Lets Encrypt and Wildcard Certs

Le-logo Lets Encrypt now supports the use of a wildcard certificate.

What this mean is that rather than having to list all your sub domains in the SSL cert, you can now add *.mydomain.com. It also mean that if you add an additional sub domain you wont have to re-apply for new certificate.

So how does it work?

For this guide I will use LE64.exe - it's a Microsoft Windows command line app which fetches the cert for us. We just need to plug in some commands to get what we need.

This setup presumes you have access to your domain registrar and that you know how to add domain records, in this case a TXT record.

1. Download LE64 from - https://github.com/do-know/Crypt-LE/releases

2. Extract the zip to a working directory i.e. C:\LE64 and you should see a LE64.exe.

3. Create a bat file in the same folder, call it le64.bat

4. In the bat file we need to add the custom attributes or commands. Edit the bold italics below with your details.

le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --export-pfx mypfxpassword --domains "*.***mymedia.cf***" --generate-missing --handle-as dns --api 2 --unlink

This command will create the CSRs, CRT, Key and a PFX cert with a password.

Save the BAT file.

5. Run the le64.bat (its currently in test mode). A command window will open and after a few lines of text it will stop and ask you to add a DNS record with your Domain Registrar to verify you own the domain name.

enter image description here

6. Head over to your domain registrar. For this guide I will be using Cloudflare. Log in and head to DNS or DNS records.

enter image description here

  1. Add the TXT record with the text string from the command line window, should look something like the below when entered.

enter image description here

  1. You now have to wait a few minutes for the Records to propagate the internet. Can be up to 30mins or more in some cases.

To test the propagation, open a CMD prompt and enter the following

nslookup -q=txt _acme-challenge.mymedia.cf

Press enter and if the propagation was successfull it should return the txt value you entered. If it fails to find it, wait a little longer and try again. If the TXT doesnt match, re-enter it again with your Domain Registrar.

9. If the text records matched, hit enter on the le64.bat window to continue with fetching the certificates. You should now have FAKE Lets Encrypt certs. Reason they are fake is that this was it test mode. If all worked ok you now have to repeat from No.4 above but adding --live to the end of the BAT file. Like below-

le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --export-pfx mypfxpassword  --domains "*.mymedia.cf" --generate-missing --handle-as dns --api 2 --unlink --live

You will need to change the DNS TXT record as it will be different this time. Also once the above has completed and you have the certs, you can delete the TXT record with your domain registrar.

N.B.

Previously with DNS verification that the above uses, come renewal time you will have to re-verify your DNS. However I have tested it with le64, aslong as the CSR and CSR.key are kept in the same folder and that you renew your certificate with at least 30 days still left on the cert then you wont have to do the DNS verification again.

Sonos, Unifi, VLAN and Firewalls.

enter image description here

Carrying on from a previous post - Unifi & Sonos VLANs. If you are like me and you have your Sonos Devices segregated on an IoT VLAN and the Sonos Controllers (iPhone etc) on a different VLAN then you will probably need to do some firewalling.

A little Background

VLANs are used for many reasons, segregating networks, preventing multicast packets traversing networks, security amongst other reasons. In this case I wanted all my IoT devices on its own network (VLAN) as there are many security risks with IoT devices and the a separate VLAN for my main LAN. With this I wanted to block all communication from IoT_VLAN to Main_VLAN, however I wanted my Main_VLAN to still be able to communicate with some devices on the IoT_VLAN i.e. Sonos Speakers.

So following on from the previous post where we setup the VLANs and IGMP-Proxying, we will now look at the Unifi Firewalls.

Firewalls work on rules and the rules work in descending order, i.e. if data hits the firewall it will check the rules from the top downwards until it finds a matching rule.

Firewall

In Unifi there are various Rule headings, WAN, LAN and Guest and each has a IN, OUT and LOCAL. For this guide we will be working with LAN IN - the data is coming from the LAN INTO the USG.

Lets create some rules, these will be in order Top to Bottom.

The first rule is created because when the Controller on Main_VLAN creates a connection with the Speaker on IoT_VLAN we want the speaker to be able to talk back to the controller, hence we create a rule to allow established connections but do not allow it to open new connections.

