jasonwitty
6e48c095ab
- Multi-architecture Docker image (ARM64 + AMD64) - Kubernetes manifests for 3-replica deployment - Traefik ingress configuration - NGINX Proxy Manager integration - ConfigMap-based configuration - Automated build and deployment scripts - Session monitoring tools
311 lines
8.4 KiB
Markdown
311 lines
8.4 KiB
Markdown
# NGINX Proxy Manager Configuration for Socktop WebTerm
|
|
|
|
This guide explains how to configure your external NGINX Proxy Manager to route traffic to your k3s Socktop WebTerm deployment.
|
|
|
|
## Overview
|
|
|
|
Since your ISP restricts incoming ports, you're using an external NGINX Proxy Manager to:
|
|
- Terminate SSL/TLS connections
|
|
- Route traffic on port 8080 to your k3s cluster
|
|
- Handle WebSocket upgrades for terminal connections
|
|
|
|
## Architecture
|
|
|
|
```
|
|
Internet (HTTPS:443)
|
|
↓
|
|
External NGINX Proxy Manager
|
|
↓ (SSL Termination)
|
|
k3s Traefik Ingress (HTTP:8080)
|
|
↓
|
|
Socktop WebTerm Service
|
|
↓
|
|
Pods (3 replicas)
|
|
```
|
|
|
|
## Prerequisites
|
|
|
|
- [ ] NGINX Proxy Manager installed and accessible
|
|
- [ ] SSL certificates ready (Let's Encrypt or custom)
|
|
- [ ] k3s cluster deployed with Socktop WebTerm
|
|
- [ ] Know your k3s node IP addresses
|
|
- [ ] DNS records pointing to your external NGINX Proxy Manager
|
|
|
|
## Configuration Steps
|
|
|
|
### Step 1: Get Your k3s Node IP
|
|
|
|
Find the IP address of any k3s node (Traefik runs on all nodes with k3s):
|
|
|
|
```bash
|
|
kubectl get nodes -o wide
|
|
```
|
|
|
|
Note any node's INTERNAL-IP (e.g., `192.168.1.101`).
|
|
|
|
### Step 2: Verify Traefik is Running
|
|
|
|
```bash
|
|
kubectl get svc -n kube-system traefik
|
|
```
|
|
|
|
You should see Traefik listening on port 80.
|
|
|
|
### Step 3: Create Proxy Host for socktop.io
|
|
|
|
In NGINX Proxy Manager web UI:
|
|
|
|
1. **Go to**: Proxy Hosts → Add Proxy Host
|
|
|
|
2. **Details Tab**:
|
|
- **Domain Names**: `socktop.io`
|
|
- **Scheme**: `http` (NOT https - SSL terminates at proxy)
|
|
- **Forward Hostname / IP**: `192.168.1.101` (your k3s node IP)
|
|
- **Forward Port**: `8080`
|
|
- **Cache Assets**: ☐ (unchecked)
|
|
- **Block Common Exploits**: ☑ (checked)
|
|
- **Websockets Support**: ☑ (IMPORTANT - check this!)
|
|
- **Access List**: None (or your preference)
|
|
|
|
3. **SSL Tab**:
|
|
- **SSL Certificate**: Select or create new Let's Encrypt certificate
|
|
- **Force SSL**: ☑ (checked)
|
|
- **HTTP/2 Support**: ☑ (checked)
|
|
- **HSTS Enabled**: ☑ (optional but recommended)
|
|
- **HSTS Subdomains**: ☐ (unless you want this)
|
|
|
|
4. **Advanced Tab** (optional but recommended):
|
|
```nginx
|
|
# Increase timeouts for long-running terminal connections
|
|
proxy_read_timeout 3600s;
|
|
proxy_send_timeout 3600s;
|
|
proxy_connect_timeout 60s;
|
|
|
|
# WebSocket upgrade headers (should be set automatically, but just in case)
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
# Pass through real client IP
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
```
|
|
|
|
5. Click **Save**
|
|
|
|
### Step 4: Create Proxy Host for www.socktop.io
|
|
|
|
Repeat Step 3 with:
|
|
- **Domain Names**: `www.socktop.io`
|
|
- All other settings identical
|
|
|
|
### Step 5: Create Proxy Host for origin.socktop.io
|
|
|
|
Repeat Step 3 with:
|
|
- **Domain Names**: `origin.socktop.io`
|
|
- All other settings identical
|
|
|
|
## Verify Configuration
|
|
|
|
### Test 1: Check HTTP Forward
|
|
|
|
From your local machine:
|
|
|
|
```bash
|
|
curl http://<k3s-node-ip>:8080 -H "Host: socktop.io"
|
|
```
|
|
|
|
Should return the webterm HTML page.
