Problem
I ran across SecureBlue not too long ago and was interested in using it for the long run. To start, I wanted to try to set it up as a reverse proxy. This task would let me become familiar with it and document the entire setup process.
Because I am a GUI enjoyer, I opted to use SecureBlue desktop as my server software. I have deployed SecureBlue using Ignition/Butane, but was not too interested in using pure CLI for servers. I already use Debian desktop as my main server operating system, so I do not see an issue with SecureBlue desktop as the replacement candidate.
The main problem is that SecureBlue desktop is locked down and does not allow inbound SSH connections by default. I had to do some digging to allow SSH Server to run and accept connections. SecureBlue also mostly runs additional services via user-based homebrew, so I had to adjust to nginx and certbot quirks with that layout.
Solution
Configure SecureBlue to allow SSH Server connections, create firewall rules to allow ssh, http, and https traffic, and configure nginx and certbot from brew formulas.
Requirements
Operating System and Software
We will be using SecureBlue desktop. This guide assumes the operating system is installed and running.
SSHd is installed by default.
nginx and certbot need to be installed from brew
brew install nginx
brew install certbot
Note the nginx install path. It should follow something like
/home/linuxbrew/.linuxbrew/etc/nginx
Network Structure
This project assumes the host is in a DMZ and will forward traffic between WAN and an internal zone. This results in a highly-isolated network configuration which should only allow port 80/443 traffic from WAN in to the host. The host will then only be able to reach the internal zone via the specific host and port. The network firewall will be configured to only allow SSH connections from the management subnet to the host.
While I could spend time messing with SecureBlue’s firewall zones, we’ll leave it at the default FedoraWorkstation zone. I also won’t spend time detailing the firewall IP whitelisting for SSH here, but it will be a focus later on.
Installation
Enable SSH
To enable SSH, we need to unmask and allow the SSHd service to run
systemctl unmask sshd
systemctl enable sshd
SSHd by default does not have server keys generated at install. Running the service now would result in SSHd failing to start. Run as root and create server keys. We’ll try to avoid root as much as possible. I’ll include an exit command after root is no longer needed.
run0
ssh-keygen -A
exit
systemctl start sshd
Add Firewall Rules for SSH
The firewall will need to be edited to allow traffic to the SSH service. The first firewall command will identify the current firewall zone being used. The second command will target that zone for the service rule. Finally, the firewall will be reloaded to load the new rule.
run0
firewall-cmd --list-all
firewall-cmd --permanent --zone=FedoraWorkstation --add-service=ssh
firewall-cmd --reload
SSH should now be running and available locally.
Create Certbot Helper Alias
The Brew installation of certbot attempts to use the root-owned directories /etc, /var/lib, and /var/log, which it does not have write access to. Since we’re using it with the Brew installation of nginx, we can create a helper alias that points certbot at the equivalent /etc, /var/lib, and /var/log directories under the Brew prefix.
echo alias certbotbrew=\"certbot --config-dir /home/linuxbrew/.linuxbrew/etc/certbot --work-dir /home/linuxbrew/.linuxbrew/var/lib/ --logs-dir /home/linuxbrew/.linuxbrew/var/log/\" >> ~/.bashrc
source ~/.bashrc
Running this will still produce an “nginx not found” error, but at least gets the program itself working within the expected directories. Next we will point it to the webserver root /home/linuxbrew/.linuxbrew/etc/nginx
echo alias certbotnginx=\"certbot --config-dir /home/linuxbrew/.linuxbrew/etc/certbot --work-dir /home/linuxbrew/.linuxbrew/var/lib/ --logs-dir /home/linuxbrew/.linuxbrew/var/log/ --nginx-server-root /home/linuxbrew/.linuxbrew/etc/nginx\" >> ~/.bashrc
source ~/.bashrc
Running certbotnginx should now point to all the correct directories.
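The two aliases above hard-code the Brew prefix and silently depend on the directories existing. As an added example (not part of the original guide), the same thing as one POSIX shell function: the prefix comes from HOMEBREW_PREFIX or brew --prefix before falling back to the guide's path, the certbot config directory (which will hold live/<domain>/privkey.pem) is created mode 0700, and the CERTBOT variable is a hypothetical hook that defaults to the real certbot binary. cert_file is a small helper returning the path nginx should reference for a domain's chain or key, which is where certbot places them under --config-dir.

```shell
#!/usr/bin/env sh
# Added example, not from the original guide: a wrapper function replacing the
# certbotbrew/certbotnginx aliases. Assumptions: HOMEBREW_PREFIX or brew on
# PATH (else /home/linuxbrew/.linuxbrew), and CERTBOT as a hypothetical
# override of the certbot binary used only for testing.

# Resolve the Homebrew prefix instead of hard-coding it.
brew_prefix() {
    if [ -n "$HOMEBREW_PREFIX" ]; then
        echo "$HOMEBREW_PREFIX"
    elif command -v brew >/dev/null 2>&1; then
        brew --prefix
    else
        echo /home/linuxbrew/.linuxbrew
    fi
}

# Create certbot's directories up front. The config dir ends up holding
# private keys (live/<domain>/privkey.pem), so only the owner may enter it.
# $1 = prefix
ensure_certbot_dirs() {
    mkdir -p "$1/var/lib" "$1/var/log" "$1/etc/nginx" "$1/etc/certbot"
    chmod 700 "$1/etc/certbot"
}

# Path nginx should reference for a domain's chain or key, following
# certbot's live/<domain>/ layout under --config-dir.
# $1 = prefix, $2 = domain, $3 = fullchain.pem or privkey.pem
cert_file() {
    echo "$1/etc/certbot/live/$2/$3"
}

# Drop-in replacement for both aliases:
#   certbotbrew certonly --dns-cloudflare ... -d example.com
certbotbrew() {
    prefix="$(brew_prefix)"
    ensure_certbot_dirs "$prefix"
    "${CERTBOT:-certbot}" \
        --config-dir "$prefix/etc/certbot" \
        --work-dir "$prefix/var/lib" \
        --logs-dir "$prefix/var/log" \
        --nginx-server-root "$prefix/etc/nginx" \
        "$@"
}
```

Put the functions in ~/.bashrc in place of the two echo lines; because the flags are prepended, every certbot subcommand (certonly, renew, certificates) runs inside the Brew tree, and renew jobs never fall back to /etc/letsencrypt.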
Configure Firewall Rules For Nginx
Create rules that forward incoming HTTP and HTTPS traffic (ports 80 and 443) to 8080 and 8443. nginx can then bind those unprivileged ports and keep running without root privileges.
firewall-cmd --permanent --zone=FedoraWorkstation --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --permanent --zone=FedoraWorkstation --add-forward-port=port=443:proto=tcp:toport=8443
firewall-cmd --reload
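The three firewall-cmd lines above plus the earlier --add-service=ssh are the complete rule set the host needs, and re-running them on an already configured host prints warnings. As an added example (not part of the original guide), a small POSIX shell script that adds each rule only if the permanent config lacks it, reloads, and then verifies the runtime zone actually carries all of them. The FedoraWorkstation zone name is the guide's; FIREWALL_CMD is a hypothetical hook defaulting to the real firewall-cmd so the logic can be exercised without firewalld. On the host, run it under run0.

```shell
#!/usr/bin/env sh
# Added example, not from the original guide: idempotent application and
# verification of the guide's firewall rules. Assumptions: zone name
# FedoraWorkstation; FIREWALL_CMD is a hypothetical override (tests only).

ZONE="${ZONE:-FedoraWorkstation}"

fw() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# Add a permanent rule only when it is absent.
# $1 = rule kind (service | forward-port), $2 = its value.
add_rule_once() {
    if fw --permanent --zone="$ZONE" "--query-$1=$2" >/dev/null 2>&1; then
        echo "present: $1=$2"
    else
        fw --permanent --zone="$ZONE" "--add-$1=$2" >/dev/null
        echo "added: $1=$2"
    fi
}

# ssh for management, 80/443 forwarded to the unprivileged nginx ports.
apply_proxy_rules() {
    add_rule_once service ssh
    add_rule_once forward-port port=80:proto=tcp:toport=8080
    add_rule_once forward-port port=443:proto=tcp:toport=8443
    fw --reload >/dev/null
}

# Succeeds only if every rule is live in the runtime configuration (i.e.
# after --reload). Each missing rule is named on stderr.
verify_proxy_rules() {
    missing=0
    for spec in service=ssh \
                forward-port=port=80:proto=tcp:toport=8080 \
                forward-port=port=443:proto=tcp:toport=8443; do
        kind="${spec%%=*}"; value="${spec#*=}"
        if ! fw --zone="$ZONE" "--query-$kind=$value" >/dev/null 2>&1; then
            echo "missing: $kind=$value" >&2
            missing=1
        fi
    done
    return $missing
}
```

Checking the runtime zone after --reload, rather than trusting the --permanent writes, is the useful part: a permanent rule that never got reloaded looks fine in the config files but does nothing for the traffic.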
I set up a sites-available folder within /home/linuxbrew/.linuxbrew/etc/nginx so I can write configuration files without immediately importing them into etc/nginx/servers.
mkdir /home/linuxbrew/.linuxbrew/etc/nginx/sites-available
Create Certificates
Instructions for individual setup will deviate from here. I create my certificates from Cloudflare, so my commands will be more specific to my environment at this point.
With Cloudflare, the certbotbrew command is as follows:
certbotbrew certonly --dns-cloudflare --dns-cloudflare-credentials /home/linuxbrew/.linuxbrew/etc/nginx/certbot/cloudflare-credentials.conf --dns-cloudflare-propagation-seconds 30 -d ephemeralintel.com -d www.ephemeralintel.com
The certificates are then pointed to manually via the server configuration files within nginx.
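Pointing nginx at those certificates by hand means referencing certbot's live/<domain>/ directory under the Brew prefix, and the server block has to listen on 8080/8443 because that is where the firewall forwards 80/443. As an added example (not part of the original guide), a POSIX shell script that renders such a server block, writes it into the sites-available folder created above, and enables it with a symlink into servers/ (which the Brew nginx.conf includes). example.com, 10.0.0.5:8000 and the prefix argument are placeholders; port_in_redirect off is there because clients connect on 443 while nginx sees 8443, so any redirect nginx generates itself must not carry the internal port.

```shell
#!/usr/bin/env sh
# Added example, not from the original guide: generate and enable a
# reverse-proxy server block for the Brew nginx layout. Assumptions: the
# 80->8080 and 443->8443 forward rules are in place, nginx.conf includes
# servers/*, and domain/upstream/prefix are supplied by the caller.

# Print a server block to stdout.
# $1 = domain, $2 = upstream host:port, $3 = Homebrew prefix
render_site_conf() {
    domain="$1"; upstream="$2"; prefix="$3"
    cat <<EOF
# Plain HTTP arrives on 80 and is forwarded to 8080: only redirect to HTTPS.
server {
    listen 8080;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

server {
    listen 8443 ssl;
    server_name $domain www.$domain;

    # Issued by certbot with --config-dir $prefix/etc/certbot
    ssl_certificate     $prefix/etc/certbot/live/$domain/fullchain.pem;
    ssl_certificate_key $prefix/etc/certbot/live/$domain/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Clients connect on 443, not 8443; keep the internal port out of
    # redirects nginx generates on its own.
    port_in_redirect off;

    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host              \$host;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# Write the block to sites-available and enable it via a symlink in servers/.
# $1 = domain, $2 = upstream host:port, $3 = Homebrew prefix
install_site_conf() {
    domain="$1"; upstream="$2"; prefix="$3"
    avail="$prefix/etc/nginx/sites-available"
    enabled="$prefix/etc/nginx/servers"
    mkdir -p "$avail" "$enabled"
    render_site_conf "$domain" "$upstream" "$prefix" > "$avail/$domain.conf"
    ln -sf "$avail/$domain.conf" "$enabled/$domain.conf"
}

# Usage with placeholder values:
#   install_site_conf example.com 10.0.0.5:8000 /home/linuxbrew/.linuxbrew
#   nginx -t && brew services restart nginx
```

Run nginx -t after installing a block and before restarting the service; a typo in the certificate path fails the config test instead of taking the listener down.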
Run Nginx At Boot
Create and edit the file below. Replace all text in [brackets].
I will not be going over configuring nginx or the services it points to. I will only focus on setting up the operating system side of the service.
Once nginx is configured properly, the final step is to run and allow the service to run at boot.
Note:
There are better ways to enable separation of duties and further segment out the operating system. For now, we’ll focus on getting nginx up and running. Proper user separation can be done at a later date.
We’ll need to start the service, then enable lingering for the admin user so its user services start at boot without a login.
brew services start nginx
run0
loginctl enable-linger admin
exit
This should allow the service set up under the admin account to run. As stated before, better separation of duties can be created, but is not addressed at this time.
Finally, we need to check nginx status. If it is confirmed running, the last step is to reboot the system and ensure that the service runs at boot without any login.
brew services list
Functionality Testing
Point your DNS records at the host, or add an entry to /etc/hosts on another machine. Then browse to the hostname of the host running nginx. If successful, the web pages should load as expected.
Contributors
Edward Anguiano
Estimated Execution Time: 1 hour
Difficulty: Intermediate
- Basic firewall-cmd knowledge
- Basic homebrew knowledge
- Basic certbot knowledge
- Intermediate nginx knowledge
Target System: SecureBlue
- Project constructed using SecureBlue
- Project HAS been reproduced