Name - Allow Established
Enabled - On
Rule Applied - Before pre-defined rules
Action - Accept
IPv4 Protocol - All
States - Established and Related
Source - Address group - Any
Destination - Address group - Any

Next Rule is to allow Sonos Speakers to contact Main_VLAN

Name - SONOS_To_Main_VLAN
Enabled - On
Rule Applied - Before predefined rules
Action - Accept
IPv4 Protocol - All
Address Group - Create a group with all the Sonos Speaker IP addresses
Destination - Network - Main_VLAN

Final rule is to block all other data from IoT_VLAN to Main_VLAN

Name - Block IoT_VLAN to Main_VLAN
Enabled - On
Rule Applied - Before predefined rules
Action - Drop
IPv4 protocol - All
Source - Network - IoT_VLAN
Destination - Network - Main_VLAN

And that's it. With these rules devices on IoT_VLAN shouldnt be able to contact devices on Main_VLAN, however Main_VLAN can still contact the Sonos Speakers.

This is what the Rule Page looks like

firewall rule

NGINX Blacklist IPs and Subnets

The ideal way to blacklist is at the router or firewall level. However there is an option to whitelist or blacklist using NGINX.

I use the following site to get a list of dodgy IP's http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

Copy and Paste that txt file into Notepad++

We now need to change the formatting for NGINX.

In Notepad ++ press Ctrl + H - this will open the replace menu.

enter image description here

Enter the details above.

  • Find What - ^
  • Make sure to have a space after the 'DENY'.
  • Click 'Replace All'.

And then use the details below,

enter image description here

  • Find What - $
  • Replace with - ;
  • And then 'Replace All'

Save the file as blacklist.conf and save it in the NGINX Conf folder.

Finally add this to the NGINX.conf in the HTTP Block

include blacklist.conf;

Restart NGINX and now all the IPs and Subnets listed will be blocked. Anyone trying to access your server from a blocked IP will get a HTTP 403 error, Access forbidden.

NGINX & cloudflare forwarding IP

enter image description here

To get the Origin IP passed through Cloudflare to NGINX reverse proxy you need to add the following to the end of the HTTP Block.

        # Cloudflare IPs
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
real_ip_header     CF-Connecting-IP;

All IPs will then be logged in the access.log.

SSL Config For NGINX

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


proxy_hide_header X-Powered-By;
add_header x-xss-protection 1;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
add_header X-Frame-Options "ALLOW-FROM https://home.mydomain.media";

Unifi Firewall Logging with syslog

enter image description here

How to Enable syslogging of Unifi Firewall.

It's fairly easy to enable syslog in Unifi Controller, however to log blocked or dropped traffic at the firewall needs a few extra steps. By default anything blocked by the firewall isnt logged.

Unifi config.json.

The Unifi USG comes with pre-defined firewall rules. We need to edit these rules which can be done on the USG using command line and then also needs a json file to persist after a reboot or re-provision. We also need to create some new rules and enable syslog server.

First we need to find a syslog server. For this example I will use kiwi syslog which is free.

enter image description here

Download here

Install to an easy to find location and run the console, we will come back to configure it later.

Login to your Unifi controller and go to settings and enable remote logging and enter the IP of where the kiwi syslog server is and normally the default port is 514.

enter image description here

Now go to Routing and Firewall and select firewall.

We need to create 2 new rules, both identical, 1 in WAN_LOCAL and the other in WAN_IN

New Rule

Name - LAST - default drop and log
Enabled - ON
After pre-defined rules
Drop
All
Advanced - Enable Logging
Tick New, Established, Relate, Invalid
Dont match on ipsec
Leave rest default

enter image description here

So we should have something like this

enter image description here

enter image description here

Next we need to change the pre-defined firewall rules on the USG.

SSH onto your USG and login

configure
set firewall name WAN_LOCAL rule 3002 log enable
set firewall name WAN_IN rule 3002 log enable
commit
save

Next we need to configure Kiwi to capture the logs.

