fofanov.dmitry/configure_nginx_manager
1
0
Fork 0
Code Actions Releases Activity

Добавлено подробное руководство по тестированию SSL-сертификатов и скрипты автоматизации.
Some checks failed
Sync from Gitea / sync (push) Has been cancelled
Details

Browse Source 
- Добавлено подробное руководство по тестированию SSL-сертификатов с использованием самоподписанных сертификатов.
- Добавлены инструкции по созданию тестовых сертификатов с помощью Makefile, Python и Bash-скриптов.
- Добавлены сравнение методов и подробные инструкции по настройке, проверке и использованию в Nginx.
- Задокументированы этапы перехода от тестовых сертификатов к рабочим.
- Создано руководство по получению сертификатов Let's Encrypt с DNS-запросом для провайдера reg.ru.
- Разработано подробное руководство по настройке использования глобального SSL-сертификата в Nginx Proxy Manager.
- Предоставлены инструкции по созданию и обновлению wildcard-сертификатов в Nginx Proxy Manager.
- Добавлены скрипты автоматизации для создания и обновления SSL-сертификатов с помощью API reg.ru.
- Реализованы Git-хуки для Gitea для синхронизации изменений с GitHub после отправки.
- Улучшено логирование и обработка ошибок в Git-хуках для улучшения мониторинга и устранения неполадок.
This commit is contained in:
Dmitriy Fofanov
2025-10-27 22:18:32 +03:00
parent be00fb7193
commit 2f89d9e169
18 changed files with 3234 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
docs/Add_Lets_Encrypt_Certificate_for_regru_Provider_EN.md Normal file
View File

@@ -0,0 +1,56 @@
# Guide to Creating Let's Encrypt Certificate with DNS Challenge for reg.ru Provider in Nginx Proxy Manager
---
## Prerequisites
- Access to Nginx Proxy Manager (NPM)
- Access to reg.ru account with DNS management permissions
- API key for DNS management in reg.ru (if automatic integration is available)
- Need to obtain certificate for `*.dfv24.com` (wildcard certificate)
---
## Step 1. Getting API Key for reg.ru
1. Log in to reg.ru control panel
2. Navigate to API management section (if supported)
3. Create or find API key with DNS records editing permissions
4. Save API key and secret (Client ID and API Token)
---
## Step 2. Configuring Nginx Proxy Manager to Use DNS Challenge reg.ru
1. In NPM admin panel, go to **SSL Certificates → Add SSL Certificate**
2. Select **Let's Encrypt** -> **DNS Challenge**
3. In **Provider** field, select `reg_ru` or `custom` (if provider not available, script will be needed)
4. Fill in API fields with required parameters:
- Client ID
- API Token
5. In **Domain Names** field, specify:
`*.dfv24.com` (for wildcard certificate)
and main domain `dfv24.com`
6. Enable other options (Terms of Service, Email)
7. Click **Save** to request certificate
8. NPM will automatically add DNS TXT records for domain ownership verification through reg.ru API
---
## Step 3. Verification and Automatic Renewal
- After successful certificate creation, NPM will automatically renew it through DNS Challenge.
- For successful renewal, it's important that API key remains valid and NPM has access to DNS management.
---
## If NPM Doesn't Have Ready Integration with reg.ru
- Use external script to update DNS TXT records in reg.ru, configured in NPM through **Custom DNS Provider**.
- Configure curl requests to reg.ru API for adding/removing TXT records.
---
# Summary
For Let's Encrypt wildcard certificates with reg.ru, DNS Challenge must be used with provider's API for automatic DNS record management.
In Nginx Proxy Manager, configure DNS Challenge considering reg.ru specifics for seamless certificate obtaining and renewal.

