mirror of
https://github.com/acmesh-official/acme.sh.git
synced 2025-03-26 19:00:11 +08:00
Updated Usage on Tomato routers (markdown)
parent 8ef5f25c33
commit a7db17d18f
@ -1,6 +1,6 @@
This article describes using a router with Linux-based [Tomato firmware](https://en.wikipedia.org/wiki/Tomato_(firmware)) to run name-based HTTPS [reverse proxies](https://en.wikipedia.org/wiki/Reverse_proxy) with [Let's Encrypt](https://letsencrypt.org/) certificates, using [acme.sh](https://github.com/acmesh-official/acme.sh), providing encrypted access to home or small business LAN services from outside (untrusted) networks, such as your mobile devices.
Traffic to HTTPS port(s) (the usual 443 or whatever you use) in your public IP address will be forwarded to plain HTTP services on your LAN hosts with your Tomato router functioning as a reverse proxy. This way you can have multiple (sub)domains in a single public port pointed to several LAN servers with Tomato handling all the HTTPS stuff, which is not possible with simple port forwarding. A configuration example is provided.
Traffic to HTTPS port(s) (the usual 443 or whatever you use) in your public IP address will be forwarded to plain HTTP services on your LAN hosts with your Tomato router functioning as a reverse proxy. This way you can have multiple (sub)domains in a single public port pointed to several LAN servers with Tomato handling all the HTTPS work, which is not possible with simple port forwarding. A configuration example is provided.
Much of the setup is done through SSH, but you'll also need Tomato's web interface, marked in this guide as **Menu→Submenu**.
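Review bot: the "stuff" to "work" change is fine, but while this sentence is being touched the prepositions in both versions read oddly: "HTTPS port(s) ... in your public IP address" and "multiple (sub)domains in a single public port" would be clearer as "at your public IP address" and "on a single public port".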
@ -9,7 +9,7 @@ Much of the setup is done through SSH, but you'll also need Tomato's web interfa
- Unless you happen to have a static public IP, you need a dynamic DNS (**Basic→DDNS**) service configured in Tomato. Some [DNS services](https://community.letsencrypt.org/t/dns-providers-who-easily-integrate-with-lets-encrypt-dns-validation/86438) also provide API control, enabling [DNS mode](https://github.com/acmesh-official/acme.sh/wiki/dnsapi) for acme.sh. You can point additional regular CNAME records to the DDNS hostname, so not all your hostnames need to be dynamic. In this guide _tomato.example.com_ and _www.tomato.example.com_ are used as examples.
- At least one plain HTTP web service or site running on either a LAN host or Tomato itself. It's a good idea to assign static IP addresses for servers (**Basic→Static DHCP/ARP/IPT**).
If you're going to [issue certificates](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert) using webroot mode, Tomato's web server must be running in port 80, so make sure your service provider doesn't block that port and that the web admin service is not using the same port.
If you're going to [issue certificates](https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert) using webroot mode, Tomato's web server must be running in port 80, so make sure your service provider doesn't block that port and that the web admin service (**Administration→Admin Access**) is not using the same port.
**Standalone modes won't work**, as there's no `socat` in Tomato (without [entware](https://github.com/Entware/Entware/wiki)).
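Review bot: the added **Administration→Admin Access** pointer is useful, but "running in port 80" should be "running on port 80", and the sentence only covers the port clash. Since webroot validation needs port 80 reachable from the Internet (hence the note about the provider not blocking it), the text should also say that the admin service must not be exposed on that WAN-facing port at all, not merely that it uses a different port number than the web server. Suggested wording: "make sure your service provider doesn't block that port, and that the web admin service (**Administration→Admin Access**) neither uses the same port nor is reachable from the WAN."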
@ -58,7 +58,7 @@ Go to **Web Server→Basic Settings** and set it up like this:
- **Web Server Port**: 80
- **Server Root Path**: `/tmp/mnt/flash/www`
Save the settings and then create the directory for webroot challenges:
Save the settings. If the web server isn't running, click "Start now". Then create the directory for webroot challenges:
```sh
mkdir -p /tmp/mnt/flash/www/.well-known/acme-challenge
```
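Review bot: the added "Start now" step closes a real gap, but the procedure still ends without a check. After the `mkdir -p`, readers should verify the challenge path is actually served before running acme.sh, for example by placing a throwaway file in `/tmp/mnt/flash/www/.well-known/acme-challenge/` and fetching `http://tomato.example.com/.well-known/acme-challenge/<file>` from outside the LAN; a webroot validation that fails because the Server Root Path and the directory created here disagree is otherwise hard to diagnose from the acme.sh output alone.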
@ -89,7 +89,7 @@ acme.sh --install-cert -d tomato.example.com \
```
Note that Tomato has a funny typo, internally calling nginx "enginex".
Since nginx runs as user "nobody" you need to make the chain and key files readable by it. Change their owner group to nobody and allow group read permissions:
Since nginx runs as user "nobody" you need to make the chain and key files readable by it. Change their owner group to "nobody" and allow group read permissions:
```
chown root:nobody /tmp/mnt/flash/cert/tomato.example.com/*
chmod 0640 /tmp/mnt/flash/cert/tomato.example.com/*
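Review bot: quoting "nobody" is fine; two further points on this block. `chmod 0640` on `*` intentionally makes the private key group-readable by the nginx user and nothing more, but the text should say so explicitly (and that the certificate directory should hold nothing but the files installed by `--install-cert`), otherwise readers who hit a permission error are likely to reach for `0644` and make the key world-readable. Also, this fence has no language tag while the `mkdir` block earlier on the page uses ```sh; tag it the same way for consistency.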
@ -102,7 +102,7 @@ Modify the below example to match your new hostname(s), certificate path and LAN
If the server is Tomato itself, set `proxy_pass` to _http\://127.0.0.1:80_ (match the port number with web server setting).
You can add as many proxy server configurations as you wish, but note that they take up precious NVRAM, unless you move the whole nginx configuration to a file, disabling GUI settings. In many cases you can leave out the `proxy_set_header` lines, as they only provide connection info for logging etc.
You can add as many proxy server configurations as you wish, but note that they take up precious NVRAM, unless you move the whole nginx configuration to a file, disabling GUI settings (hint: `nginx -T`). In many cases you can leave out the `proxy_set_header` lines, as they only provide connection info for logging etc.
```nginx
server {
listen 443 ssl;
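Review bot: the "(hint: `nginx -T`)" addition is too terse to act on; say what it is for, e.g. "`nginx -T` tests the running configuration and prints the complete effective config, which you can redirect into the file that replaces the GUI settings". Separately, the unchanged claim that the `proxy_set_header` lines "only provide connection info for logging etc." undersells them: backends commonly use the forwarded Host and proto headers to build redirect URLs and to decide whether a request arrived over HTTPS, so dropping them can break redirects and absolute links behind the proxy. Suggest softening to "you may be able to leave out the `proxy_set_header` lines if the backend doesn't need them".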