I have a website (apache2) running on raspberry pi on port 443 (https)
A DDNS domain name is mapped to the IPv6 address of my raspberry pi.
I have another dual-stack cloud VPS with nginx configured to forward requests to above ddns domain name.
I want to restrict incoming calls to the website only via above nginx (the main domain name is pointed to the VPS) and not directly by accessing the ddns domain name mapped to the IPv6 address of raspberry pi.
So I configured openwrt firewall rules as below. Is this the correct way?
config rule
	option name 'rpi-website-443'
	option src 'wan'
	option dest 'lan'
	option dest_port '443'
	option target 'ACCEPT'
	option family 'ipv6'
	# negative prefix length: matches the host part ::6 whatever the delegated /64 prefix is
	list dest_ip '::06/-64'
	list proto 'tcp'
	list src_ip '<IPv6 address of VPS>'
	# family is 'ipv6', so this IPv4 entry can never match; it is harmless but redundant
	list src_ip '<Public IPv4 address of VPS>'
Actually the website is being hosted on my LAN on the raspberry pi.
The VPS is just acting as a reverse proxy as well as an IPv4-to-IPv6 translator (as I only have an IPv6 address which is accessible from the internet; my IPv4 is CGNATed).
Ok. I'm sure you have your reasons for the two domain names, but the most secure method to ensure access to the website only occurs via the VPS is to use a VPN between your network and the VPS.
But yeah, the rule you've put in your first post should work
You are suggesting I establish an always-on VPN between my openwrt router and the VPS with wireguard, and then in the VPS nginx configuration I forward the traffic to the local LAN IP address of the raspberry pi?
By this way, the second domain name is not needed?
If the sole purpose of the second domain name is to keep track of the IP of the Pi (so the website can be accessed) then yes. Why mess around with DDNS when you can just use static internal addresses?
I also have headscale setup, where I can make this VPS part and raspberry pi part of (install tailscale client on it and configure it to connect to my headscale server).
That way, both the nginx VPS and the raspberry pi can talk to each other via a 100.64.XX.XX address.
In that case I can configure the nginx to forward traffic to the 100.64.XX.XX ip of raspberry pi.
This way, I don't need to have a second domain name, firewall rules etc.?
It's still a VPN. The security considerations are up to you, but if you have it set up so the VPN tunnel exits into a 'trusted' openwrt firewall zone (such as lan) then the only firewall between external traffic to the VPS and your internal network will be the VPS firewall.
I think that is to allow everything in iptables? Equal to no firewall?
Then we have Oracle Cloud's security groups, where I have some control on incoming and outgoing traffic to the VPS.
Are you referring to setting up firewall zones/rules at openwrt level?
I have no experience with this so couldn't comment.
Yes. If I were to have a VPN between my internal network and a VPS I would have the VPN interface at my end in its own firewall zone in openwrt and just appropriate rules to allow the necessary traffic into my LAN.
That isn't to say you can't have a suitably secure firewall on the VPS (and when I had a similar setup I did run a firewall on the firewall to block all but http/HTTPS traffic), but as I didn't have complete (or exclusive) control over the VPS I didn't want to rely solely on its firewall.
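As an added illustration of the "own firewall zone" approach described in the last reply (not config posted by anyone in this thread), this /etc/config/firewall fragment puts the WireGuard interface in a dedicated zone and allows only TCP/443 from it to the Pi. It assumes a WireGuard interface already named 'wg0' in /etc/config/network, a placeholder Pi address of 192.168.1.10 in the lan zone, and that the router initiates the tunnel to the VPS (so no wan input rule is needed for the tunnel itself).

```uci
# /etc/config/firewall (fragment) -- added example, assumptions noted above

# Dedicated zone for the VPS tunnel. With input and forward set to REJECT,
# nothing arriving over the tunnel can reach the router itself or be
# forwarded anywhere unless an explicit rule below allows it.
config zone
	option name 'vps'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wg0'

# The entire allow-list: TCP/443 from the tunnel to the Pi's LAN address only.
# Reply packets are handled by connection tracking, so no return rule is needed.
config rule
	option name 'vps-to-rpi-443'
	option src 'vps'
	option dest 'lan'
	option proto 'tcp'
	option family 'ipv4'
	option dest_ip '192.168.1.10'   # placeholder: the Pi's LAN address
	option dest_port '443'
	option target 'ACCEPT'

# Deliberately no 'config forwarding' from 'vps' to 'lan': adding one would
# open the whole LAN to the VPS, which is exactly what the zone is meant to prevent.
# If the VPS initiates the tunnel instead, add an input rule on 'wan' for the
# WireGuard UDP listen port restricted to the VPS's address.
```

With this in place the nginx on the VPS proxies to the Pi's LAN address over the tunnel, and the wan-facing rule for port 443 from the first post is no longer needed.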