79
docs/Nginx_Manager_SSL_Configuration_EN.md Normal file
View File

@@ -0,0 +1,79 @@
# Detailed Guide to Configuring Nginx Proxy Manager with One Global SSL Certificate for All dfv24.com Domains
## Prerequisites
- [Nginx Proxy Manager](http://192.168.10.14:81/) is installed and running
- Main domain: dfv24.com
- Domain hosting and DNS records are on reg.ru
- Need to use one SSL certificate (e.g., wildcard) for all dfv24.com subdomains
---
## Step 1. Purchasing and Obtaining SSL Wildcard Certificate for dfv24.com
1. On reg.ru or any other Certificate Authority (CA), order wildcard certificate for domain `*.dfv24.com`.
2. Obtain certificate files:
- Main certificate (CRT)
- Intermediate certificates (CA Bundle)
- Private key (KEY)
---
## Step 2. Importing Your SSL Certificate to Nginx Proxy Manager
1. Log in to Nginx Proxy Manager at http://192.168.10.14:81/
2. Go to **SSL Certificates** section → **Add SSL Certificate** button
3. Select **Custom** (custom certificate)
4. Paste into fields:
- **Certificate** — main CRT + CA Bundle (if CA Bundle is separate, concatenate into one file or paste sequentially)
- **Key** — private key content
- Name certificate, e.g., `dfv24_wildcard`
5. Save
---
## Step 3. Configuring Proxy Hosts Using Global Certificate
1. Go to **Proxy Hosts****Add Proxy Host**
2. Fill in fields:
- **Domain Names**: For example, `sub1.dfv24.com` (for first subdomain)
- **Scheme**: http or https, depending on backend
- **Forward Hostname / IP**: IP or DNS address of your internal service
- **Forward Port**: service port (e.g., 80 or 443)
3. Enable **SSL** → Check **Use a shared SSL certificate** (if such option is available) or select previously imported certificate from list
4. Activate: **Block Common Exploits**, **Websockets Support**, set Redirect HTTP to HTTPS if required
5. Save proxy host
6. Repeat for all subdomains, specifying needed domains and selecting same wildcard SSL certificate
---
## Step 4. Configuring DNS Records on reg.ru
1. Log in to domain management panel on reg.ru
2. Create or edit DNS A records:
- `dfv24.com` → IP of your Nginx Proxy Manager (e.g., 192.168.10.14)
- `*.dfv24.com` → same IP or specific subdomains if there are special ones
3. Save changes
4. Wait for DNS update (from few minutes to 24 hours)
---
## Step 5. Testing and Verification
1. In browser, open any subdomain `https://sub1.dfv24.com`
2. Certificate should be valid, issued for wildcard `*.dfv24.com`
3. Check proxy functionality and correct certificate assignment
4. If necessary, check Nginx Proxy Manager logs and fix errors
---
## Additional Information
- If Nginx Proxy Manager doesn't have GUI option to select shared certificate, you can manually configure configs through `/data/nginx/proxy_host` directory and specify SSL certificate for all hosts.
- When updating certificate — re-import it to Nginx Proxy Manager.
- You can use Let's Encrypt for automatic wildcard certificate obtaining using DNS validation (if supported by your DNS provider).
---
# Summary
Use one wildcard certificate for all subdomains, import it as custom certificate in Nginx Proxy Manager, when creating proxy hosts select it in SSL settings. Manage DNS records on reg.ru, directing domain to Nginx Proxy Manager IP.
This allows legitimate use of single certificate for all services with different subdomains under your dfv24.com domain.