|
|
|
|
### Test 2: Check HTTPS via Proxy
|
|
|
|
```bash
|
|
curl -I https://socktop.io
|
|
```
|
|
|
|
Should return `200 OK` with SSL certificate.
|
|
|
|
### Test 3: Check WebSocket Support
|
|
|
|
In your browser's developer console (F12), check the Network tab when connecting to the terminal. You should see:
|
|
- WebSocket connection established
|
|
- Status: `101 Switching Protocols`
|
|
|
|
## Troubleshooting
|
|
|
|
### 502 Bad Gateway
|
|
|
|
**Cause**: NGINX Proxy Manager can't reach k3s
|
|
|
|
**Fix**:
|
|
- Verify k3s node IP is correct
|
|
- Check port 8080 is accessible: `curl http://<node-ip>:8080`
|
|
- Ensure firewall allows traffic from proxy to k3s
|
|
- Check Traefik is running: `kubectl get pods -n kube-system | grep traefik`
|
|
|
|
### SSL Certificate Error
|
|
|
|
**Cause**: SSL certificate not properly configured
|
|
|
|
**Fix**:
|
|
- Verify DNS points to NGINX Proxy Manager IP
|
|
- Wait for Let's Encrypt validation (can take a few minutes)
|
|
- Check NGINX Proxy Manager logs for certificate errors
|
|
|
|
### WebSocket Connection Fails
|
|
|
|
**Cause**: WebSocket support not enabled or timeouts too short
|
|
|
|
**Fix**:
|
|
- Enable "Websockets Support" checkbox in proxy host
|
|
- Add custom nginx configuration with longer timeouts (see Step 3, Advanced tab)
|
|
- Check browser console for specific WebSocket errors
|
|
|
|
### Terminal Disconnects After 60 Seconds
|
|
|
|
**Cause**: Default proxy timeouts are too short
|
|
|
|
**Fix**: Add to Advanced tab in proxy host:
|
|
```nginx
|
|
proxy_read_timeout 3600s;
|
|
proxy_send_timeout 3600s;
|
|
```
|
|
|
|
### Can Access HTTP but not HTTPS
|
|
|
|
**Cause**: DNS records still point to old IP or wrong IP
|
|
|
|
**Fix**:
|
|
- Verify DNS with: `nslookup socktop.io`
|
|
- Should return your external NGINX Proxy Manager IP
|
|
- Wait for DNS propagation (up to 24 hours, usually minutes)
|
|
|
|
## Load Balancing (Optional)
|
|
|
|
If you want to load balance across multiple k3s nodes:
|
|
|
|
### Option 1: Use Multiple Upstream Servers in Advanced Config
|
|
|
|
```nginx
|
|
# Add to Advanced tab
|
|
upstream k3s_backend {
|
|
server 192.168.1.101:8080;
|
|
server 192.168.1.102:8080;
|
|
server 192.168.1.104:8080;
|
|
}
|
|
|
|
# Then change proxy_pass to use upstream
|
|
proxy_pass http://k3s_backend;
|
|
```
|
|
|
|
### Option 2: Use k3s LoadBalancer Service
|
|
|
|
Change the Service type in `04-service.yaml` to `LoadBalancer` and use the assigned external IP.
