Virtual Private Server
Hosting servers at home puts the home connection's public IP address in DNS, where anyone can read it. That invites targeted attacks (scanning, DDoS) and doxing. Putting a VPS (Virtual Private Server) in a data center in front of the home network removes the exposure: DNS points at the VPS, clients connect to the VPS, and the VPS forwards traffic to the home servers over a private tunnel. The home IP never appears in any public record.
DNS
Cloudflare serves as both the domain registrar and the DNS provider, and its proxy adds DDoS protection in front of the VPS. The DNS configuration is an A record for the apex domain pointing at the VPS's public IP, plus records for www and a wildcard (*) subdomain pointing at the same address. Cloudflare's proxying can be switched off on a record if it causes routing problems; doing so exposes the VPS's address directly, but still never the home IP.
VPS
On the VPS we install Nginx Proxy Manager. It is the reverse proxy that routes each hostname to the right backend server. For this to work the VPS firewall has to allow the following ports:
- 80 (http), open to the internet
- 443 (https), open to the internet
- 81 (Nginx Proxy Manager admin UI); do not open this one to the internet, restrict it to the Tailscale interface or to trusted addresses only
Nginx Proxy Manager
Follow the project's directions; essentially, we run it through Docker Compose as discussed here.
Once Nginx Proxy Manager is running, create an API token in Cloudflare scoped to edit DNS for this zone only (Zone, DNS, Edit). The token is stored on the VPS, and anyone who obtains it can rewrite the domain's records, so keep its permissions that narrow. Nginx Proxy Manager uses the token for the Let's Encrypt DNS challenge, which is the only challenge type that can issue a wildcard certificate. Two certificates are requested: one for the apex domain, for ours ardencharts.com, and one for the wildcard, *.ardencharts.com (a single certificate listing both names also works).
Before we can configure proxy hosts we need the other half of the setup, Tailscale. Tailscale routes traffic from the exposed VPS to the home servers over WireGuard, so the home network never has to open an inbound port. Install Tailscale on the home servers and on the VPS. HAProxy can also be installed on the VPS if we want to route to multiple destinations or locations.
When you run Tailscale on the VPS, make sure to accept the routes the home side advertises (Linux does not accept subnet routes by default):
tailscale up --accept-routes
On the home server that fronts your LAN, advertise the subnet(s) the backend servers live on. Use the network address, not a host address, and separate multiple subnets with commas (192.168.1.1/24 is rejected; write 192.168.1.0/24):
tailscale up --advertise-routes=192.168.1.0/24
Enable IP forwarding on that host first, and approve the advertised routes in the Tailscale admin console; until both are done the VPS cannot reach the LAN addresses.