Open rcv11x opened 10 months ago
Please, me too. Can anyone help?
On Debian I used nginx as a reverse proxy.
After installing nginx I replaced the nginx config (copied from somewhere on the web):
```nginx
# Plain HTTP: redirect every request to HTTPS
server {
    listen 80;
    server_name wireguard-server.fritz.box;
    return 301 https://$host$request_uri;
}

server {
    # TLS is enabled on the listen directive; the old "ssl on;" form is
    # deprecated and rejected by current nginx releases
    listen 443 ssl;
    server_name wireguard-server.fritz.box;

    ssl_certificate /etc/ssl/private/wireguard-server.crt;
    ssl_certificate_key /etc/ssl/private/wireguard-server.key;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/private/dh2048.pem;

    # intermediate configuration. tweak to your needs.
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 and newer are offered
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    # Forward everything to wireguard-ui listening on loopback
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```
Maybe it is not the best configuration but "works for me".
You have to adapt the lines beginning with "server_name" to match your host name.
I used self-signed certificates. I created them (here: valid for 20 years) this way:

```bash
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/wireguard-server.key -out /etc/ssl/private/wireguard-server.crt
openssl dhparam -out /etc/ssl/private/dh2048.pem 2048
```

If wireguard-ui is running on the same host as the nginx server, you can change the start command to: `wireguard-ui -bind-address 127.0.0.1:5000`
The http-port (80) is also served but immediately redirected to https.
This is how I did it.
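An added example, not part of the comment above or of the wireguard-ui project: the `openssl req` step run without prompts and with a subjectAltName, which current browsers match against the host name instead of the CN, followed by two checks on the result. The function names, the output-directory argument and the reliance on `-addext`/`-ext` (OpenSSL 1.1.1 or newer) are assumptions.

```shell
#!/bin/sh
# Added example: function names, arguments and defaults are assumptions.

# make_selfsigned HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key and OUTDIR/HOST.crt without asking any questions.
make_selfsigned() {
    local host="$1" outdir="$2" days="${3:-7300}"   # 7300 days = the 20 years used above
    [ -n "$host" ] && [ -d "$outdir" ] || return 2
    (
        umask 077   # private key is created readable by its owner only
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
            -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host" \
            -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$outdir/$host.crt"   # the certificate itself is public
}

# cert_has_san CERT HOST
# Succeeds only if CERT lists HOST as a DNS subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2"
}

# key_matches_cert KEY CERT
# Succeeds only if the private key in KEY belongs to the certificate in CERT.
key_matches_cert() {
    local a b
    a=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    b=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Run `make_selfsigned wireguard-server.fritz.box /etc/ssl/private` as root, then both checks, before reloading nginx; clients still have to import the resulting `.crt` as trusted.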
A similar result is possible using Caddy.
Hello, I do not know if this is the right place to write this, but I have a question: how can I access the web over https instead of http? I do not plan to expose the web by opening ports; I just want https for local access.