I have a question regarding the “Location Filter” and firewall rule.
I have a VM running on my router that hosts NextCloud. For NextCloud I have manually renewed the certificate from Let’s Encrypt every 3 months. Now I want to automate this and use the “acme.sh” which does this by itself.
But now I have activated the Location Filter on my router and only Germany is allowed, and I have deactivated the incoming port 80.
When I had always manually extended the certificate, I activated the firewall rule for the forwarding of port 80 and switched off the location filter. After the renewal, I reset the original status.
How can I automate this via command from my VM?
Before starting acme.sh, the rule for port 80 should be automatically activated from the VM and the location filter should be set to inactive or the corresponding region where the Let’s Encrypt servers are located (could be US) should be released.
Does anyone have a similar problem or a solution even to preserve the security and still get the certificate automatically?
Since you use acme.sh to renew it you have to use a cronjob to execute the script. This will probably be done once or twice a week. I do not think more often is necessary.
There you configure when the renew process will be done like every Friday beginning at 1:05 am at night.
Then you define three rules.
You cannot use the GeoIP Block anymore because it is in front of everything else. As stated in previous posts (I cannot cite it now) GeoIP Block is to reduce Logging. But you can use it to block out certain countries you believe letsencrypt will never have an endpoint server there.
First rule but in Ranking at third position: Block every country except Germany.
Second rule in Ranking at second position: Allow port 80 to the nextcloud server in a timeframe which matches the cronjob setting (like Friday 1:00 am until 1:15 am)
Third rule but in Ranking at first position: Allow every country to the nextcloud server in a timeframe which matches the cronjob setting (like Friday 1:00 am until 1:15 am)
I think basically you updated your letsencrypt certificate doing these steps manually (or disable/go around ipfire)
If you need more hints feel free to ask.
EDIT:
It is best to use Groups when defining Rules. This can be done for GeoIP too.
I am not sure. It seems you will have a problem with the second rule because the packet will not originate from the RED Interface.
I checked with my configuration:
I use only one (not two) rule for this.
I made a Service group which consists of HTTP/HTTPS.
In the Protocol section use this Service Group (HTTP —> Port 80 / HTTPS —> Port 443) so I do not need to worry about these two in this timeframe.
Please test the rule (without Time Constraints) if everything works before relying on it (and then check once in a while too).
I have also just tested the rules once and it works.
Now I just have to set up acme.sh on my Nextcloud server and test it with prior adjustment of the time window, of course.
One last thing you should alter the second rule Destination to Any Network.
With this configuration you only block “GeoIP - unzulässige Regionen” if they are going to Orange.
I would expect that “GeoIP - unzulässige Regionen” should not be allowed to try to connect to GREEN either or BLUE if you have it in your setup.
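The thread's advice comes down to rule ordering: a time-limited allow rule for the HTTP/HTTPS service group ranked above a GeoIP block that covers every destination network, with the block placed before the normal Germany-only HTTPS forward. The following added example (not from the thread or from IPFire) models that first-match evaluation in Python so the ordering can be checked on paper before touching the firewall. The address 192.0.2.10, the rule names, the Friday 01:00-01:15 window and the sample packets are all constructed for the example; only the rule logic follows the thread.

```python
"""First-match model of the ranked rules discussed in the thread.

Constructed example: addresses, rule names and test packets are placeholders,
not an export of any real IPFire configuration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

NEXTCLOUD = "192.0.2.10"             # placeholder address of the Nextcloud VM
HTTP_HTTPS = frozenset({80, 443})    # the "service group" from the thread
ALLOWED_COUNTRIES = frozenset({"DE"})  # GeoIP countries allowed by default
FRIDAY = 4                           # datetime.weekday(): Monday = 0


@dataclass(frozen=True)
class Packet:
    src_country: str    # GeoIP lookup result for the source address
    dst_host: str
    dst_port: int
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                              # "allow" or "block"
    countries: Optional[frozenset] = None    # None = any country
    negate_countries: bool = False           # "every country except ..."
    dst_host: Optional[str] = None           # None = Any Network (see last post)
    ports: Optional[frozenset] = None        # None = any port
    weekday: Optional[int] = None            # None = no time constraint
    start: Optional[time] = None
    end: Optional[time] = None

    def matches(self, p: Packet) -> bool:
        if self.countries is not None:
            in_set = p.src_country in self.countries
            if in_set == self.negate_countries:   # wrong side of the set
                return False
        if self.dst_host is not None and p.dst_host != self.dst_host:
            return False
        if self.ports is not None and p.dst_port not in self.ports:
            return False
        if self.weekday is not None:
            if p.when.weekday() != self.weekday:
                return False
            if not (self.start <= p.when.time() < self.end):
                return False
        return True


# Ranking as recommended in the thread: the time window first, then the GeoIP
# block with destination Any Network, then the everyday forward from Germany.
RULES = [
    Rule("letsencrypt-window", "allow", dst_host=NEXTCLOUD, ports=HTTP_HTTPS,
         weekday=FRIDAY, start=time(1, 0), end=time(1, 15)),
    Rule("geoip-block", "block", countries=ALLOWED_COUNTRIES,
         negate_countries=True),
    Rule("nextcloud-https", "allow", countries=ALLOWED_COUNTRIES,
         dst_host=NEXTCLOUD, ports=frozenset({443})),
]

# The variant the last post warns against: GeoIP block limited to the
# Nextcloud host, so foreign traffic to other networks never hits that rule.
NARROW_RULES = [RULES[0], Rule("geoip-block-orange-only", "block",
                               countries=ALLOWED_COUNTRIES,
                               negate_countries=True, dst_host=NEXTCLOUD),
                RULES[2]]


def evaluate(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default-deny"


if __name__ == "__main__":
    friday = datetime(2024, 3, 1, 1, 5)   # 2024-03-01 is a Friday
    for p in (Packet("US", NEXTCLOUD, 80, friday),
              Packet("US", NEXTCLOUD, 80, datetime(2024, 3, 1, 1, 30)),
              Packet("DE", NEXTCLOUD, 443, datetime(2024, 3, 4, 12, 0))):
        print(p.src_country, p.dst_port, p.when, "->", evaluate(p))
```

The window in the model has to be long enough for the acme.sh cronjob to start and for the HTTP-01 validation request to arrive; a cronjob at 01:05 inside a 01:00-01:15 window leaves that margin. Comparing `RULES` with `NARROW_RULES` shows why the last post asks for destination Any Network: with the narrow block, a foreign packet aimed at a GREEN or BLUE host falls through to the default policy instead of being caught (and logged) by the GeoIP rule.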