More to come soon

The next part is optional. The syslog logs in kiwi contain alot of information but this doesnt really mean much to us. I recommend using something like sumologic to collect parse and visualize the data.

Below is a screenshot of my dashboard. It displays the number of blocked connections by their geo-location. A list of top 10 blocked IPs, the total number of blocked requests over 24 hours and finally a graph of the number of blocked connections in 30 min increments. These numbers come from the firewall rule [WAN_LOCAL-4000-D].

enter image description here

Head over to the next Guide "Syslog to SumoLogic" to setup the visualization of the logs.

Unifi Sonos and VLANs

enter image description here

For the security consious out there you may have split your home network up into VLANs. If you've found this page by searching then you probably already know what a VLAN is and its purpose.

At home I have split my network into 4 VLANs.

VLAN1 - Main data VLAN for all my devices VLAN40 - VLAN for guests to use VLAN60 - Security VLAN, CCTV, alarms etc VLAN80 - IOT devices, internet of things, zwave, zigbee, sonos and home automation etc.

The idea of keeping IOT devices on a seperate VLAN to other devices is mainly for security. Most IOT devices are easily hackable and if this does happen they will only be able to access devices on VLAN80 and not my other devices.

Anyway this post will explain how to get the Sonos devices on VLAN80 to communicate with the controllers (iPhone, iPad, PC) on VLAN1.

With Unifi we need to enable igmp-proxy. To set it we need to SSH onto the USG.

and enter the following commands

configure
edit protocols igmp-proxy
set interface eth1.80 role downstream
set interface eth1.80 threshold 1
set interface eth1.80 alt-subnet 0.0.0.0/0
set interface eth1 role upstream
set interface eth1 threshold 1
set interface eth1 alt-subnet 0.0.0.0/0
exit
commit
save

eth1.80 = the VLAN of the sonos devices (IOT) eth1 = VLAN1 the main data VLAN with the Sonos controllers on.

I recommend restarting the igmp-proxy service on the USG. To do so enter the command

restart igmp-proxy

Now it is set, you will have to re-configure the Sonos Device with the controller.

With Unifi, the CLI commands arent persistent with a re-provision. To make the changes stick we need to use a config.gateway.json file

Its location is

C:\users\%username%\Ubiquiti Unifi\data\sites\default\

Edit the config.gateway.json file and enter the below

     {
"protocols": {
        "igmp-proxy": {
            "interface": {
                "eth1": {
                    "role": "upstream",
                    "threshold": "1",
                    "alt-subnet": "0.0.0.0/0"
                },
                "eth1.80": {
                    "role": "downstream",
                    "threshold": "1",
                    "alt-subnet": "0.0.0.0/0"
                }
            }
        }
    }
}

Obviously changing the VLAN numbers to what ever yours are.

Troubleshooting Ok well this didnt really work straight away for me.

To check that igmp is working you can issue the following commands

show ip multicast mfc

and

show ip multicast interfaces 

This should show any multicast data its source and where it is going. For example

enter image description here

On the top half you can see see the source and that some data is going from eth1 to eth1.80. However with the command Show IP multicast interfaces you can see that no multicast data is coming into eth1.80 interface, it seems to be going out on eth1 and into eth1.60. To resolve this I had to issue the restart igmp-proxy command to restart the service. A USG re-provision didnt work.

For creating Firewalls, see this post - Sonos, Unifi, Firewalls & VLANS

Unifi Portal - Responsive Design

enter image description here By Default the Unifi Guest/Hotspot portal is a fixed webpage. Todays standards call for a responsive webpage design and with a little tweaking we can achieve it.

First we need to browse to the location of our Unifi Controller.

for Windows OS, normally located

C:\Users\Swynol\Ubiquiti UniFi

Head deeper into the folder at the path below

C:\Users\Swynol\Ubiquiti UniFi\data\sites\default\app-unifi-hotspot-portal

we now need to add a new css file

Open notepad or notepad++ and paste the following contents

    html {
  background: url(/guest/s/default/portalfile/58b4ac1420c21de2551c3c24?portalfile=true) no-repeat center center fixed;
  -webkit-background-size: cover;
  -moz-background-size: cover;
  -o-background-size: cover;
  background-size: cover;
}

Save it and call the document 'background.css' save it to the CSS folder in the above location.