86
docs/SSL_Certificate_Creation_and_Renewal_EN.md Normal file
View File

@@ -0,0 +1,86 @@
# Guide to Creating Wildcard Certificate *.dfv24.com in Nginx Proxy Manager and Configuring Automatic SSL Renewal
---
## Step 1. Preparation
- Ensure Nginx Proxy Manager (NPM) is installed and accessible at http://192.168.10.14:81/
- You have access to DNS records for dfv24.com domain in reg.ru control panel or another registrar
---
## Step 2. Creating Wildcard SSL Certificate in Nginx Proxy Manager
1. Log in to Nginx Proxy Manager admin panel at http://192.168.10.14:81/
2. Navigate to **SSL Certificates** → click **Add SSL Certificate** button
3. Select **Let's Encrypt**
4. Fill in the fields:
- **Domain Names:**
Enter `*.dfv24.com` — for wildcard certificate
Also recommended to add main domain `dfv24.com` (comma-separated or in new field)
- **Email Address:**
Specify your Email for Let's Encrypt notifications (required)
- **HTTP Challenge:**
Leave HTTP verification if NPM is accessible from internet on ports 80 and 443, or configure DNS Challenge if supported by your DNS
5. Check "Agree to the Let's Encrypt Terms of Service"
6. Click **Save**
- NPM will begin certificate obtaining process with domain verification.
- Upon successful certificate request, you'll see new certificate in the list.
---
## Step 3. Configuring Automatic Renewal
- Nginx Proxy Manager automatically handles Let's Encrypt certificate renewal.
- For this, server must be accessible from internet on ports 80 and 443, and DNS records must correctly point to your server.
- NPM periodically (usually 30 days before expiration) requests certificate renewal.
- When using DNS Challenge, NPM must have DNS provider integration configured (if supported).
---
## Step 4. Using Wildcard Certificate in Proxy Hosts
1. Go to **Proxy Hosts** → Create or edit proxy entry
2. In **Domain Names** field, specify needed subdomain from dfv24.com, for example:
`api.dfv24.com` or `www.dfv24.com`
3. In **SSL** section, select your wildcard certificate `*.dfv24.com` that you obtained in Step 2
4. Enable options:
- Use SSL
- Force SSL
- HSTS (if needed)
5. Save changes.
---
## Step 5. Verification
1. Verify that all subdomains use the same certificate
2. Visit https://api.dfv24.com or other subdomains from browser
3. Ensure certificate is valid, not expired, and issued for *.dfv24.com
4. Check certificate renewal status in SSL Certificates section
---
## Additional Information
- If Let's Encrypt cannot perform HTTP Challenge due to closed port, configure DNS Challenge (may require DNS provider API key)
- For security and notifications, keep Email up to date
- Check Nginx Proxy Manager logs to identify renewal errors
---
# Summary
Nginx Proxy Manager allows easy obtaining and automatic renewal of wildcard SSL certificates for *.dfv24.com domain using Let's Encrypt.
Main requirements — properly configured DNS records and internet access on HTTP/HTTPS ports.
Then use one global certificate for all your subdomains through Proxy Hosts settings.