|
|
|
|
## Security Best Practices
|
|
|
|
1. **Enable Force SSL**: Always redirect HTTP to HTTPS
|
|
2. **Enable HSTS**: Tells browsers to always use HTTPS
|
|
3. **Enable Block Common Exploits**: Provides basic protection
|
|
4. **Add Access List**: Restrict by IP if possible
|
|
5. **Use Strong SSL**: Enable HTTP/2, disable old TLS versions
|
|
6. **Keep Timeouts Reasonable**: 3600s (1 hour) for terminal sessions
|
|
|
|
## Example Complete Advanced Configuration
|
|
|
|
For best results, use this in the Advanced tab:
|
|
|
|
```nginx
|
|
# Timeouts for long-running connections
|
|
proxy_read_timeout 3600s;
|
|
proxy_send_timeout 3600s;
|
|
proxy_connect_timeout 60s;
|
|
keepalive_timeout 3600s;
|
|
|
|
# WebSocket support
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
# Pass through client information
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
|
|
# Buffering (disable for WebSockets)
|
|
proxy_buffering off;
|
|
|
|
# Security headers
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
```
|
|
|
|
## Testing Checklist
|
|
|
|
After configuration, verify:
|
|
|
|
- [ ] Can access https://socktop.io and see login/terminal page
|
|
- [ ] Can access https://www.socktop.io (same result)
|
|
- [ ] Can access https://origin.socktop.io (same result)
|
|
- [ ] SSL certificate shows as valid (no browser warnings)
|
|
- [ ] Terminal connections work and stay connected
|
|
- [ ] WebSocket shows as connected in browser dev tools
|
|
- [ ] Can switch between different profiles
|
|
- [ ] Terminal sessions survive page refresh (with session affinity)
|
|
|
|
## Monitoring
|
|
|
|
### Check NGINX Proxy Manager Logs
|
|
|
|
In NGINX Proxy Manager UI:
|
|
- Go to proxy host → Click on host → View logs
|
|
|
|
### Check k3s Side
|
|
|
|
```bash
|
|
# Check ingress
|
|
kubectl get ingress socktop-webterm
|
|
|
|
# Check service endpoints
|
|
kubectl get endpoints socktop-webterm
|
|
|
|
# Check pod logs
|
|
kubectl logs -l app=socktop-webterm -f
|
|
```
|
|
|
|
## Common Traffic Flow Issues
|
|
|
|
| Symptom | Likely Cause | Check |
|
|
|---------|--------------|-------|
|
|
| 404 Not Found | Traefik routing issue | `kubectl describe ingress socktop-webterm` |
|
|
| 502 Bad Gateway | Can't reach k3s | Firewall, k3s node IP, port 8080 |
|
|
| 503 Service Unavailable | Pods not ready | `kubectl get pods -l app=socktop-webterm` |
|
|
| SSL Error | Certificate issue | NGINX Proxy Manager SSL tab |
|
|
| WebSocket fails | WS not enabled | Enable WebSocket support checkbox |
|
|
|
|
## Summary
|
|
|
|
Your complete setup should be:
|
|
|
|
1. **DNS**: socktop.io → Your external IP (NGINX Proxy Manager)
|
|
2. **NGINX Proxy Manager**:
|
|
- Listens on 443 (HTTPS)
|
|
- Terminates SSL
|
|
- Forwards to k3s-node:8080 (HTTP)
|
|
- WebSocket support enabled
|
|
3. **k3s Traefik**:
|
|
- Receives HTTP on port 8080
|
|
- Routes to socktop-webterm service
|
|
4. **Service**:
|
|
- Routes to healthy pods
|
|
- Session affinity enabled
|
|
5. **Pods**:
|
|
- 3 replicas running webterm
|
|
- Host network for Pi access
|
|
|
|
All working? You should now have a secure, load-balanced terminal interface! 🎉 |