this post was submitted on 12 Jan 2025
13 points (100.0% liked)

Free and Open Source Software

18081 readers
12 users here now

If it's free and open source and it's also software, it can be discussed here. Subcommunity of Technology.


This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago
MODERATORS
 

At the moment I am currently using Cloudflare as a way to provide SSL to my self-hosted site. The site sits behind a residential connection that blocks incoming data on commonly used ports including 80 and 443. It's a perfectly fine and reasonable solution which does what I want. But I'm looking to try something different.

What I would like to try is using Let's Encrypt on a non standard port. I understand there are plenty of good reasons not do this, mainly that some places such as workplaces may block higher number ports for security reasons. That's fair but I am still interested in learning how to encrypt uncommon ports with Let's Encrypt.

Currently I am using Nginx Proxy Manager to handle Let's Encrypt certificates. It's able to complete the DNS Challenge required to prove I own the domain name and handles automated certificate renewals as well. Currently I have NPM acting as a reverse proxy guiding outside connections from Cloudflare on port 5050 to port 80 on NPM. Then the connection gets sent out locally to port 81 which is the admin web page for NPM (I'm just using it as a page to test if the connection is secured).

Whenever I enable Let's Encrypt SSL and try to connect to my site, the connection times out and nothing happens. I'm not sure if Let's Encrypt is expecting to reach ports 80/443 or if there is something wrong with my reverse proxy settings that breaks the encryption along the way. Most discussions just assume ports 80/443 are open which is fair since that's the most common situation. The few sites discussing the use of uncommon ports are either many years dated or people talking about success without sharing any details. I'm sort of at the end of what I can search at this point.

What I'm hoping to learn out of all this is how encryption and reverse proxies work together because those two things have been a struggle for me to understand as a whole throughout this whole learning process. I would appreciate it a lot of anyone had any resources or experiences to share about this.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] khalil 2 points 1 week ago (1 children)

Just did a quick test, the certs do not bind to the port, only the domain/fqdn. So in short your reverse proxy/application is doing something wrong. Do you have the cert files? Can you test them inside a ubuntu:24.04 docker with the script bellow? (you'll need to copy two cert files). That does TLS and is the application all in one script, but it could be two scripts one acting as the reverse proxy or whatever, doesn't make a difference from the point of view of the client.

Lets Encrypt doesn't do anything in port 80/443 unless you're using the http challlenge AFAIK. And once you have the certs, they aren't really involved in the connection, thus that can't be the issue. Test by using curl against the script below, or your own infrastructure (each step/chain of it, the reverse proxy, the application ip, etc.)

But in short I think your reverse proxy configuration is just wrong, or you're accessing it the wrong way on the client side. For example, using https://example.com instead of https://example.com:5050.

# docker run --rm --net host -it ubuntu:24.04
# then install python3 and run this
import http.server
import ssl

PORT = 5201  # Change to your desired port
CERT_FILE = "/fullchain.pem"  # Path to your certificate file
KEY_FILE = "/key.pem"    # Path to your private key file

# Create a basic HTTP request handler
class SimpleHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()
        self.wfile.write(b"<h1>Welcome to the secure static server!</h1>")

# Set up the HTTP server
httpd = http.server.HTTPServer(("0.0.0.0", PORT), SimpleHTTPRequestHandler)

# Set up SSL context
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ssl_context.load_cert_chain(certfile=CERT_FILE, keyfile=KEY_FILE)

# Wrap the server socket with SSL
httpd.socket = ssl_context.wrap_socket(httpd.socket, server_side=True)

print(f"Serving HTTPS on port {PORT}")
httpd.serve_forever()

When I get the motivation again I will give this a try. A while ago I was wondering if a tool like this existed so it's nice to see it pop up now. Thank you for this.