250
docs/SSL_SCRIPTS_README_EN.md Normal file
View File

@@ -0,0 +1,250 @@
# SSL Certificate Automation Scripts
**Author:** Фофанов Дмитрий
## 📖 Overview
This project contains scripts for automating the creation and renewal of Let's Encrypt SSL certificates using DNS-01 Challenge via the reg.ru API.
## 🎯 Quick Start
### Linux (Bash)
```bash
# 1. Install dependencies
sudo apt-get install certbot jq
# 2. Configure credentials
nano ~/.regru_credentials
# Add:
# export REGRU_USERNAME="your_login"
# export REGRU_PASSWORD="your_password"
# 3. Set permissions
chmod 600 ~/.regru_credentials
# 4. Run the script
./letsencrypt_regru.sh \
-d "*.dfv24.com" \
-e "dfofanov@dfv24.com"
```
### Linux (Python)
```bash
# 1. Install dependencies
pip install requests dnspython certbot
# 2. Configure
cp config.example.yml config.yml
nano config.yml
# 3. Run
python letsencrypt_regru.py
# 4. Setup auto-renewal (cron)
crontab -e
# Add:
# 0 3 * * 1 /usr/bin/python3 /path/to/letsencrypt_regru.py
```
### Windows (PowerShell)
```powershell
# 1. Run as Administrator
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# 2. Configure credentials
$env:REGRU_USERNAME = "your_login"
$env:REGRU_PASSWORD = "your_password"
# 3. Run
.\letsencrypt_regru.ps1 `
-Domain "*.dfv24.com" `
-Email "dfofanov@dfv24.com"
# 4. Setup auto-renewal (Task Scheduler)
# Import-Module .\ScheduledTask.psm1
# Create-CertRenewalTask
```
## ⚙️ Configuration
### Bash Script (`letsencrypt_regru.sh`)
```bash
#!/bin/bash
# Required parameters
DOMAIN="*.dfv24.com" # Your domain
EMAIL="dfofanov@dfv24.com" # Contact email
REGRU_USERNAME="your_login" # reg.ru login
REGRU_PASSWORD="your_password" # reg.ru password
# Optional parameters
DNS_PROPAGATION_WAIT=60 # Wait time for DNS propagation (seconds)
LOG_FILE="/var/log/letsencrypt_regru.log"
WEBSERVER="nginx" # nginx or apache2
```
### Python Script (`letsencrypt_regru.py`)
Create `config.yml`:
```yaml
# reg.ru credentials
regru:
username: "your_login"
password: "your_password"
# Certificate settings
certificate:
domain: "*.dfv24.com"
email: "dfofanov@dfv24.com"
dns_propagation_wait: 60
# Logging
logging:
file: "/var/log/letsencrypt_regru.log"
level: "INFO"
# Web server
webserver:
type: "nginx" # nginx, apache2, or null
reload_command: "systemctl reload nginx"
```
### PowerShell Script (`letsencrypt_regru.ps1`)
```powershell
# Configuration
$Config = @{
Domain = "*.dfv24.com"
Email = "dfofanov@dfv24.com"
RegRuUsername = $env:REGRU_USERNAME
RegRuPassword = $env:REGRU_PASSWORD
DnsPropagationWait = 60
LogFile = ".\letsencrypt_regru.log"
}
```
## 📋 Requirements
### Bash Script
- **certbot** - Let's Encrypt client
- **jq** - JSON processor
- **curl** - HTTP requests
- **dig** (optional) - DNS queries
### Python Script
- **Python 3.6+**
- **requests** - HTTP library
- **dnspython** - DNS operations
- **certbot** - Let's Encrypt client
- **PyYAML** - YAML configuration
### PowerShell Script
- **PowerShell 5.1+** or **PowerShell Core 7+**
- **certbot** (via Chocolatey or manual installation)
## 🔄 Automatic Renewal
### Linux (cron)
```bash
# Edit crontab
crontab -e
# Add (runs every Monday at 3 AM):
0 3 * * 1 /path/to/letsencrypt_regru.sh >> /var/log/cert_renewal.log 2>&1
# Or for Python:
0 3 * * 1 /usr/bin/python3 /path/to/letsencrypt_regru.py
```
### Windows (Task Scheduler)
```powershell
# Create scheduled task
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
-Argument "-File C:\path\to\letsencrypt_regru.ps1"
$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 3am
Register-ScheduledTask -TaskName "SSL Certificate Renewal" `
-Action $Action -Trigger $Trigger -RunLevel Highest
```
## ✨ Features
✅ Automatic DNS validation via reg.ru API
✅ Certificate expiration check
✅ Automatic renewal before expiration
✅ Web server reload after renewal
✅ Detailed logging of all operations
## 🔧 Using with Nginx Proxy Manager
After obtaining the certificate:
1. Log in to NPM: http://192.168.10.14:81/
2. SSL Certificates → Add SSL Certificate → Custom
3. Paste the content:
- Certificate Key: `/etc/letsencrypt/live/domain.com/privkey.pem`
- Certificate: `/etc/letsencrypt/live/domain.com/fullchain.pem`
## 📝 Logs
- Bash: `/var/log/letsencrypt_regru.log`
- Python: `/var/log/letsencrypt_regru.log`
- PowerShell: `.\letsencrypt_regru.log`
- Certbot: `/var/log/letsencrypt/letsencrypt.log`
## 🆘 Troubleshooting
### API Authentication Error
- Check your reg.ru credentials
- Ensure the domain is under your control
### DNS Record Not Propagating
- Increase `dns_propagation_wait` to 120 seconds
- Check DNS: `nslookup -type=TXT _acme-challenge.domain.com`
### Certbot Not Found
```bash
# Ubuntu/Debian
sudo apt-get install certbot
# Or via snap
sudo snap install --classic certbot
```
## 📚 Documentation
Detailed documentation in [USAGE.md](USAGE.md)
## 🔐 Security
- Keep credentials secure
- Use `chmod 600` for configuration files
- Regularly update passwords
## ⚠️ Important
- Let's Encrypt certificates are valid for 90 days
- Automatic renewal setup is recommended
- Wildcard certificates require DNS validation
## 📞 Support
- [reg.ru API Documentation](https://www.reg.ru/support/api)
- [Let's Encrypt Documentation](https://letsencrypt.org/docs/)
- [Certbot Documentation](https://certbot.eff.org/docs/)
## 📄 License
Scripts are provided "as is" for free use.
---
**Happy Automation! 🔒**