@gilangvperdana
Last active Sep 27, 2022
Teleport behind Nginx Reverse Proxy

General Teleport

If you want a jump host/bastion cluster in front of your servers, you can install Teleport. This guide walks through installing Teleport and then exposing it through an NGINX reverse proxy.

Prerequisites

  • Ubuntu 20.04LTS
  • 1 GB RAM
  • 1 VCPU
  • 20 GB Storage

Teleport Installation

sudo curl https://apt.releases.teleport.dev/gpg \
  -o /usr/share/keyrings/teleport-archive-keyring.asc
source /etc/os-release
echo "deb [signed-by=/usr/share/keyrings/teleport-archive-keyring.asc] \
  https://apt.releases.teleport.dev/${ID?} ${VERSION_CODENAME?} stable/v10" \
| sudo tee /etc/apt/sources.list.d/teleport.list > /dev/null

sudo apt-get update
sudo apt-get install teleport

Init Teleport Installation

cd /var/lib/teleport/ 

## OPTIONAL: if you don't have an SSL certificate, generate a self-signed one
openssl genrsa -out ca.key 2048 
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt 
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=teleport.domain.com" -out server.csr 
openssl x509 -req -extfile <(printf "subjectAltName=DNS:teleport.domain.com,DNS:teleport.domain.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
mv server.crt server.pem 
mv server.key server-key.pem 


## If you already have an SSL certificate, copy the cert and key (.pem) to /var/lib/teleport
cp server.pem /var/lib/teleport
cp server-key.pem /var/lib/teleport

## Installation Init
teleport configure -o /etc/teleport.yaml  \
--cluster-name=teleport.domain.com \
--public-addr=teleport.domain.com:4443 \
--cert-file=/var/lib/teleport/server.pem \
--key-file=/var/lib/teleport/server-key.pem

sudo systemctl enable teleport 
sudo systemctl start teleport 
sudo systemctl status teleport 
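
A pre-flight check for the certificate and key passed to `teleport configure` above, added here as an example and not part of the original gist. NGINX does not verify the upstream certificate unless `proxy_ssl_verify` is enabled, so the proxy itself will not flag a wrong SAN or an expiring certificate on the Teleport side. The function names and the 30-day expiry window are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original gist. Function names and the 30-day
# expiry window are assumptions of this example.

# check_teleport_cert CA_CERT SERVER_CERT SERVER_KEY HOSTNAME
# Returns 0 if usable, 1 chain/SAN failure, 2 key mismatch, 3 expiring soon.
check_teleport_cert() {
    ca=$1; cert=$2; key=$3; host=$4

    # 1. The cert must chain to the CA and list the hostname in its SAN.
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: chain or hostname check failed for $host"; return 1; }

    # 2. The private key must belong to the cert: compare public-key digests.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 2; }

    # 3. Reject certificates that expire within 30 days (2592000 seconds).
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expires within 30 days"; return 3; }

    echo "OK: $cert is valid for $host"
}

# make_demo_certs DIR HOSTNAME
# Constructed sample input: a throwaway CA and server cert built with the same
# openssl steps as the guide (SAN written to a file instead of <(...)).
make_demo_certs() {
    d=$1; h=$2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$d/ca.key" \
        -subj "/O=Demo/CN=Demo Root CA" -out "$d/ca.crt"
    openssl req -newkey rsa:2048 -nodes -keyout "$d/server-key.pem" \
        -subj "/O=Demo/CN=$h" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$h" > "$d/san.ext"
    openssl x509 -req -extfile "$d/san.ext" -days 365 -in "$d/server.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

# Demo: the matching hostname passes, a different hostname is rejected.
demo=$(mktemp -d)
make_demo_certs "$demo" teleport.domain.com
check_teleport_cert "$demo/ca.crt" "$demo/server.pem" "$demo/server-key.pem" teleport.domain.com
check_teleport_cert "$demo/ca.crt" "$demo/server.pem" "$demo/server-key.pem" wrong.domain.com || true
rm -rf "$demo"
```

For the files from this guide, run it as `check_teleport_cert ca.crt server.pem server-key.pem teleport.domain.com` from `/var/lib/teleport` before starting the service.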

Create User on Teleport

sudo tctl users add gilang --roles=editor,access --logins=root,ubuntu 

Turn off 2FA (OPTIONAL)

nano /etc/teleport.yaml
auth_service: 
  authentication: 
    second_factor: off 
systemctl restart teleport

Reverse it with Nginx

  • Add an entry to /etc/hosts so the name resolves locally
nano /etc/hosts
127.0.0.1 teleport.domain.com
  • Create the NGINX config
nano /etc/nginx/conf.d/teleport.conf
server {
    listen                   443 ssl;

    server_name              teleport.domain.com *.teleport.domain.com;
    ssl_certificate          /etc/letsencrypt/live/teleport.domain.com/fullchain.pem;
    ssl_certificate_key      /etc/letsencrypt/live/teleport.domain.com/privkey.pem;

    location / {

        proxy_buffering      off;
        proxy_set_header     Host $host;
        proxy_set_header     X-Real-IP $remote_addr;
        proxy_set_header     X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto "https";

        # WebSocket support
        proxy_http_version   1.1;
        proxy_set_header     Upgrade $http_upgrade;
        proxy_set_header     Connection "upgrade";
        proxy_read_timeout   86400;

        proxy_pass           https://teleport.domain.com:4443;
    }
}   
nginx -t
service nginx reload
