
Joplin Server and HTTPS

Hi All
I've recently set up a Joplin Server on a Linode instance. In order to get it to work I have to put it behind a Linode LB to translate the port request to 22300. This works great, sync time is rapid. This isn't ideal as the LB (node balancer) is $10 per month.

So now I'm looking to secure that, but I'm struggling to understand how to do it. I've read different posts about people using NGINX or Apache, but the whole process seems very messy and long.

I know enough to fumble my way around creating servers and have more of a networking background. Usually my involvement with certificates is adding them to an F5 load balancer but I don't generate them or configure the backend.

Maybe I should stick with OneDrive sync?

You may want to try caddy. It's very simple to set up. I haven't used it with Joplin but I suppose it's not much different.

I'm using Apache and it's quite simple actually. If you use Let's Encrypt certbot tool it does the whole TLS config for you.

But Linode maybe is not the right place to self-host if you need a load balancer just to translate a port. How about installing it on a regular VPS?

I host some services on Linode without a load balancer just fine.

Thanks Laurant.
I think it is running on a VPS. It's an Ubuntu VM where I've installed Docker and created the Docker container. Would Apache need to run natively on the host or within the Docker container? I don't need the LB, all it's doing is translating the ports.

Apache would need to be out of the Docker container. I think it's bundled by default with Ubuntu Server or if not it's very easy to install and configure. You would basically need to add the ProxyPass directives to one of the default configurations, then run Certbot to enable TLS.

I am using NGINX as a front end for all my local web servers including Joplin.
I use certbot for LetsEncrypt SSL certificates and some additional configs to secure the site.

I use allowcountries as an nginx config using geoip to allow local IP addresses and also those in my country only, but only permit this for non-login to prevent admin access other than on my local network.

LetsEncrypt is dead easy with nginx -- install certbot and just enter certbot --nginx - it will then prompt you and add the certificate to the config file (if you use something like below remove the SSL elements as certbot will put that in for you)

server {
    listen 80;
    include /etc/nginx/allowcountries;
    server_name websitename; 

    location / {
        return 301 https://websitename;
    }
}
server {
    listen 443 ssl;
    server_name websitename;

    include /etc/nginx/allowcountries;

    location /login {
        include /etc/nginx/allowlocalonly;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;  # public host name requested, not the client IP
        proxy_pass http://dockeripaddress:22300/login;
    }

    location / {
        client_max_body_size 50M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;  # public host name requested, not the client IP
        proxy_pass http://dockeripaddress:22300$request_uri;
    }    

    include /etc/nginx/proxy_errors;

    ssl_certificate /etc/letsencrypt/live/websitename/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/websitename/privkey.pem; # managed by Certbot
}
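
Added example (not part of any post in this thread): once nginx, Apache or Caddy terminates TLS, the container's port 22300 should no longer be reachable directly, otherwise clients can still reach Joplin Server over plain HTTP and skip the proxy's access rules. This shell check parses `ss -Htln` output and reports any non-loopback listener on that port. It assumes the container port is published on the host; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the Joplin backend port is only reachable via the proxy.
# Input is `ss -Htln` output (iproute2). On a real host run:
#   ss -Htln | exposed_listeners 22300

# Print every non-loopback local address listening on port $1.
# Returns 1 if any was found, 0 if the port is loopback-only or unused.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port follows the last colon
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)              # strip interface suffix (%lo)
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed samples, not captured from a real host.
# Docker "-p 22300:22300" publishes on every interface:
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:22300 0.0.0.0:*
LISTEN 0 4096 [::]:22300 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
# Docker "-p 127.0.0.1:22300:22300" keeps it behind the TLS proxy:
SAMPLE_LOCAL='LISTEN 0 4096 127.0.0.1:22300 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# Hypothetical helper: $1 = label, $2 = ss output to check.
report() {
    if addrs=$(printf '%s\n' "$2" | exposed_listeners 22300); then
        echo "$1: port 22300 is loopback-only"
    else
        echo "$1: port 22300 reachable without TLS on:"
        echo "$addrs"
    fi
}

report "published on all interfaces" "$SAMPLE_EXPOSED"
report "published on loopback only" "$SAMPLE_LOCAL"
```

If the check reports `0.0.0.0` or `[::]`, republish the container port on `127.0.0.1` (or do not publish it and proxy to the container address, as the nginx config above does).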