We now need to edit the index.html file (right click open with notepad)

We need to add the line below to the header section of the file

<link href="css/background.css" rel="stylesheet"> 

it should now look like this

    <!DOCTYPE html>
<html lang="en" ng-controller="MainController as mainCtrl">
  <head>
    <meta charset="utf-8">
    <title unifi-portal-custom-title></title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="apple-touch-icon-precomposed" href="images/favicons/favicon-152.png">
    <meta name="msapplication-TileColor" content="#0193d7">
    <meta name="msapplication-TileImage" content="images/favicons/favicon-144.png">
    <link rel="apple-touch-icon-precomposed" sizes="152x152" href="images/favicons/favicon-152.png">
    <link rel="apple-touch-icon-precomposed" sizes="144x144" href="images/favicons/favicon-144.png">
    <link rel="apple-touch-icon-precomposed" sizes="120x120" href="images/favicons/favicon-120.png">
    <link rel="apple-touch-icon-precomposed" sizes="72x72" href="images/favicons/favicon-72.png">
    <link rel="apple-touch-icon-precomposed" href="images/favicons/favicon-57.png">
    <link rel="icon" href="images/favicons/favicon-32.png" sizes="32x32">
    <link href="fonts/1.3.2/lato/style.css" rel="stylesheet">
    <link href="fonts/1.3.2/ubnt-icon/style.css" rel="stylesheet">
    <link href="css/app.css?v=1.3.2" rel="stylesheet">
    <link href="css/background.css" rel="stylesheet"> 
    <script src="config/config.js?v=1.3.2"></script>
    <script src="js/vendor.js?v=1.3.2"></script>
    <script src="js/components.js?v=1.3.2"></script>
    <script src="js/main.js?v=1.3.2"></script>
  </head>

Save it.

And that's it. all done

NGINX Config

worker_processes  2;


events {
    worker_connections  8192;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##



## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

      return 301 https://$host$request_uri;
}   

## Organizr ##

    server {

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name home.mydomain.media mydomain.media;

    include ssl.conf;

            location ^~ /.well-known/acme-challenge/ {
                }

            location / {
            root html\Organizr;
            index index.php index.html index.htm;
                }

            location ~ \.php$ {
            root           html\Organizr;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  E:/NGINX/html$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_param REMOTE_ADDR $http_x_real_ip;
            }

}



##EMBY Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:8096;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        }
                location ^~ /.well-known/acme-challenge/ {
}


}

##Sophos UTM##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name sophos.mydomain.media; 

       include ssl.conf;

     location / {
        proxy_pass https://192.168.10.8:4444;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
                        location ^~ /.well-known/acme-challenge/ {
}

}


##Sonarr Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name sonarr.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:8989;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
                        location ^~ /.well-known/acme-challenge/ {
}
}

##Radarr Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name radarr.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:7878;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
}
        location ^~ /.well-known/acme-challenge/ {
}
}

##NZB Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name nzb.mydomain.media; 

    include ssl.conf;

        location / {
        proxy_pass http://127.0.0.1:6792;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
}
        location ^~ /.well-known/acme-challenge/ {
}
}



##Plex Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name plex.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:32400;  
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        }
        location ^~ /.well-known/acme-challenge/ {
}
}

##Unifi Server##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name unifi.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass https://127.0.0.1:8443;  

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /inform/ {
        proxy_pass https://127.0.0.1:8080;  

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
        location ^~ /.well-known/acme-challenge/ {
}
}

##Unifi Guest Portal##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name guest.mydomain.media; 

include ssl.conf;

     location / {
        proxy_pass https://127.0.0.1:8843;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";

    }
     location /ws/ {
                        proxy_pass https://127.0.0.1:8843/ws/;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        add_header X-Xss-Protection "1; mode=block" always;
                        add_header X-Content-Type-Options "nosniff" always;
                        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                        add_header X-Frame-Options "SAMEORIGIN" always;
                        add_header 'Referrer-Policy' 'no-referrer';
                        add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
                    }
        location ^~ /.well-known/acme-challenge/ {
}
}



