I have two sites on my router:
- LuCI+uhttpd on 192.168.1.1, available only from the LAN zone. Actually, uhttpd by default listens on 0.0.0.0, but it rejects non-private IPs (an "internal firewall" of sorts).
- Lighttpd with a WebDAV share, available from the internet, i.e. the WAN zone. It uses DDNS, so it has a domain but the IP changes.
They both need port 80.
I can solve this simply by starting two separate webservers on different IPs, e.g. 192.168.1.1 for LuCI and <some ip> for Lighttpd.
But the IP is dynamic, so I need to know it first and only then start Lighttpd. If the internet connection is lost, it won't even be able to start the webserver.
As a solution I can configure Lighttpd to start on 0.0.0.0:8080 and then add a firewall rule to redirect incoming connections from WAN port 80 to this device's port 8080. This solves the issue, and I also get direct access to Lighttpd from the LAN on port 8080 even when no internet is available. But the same port 8080 is then also directly reachable from the internet, i.e. I can open my Lighttpd by these URLs:
It looks like there shouldn't be any issues. But, for example, the same trick won't work for LuCI if I don't wish to expose it to the internet.
Now I'm thinking of going further: we have many IPs on the loopback interface: 127.0.0.1, 127.0.0.2... 127.0.x.x. So what if I start LuCI on 127.0.0.1:80 and Lighttpd on 127.0.1.1:80, and again make forwarding rules like:
- LAN port 80 -> 127.0.0.1:80 for LuCI
- WAN port 80 -> 127.0.1.1:80 for Lighttpd
Then I won't have the additional ports exposed on 0.0.0.0. It would also be easier to change the LAN zone settings, e.g. change the network 192.168.1.1 to 192.168.0.1. This also allows removing the "internal firewall" from uhttpd.
So here are my questions:
- Overall, how do you feel about the idea? Maybe I'm missing something.
- I don't see a pre-configured zone for loopback, or even the lo interface, in the LuCI UI. Is this fine? Can anybody share a firewall rule to redirect from WAN to a lo IP?
I don't want to use a reverse proxy. The main reason is that it is an additional point of failure. I can set up a separate instance of Lighttpd with mod_proxy, but it may break and then I'll lose my LuCI admin panel. Also this has a performance penalty, which may be high when using WebDAV for file backups.
Another task I need to solve is to keep my WebDAV domain working even when there is no internet and DDNS didn't work. In this case I won't be able to resolve and access my example.duckdns.org domain even though it's on my router.
I think it should be possible to configure the dnsmasq DHCP to return the LAN IP address 192.168.1.1 for the external domain example.duckdns.org.
In that case all internal devices will connect by the LAN address, but when I'm traveling I will connect to the external IP.
Here again we need to distinguish when to show LuCI on port 80 or Lighttpd, because now they are both opened from the LAN.
So maybe instead a separate intranet zone like INTRA could be created, with its own network like 10.1.x.x.
Then LuCI can be bound to 10.1.1.1:80 and Lighttpd bound to 10.1.1.2:80.
The dnsmasq DHCP/DNS for the LAN will return this special address when example.duckdns.org is requested.
Is it possible?
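An added example (not from the post, and not OpenWrt's own documentation) of how the loopback redirects and the dnsmasq override could be written in UCI, assuming the stock wan/lan zones with INPUT set to REJECT on wan and the addresses used in the post. The sysctl is the part the plan depends on: without it the kernel discards packets DNATed to 127.0.0.0/8 that arrived on a non-loopback interface, and once it is enabled the loopback range is no longer unreachable by design, so the explicit rule below is what limits what the WAN side can reach.

```uci
# /etc/config/firewall

# WAN port 80 -> Lighttpd bound to 127.0.1.1:80
config redirect
	option name 'wan80-lighttpd'
	option src 'wan'
	option src_dport '80'
	option dest_ip '127.0.1.1'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# LAN port 80 on the router's own address -> LuCI/uhttpd on 127.0.0.1:80.
# src_dip is needed: without it every LAN HTTP connection, including
# to the internet, would be DNATed to the router.
config redirect
	option name 'lan80-luci'
	option src 'lan'
	option src_dip '192.168.1.1'
	option src_dport '80'
	option dest_ip '127.0.0.1'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# A rule without 'dest' applies to the INPUT chain: accept only tcp/80
# to the Lighttpd loopback address from wan. 127.0.0.1 (LuCI) stays
# covered by the wan zone's REJECT policy.
config rule
	option name 'wan-allow-lighttpd'
	option src 'wan'
	option dest_ip '127.0.1.1'
	option dest_port '80'
	option proto 'tcp'
	option target 'ACCEPT'

# /etc/sysctl.d/90-route-localnet.conf (assumed file name)
# Lets DNATed packets reach 127.0.0.0/8 from a non-loopback interface;
# the firewall rules above are the only thing restricting that access.
net.ipv4.conf.all.route_localnet=1

# /etc/config/dhcp: add to the existing 'config dnsmasq' section so LAN
# clients get the LAN address for the DDNS name even when upstream DNS
# and DDNS are unavailable
config dnsmasq
	list address '/example.duckdns.org/192.168.1.1'
```

On the LAN the name then resolves to 192.168.1.1, where port 80 is redirected to LuCI by the second rule, so the choice of which service answers on LAN port 80 remains the open point the post raises.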