?

Hi Guys, I am struggling with an issue to connect a second server to the internet, of course protected with LetsEncrypt. In the attached drawing below you find my situation drawn out:
Internet Situation Drawing
At my webhoster I have a domain pointing with the A-Record to my NextCloud server. The server is running Apache2. This works fine with an A+ rating.

Also I have a Raspberry Pi 4 B running Domoticz. I have set this open to the internet but then, as this was not encrypted, miscreants discovered the passwords of both the protection of Domoticz as well as the Tuya interface that I am controlling from Domoticz. A bit stupid of me, sure!

Now I have created a second domain which I intend to use for the Domoticz server. I have seen that it must be possible to use a trick that is called reverse proxy. This requires a second configuration file, possibly on the NextCloud server. This seems to make it possible to route the second domain that I set up through port 8080 to get to the Domoticz server. Then it could be possible to install LetsEncrypt on the Domoticz server to protect it.

I am worried about the safety of the NextCloud server as you can understand. Are there other options and if not, how to make this work? Thanks for your hints and tips.

Hi @NextCees ,

Assuming that site1 and site2 have the same external IP address, you need an additional server with reverse proxy. I call it reverseProxyServer.

So you port forward to the reverseProxyServer, where you have the Let's Encrypt certificate for both site1 and site2. From there you proxy to server1 and server2, probably with a private certificate.
That is my setup at least.

EDIT:
As @devnull mentioned in the following post: Yes, you must have a CNAME record in the DNS configuration, otherwise it won't work.


@NextCees @florom
Yes, you must set up a reverse proxy to manage two 80/443 ports behind one 80/443 port.

Also you can, or perhaps must, use a CNAME instead of an A-record. Search DNS configurations for CNAME.

You probably already have apache2 or nginx on both Server 1 and Server 2.
I would:

  1. Configure router port forwarding to Server 1 only.
  2. Update the configuration of e.g. apache2 on Server 1 with a new VirtualHost:

```apache
# Needs mod_ssl, mod_proxy and mod_proxy_http enabled (a2enmod ssl proxy proxy_http)
<VirtualHost X.X.X.100:443>
    ServerName www.site1.st1

    # YOUR REGULAR NEXTCLOUD OR OTHER CONFIG
</VirtualHost>

<VirtualHost X.X.X.100:443>
    ServerName www.site2.st2

    # Reverse proxy only, never a forward (open) proxy
    ProxyRequests Off
    AllowEncodedSlashes NoDecode

    # Pass the original Host header on to Server 2
    ProxyPreserveHost On

    # Proxy all other requests to /
    ProxyPass "/" http://X.X.X.110:80/ retry=0 timeout=5
    ProxyPassReverse "/" http://X.X.X.110:80/

    # Add TLS
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.site2.st2/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.site2.st2/privkey.pem
</VirtualHost>
```

  3. Reload apache2 and test access via Server 1 to Server 2.

As others pointed out, the solution would be a so-called reverse proxy, which is the first entity accepting all the requests from the internet and routing them to the respective back-end system. Maybe you find the drawing in this post useful.

Until relevant for you, just take two Nextcloud instances into account and ignore coturn, collabora and pihole.

Everyone has their own opinion on this but I feel the safest and most flexible approach is to use an NGINX reverse proxy virtual machine to direct traffic to individual VMs. I’ve been using this server architecture for many years and once you are comfortable with NGINX it is very efficient.

Personally I have one static IP for all of my domains and subdomains and use an NGINX reverse proxy to feed traffic to three large Nextcloud VMs (LAMP), two CRM VMs (LAMP) and a handful of WordPress website VMs. The original setup is somewhat complicated but the trade-off is greater security, load balancing and VM isolation.

Hi @mainland , @NextCees ,

I use an open-source firewall with reverse proxy functionality on physical hardware to do that (https://www.ipfire.org/). It is also the entry point in my network.

I would not recommend using a virtual machine as entry point into the network. After all, there is a lot of malware out there and once there is an entry point it gets probed immediately. I agree that for a reverse proxy nginx does (imho) the best job.
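An nginx equivalent of the Apache reverse-proxy setup posted earlier in this thread, as an added example that is not from any post here: TLS for both hostnames ends on the proxy, www.site2.st2 is forwarded to the Domoticz host (assumed X.X.X.110:8080, the port mentioned in the question), www.site1.st1 is forwarded to the Nextcloud host (assumed X.X.X.100:443), and a TLS request to the bare IP or an unknown hostname gets no session at all, so the Domoticz login is never reachable by address scanning.

```nginx
# Added example, not from any post in this thread. Assumed addresses:
# Nextcloud on X.X.X.100:443 and Domoticz on X.X.X.110:8080; certbot on this host.

# Plain HTTP: answer the ACME challenge, redirect everything else to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    location /.well-known/acme-challenge/ { root /var/www/html; }
    location / { return 301 https://$host$request_uri; }
}

# Bare IP or unknown hostname: no TLS session at all (nginx >= 1.19.4)
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# Site 1: Nextcloud, forwarded over HTTPS to its own host
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.site1.st1;
    ssl_certificate     /etc/letsencrypt/live/www.site1.st1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.site1.st1/privkey.pem;
    client_max_body_size 0;   # large Nextcloud uploads
    location / {
        proxy_pass https://X.X.X.100:443;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Site 2: Domoticz, reachable from the internet only through this proxy
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.site2.st2;
    ssl_certificate     /etc/letsencrypt/live/www.site2.st2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.site2.st2/privkey.pem;
    location / {
        proxy_pass         http://X.X.X.110:8080;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 5s;
    }
}
```

With this in place the router forwards only 80 and 443 to the proxy, and the Domoticz host keeps port 8080 open to the LAN alone.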

Many thanks for all your thoughts about this subject. My provider has offered me dual-stack IPv6. This opens new possibilities to handle this issue. I will be able to give my Domoticz Raspberry a separate gate to the internet without interfering with the NextCloud server.

My current router has proven to be insecure. I have ordered a replacement with firewall and all to use IPv6, hopefully securely. It will take a while before I comment further on this issue. Many thanks again.

Note that many internet connections, especially from mobile providers, still only offer IPv4. This means that your server cannot be reached from such a connection if it is connected to the internet via IPv6 only.

That’s a valid comment! Did not think about that. Will check this because my use is to see what happens at home through my mobile. Use will be personal.