##CCTV Server##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name cctv.mydomain.media; 

        ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


     location / {
        proxy_pass http://192.168.60.10:8099;  
        ##proxy_pass http://192.168.60.10:8099/ui3beta/ui3.htm; ##
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 }
        location ^~ /.well-known/acme-challenge/ {
}
}



##Heating##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name heat.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://192.168.80.9:80;  

    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
        location ^~ /.well-known/acme-challenge/ {
}
}

##uTorrent##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name utorrent.mydomain.media; 

            include ssl.conf;

    location / {
        proxy_pass http://127.0.0.1:7070/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";  
        proxy_redirect  off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Set-Cookie;
        proxy_pass_header P3P;
        }
    location ^~ /.well-known/acme-challenge/ {
}

}


#PRTG Stats Map##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name stats.mydomain.media; 

            include ssl.conf;

  location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

      location /public/stats {
        proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2069&mapid=1;
    }
      location /public/status {
        proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2155&mapid=1EC016F4-43DC-44FD-A4F1-E10033FBD0CB;
    }
    location /public/topology {
        proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2283&mapid=73F695B6-6CDE-4CD5-BB34-BD40DCD6192D;
    }

    ##HDD TEMPs##
    location /hdd/ {
        proxy_pass http://127.0.0.1:8929/status;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
        location ^~ /.well-known/acme-challenge/ {
}

    ##NGINX Status##
    location /nginx_status {
        # Turn on stats
        stub_status on;
        access_log   off;
   }

}

##Webpage##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.mydomain.media; 

            include ssl.conf;

    location / {
         root   html\AwelSwynol;
            index  index.html index.htm;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
                    location ^~ /.well-known/acme-challenge/ {
}


}

## Blog ##

    server {

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name blog.mydomain.media;

    index index.php;

        include ssl.conf;

        location ^~ /.well-known/acme-challenge/ {

}

        location ~ /config/ {
        root html\Blog;
        deny all;
            }

        location / {
        root html\Blog;
        try_files $uri $uri/ /index.php?$args;
            }

        location ~ \.php$ {
        root html\Blog;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME   E:/NGINX/html$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
  }

}


##HA-Bridge##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name smartthings.mydomain.media; 

            include ssl.conf;

            location / {
        proxy_pass http://192.168.10.10:82;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
                location ^~ /.well-known/acme-challenge/ {
}
        }

##Ombi##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name ombi.mydomain.media;

        include ssl.conf;

            location / {
        proxy_pass http://127.0.0.1:5000;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_read_timeout  90;
        proxy_redirect http:/127.0.0.1:5000 https://$host;
        proxy_set_header X-Forwarded-Proto $scheme;
        }
                location ^~ /.well-known/acme-challenge/ {
}

        }

#404 ERROR##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name update.mydomain.media requests.mydomain.media esxi.mydomain.media; 

            include ssl.conf;

    location ^~ /.well-known/acme-challenge/ {
}

    location / {
            index  50x.html 50x.htm;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
}


}

NSSM - Non Sucking Service Manager

enter image description here

NSSM is the Non-Sucking_Service-Manager.

It allows you to install any application as a Windows Service.

  1. Download NSSM from https://nssm.cc/download
  2. Extract the downloaded file. You should see the folder structure below NSSM folder
  3. Depending on which version of Windows you are using (x32 or x64) open the relevent folder which revels NSSM.exe.
  4. Copy NSSM.exe to C:\Windows\System32
  5. Open up a command prompt (start > CMD.exe) as an administrator
  6. Type NSSM install "servicename" like the image below NSSM service
  7. Fill in the details, example above shows CCleaner.
  8. Click "Install Service"
  9. To start the service, you can go back to your CMD prompt and type "nssm start ccleaner"

  10. alternatively you can start the service through the GUI, you can do so by going to "start" > Services > Ccleaner >right click > start Start Service

  11. To uninstall the service, run CMD again this time type nssm remove ccleaner