How to access my personal web server

Hello,

I'm a little bit lost about which options I should enable in OpenWrt: firewall rules? Nginx settings?

My issue:
From the WAN side, I wish to access several web servers (subdomain1.myname.com, subdomain2.myname.com, ...) that are hosted on different PCs behind the OpenWrt device. Those PCs are on the LAN side. In order to do that, I installed a reverse proxy (Nginx). Even with one subdomain only, it doesn't work :frowning:

I followed a few topics:

I don't wish to use PAT as proposed in Using domain name instead of ip:port.

My setup is:

  • I have a fixed IPv6 address (with CGNAT for IPv4, as I understand it).
  • A ping (from the WAN side) of any subdomainX.myname.com returns the public IPv6 address of my router (OpenWrt 22.03.5).
  • Ports 80 and 443 (towards my router) are open on my ADSL box.
  • No SSL certificate.
  • The LuCI interface is reachable on 8080, even from the WAN side.
  • On the LAN side, the local server is reachable both by the name "subdomain1.myname.com" and by its local IP address.

My "/etc/nginx/conf.d/subdomain1.myname.com.conf" is:

server {
        listen 80;
        listen [::]:80;
        server_name subdomain1.myname.com;
        include 'conf.d/subdomain1.myname.com.locations';

        access_log      /var/log/nginx/subdomain1.myname.com_access.log;
        error_log       /var/log/nginx/subdomain1.myname.com_error.log;
}

And my "subdomain1.myname.com.locations" is:

location subdomain1.myname.com {
        proxy_pass http://10.255.255.123/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

What kind of rule should I add to the firewall? Is this rule OK?


Or should I point to "device" instead of "lan"? In that case, it is the job of the router to redirect the request to the local physical PC in the LAN.

Any help is greatly appreciated :slight_smile:
Thanks in advance, BR.

If you have IPv6 working in your LAN then you can access your servers directly without using proxy.
When your router is not reachable over IPv4 (please confirm) there is no point in configuring IPv4 rules.
If you're lucky enough to have a public IPv4 address on your ADSL box, check if you can reconfigure it into bridge mode. In either case you will need an Accept Input rule for the TCP ports used (assuming you're running the proxy on the router).

Your location block is not doing what you think.

replace

location subdomain1.myname.com {

with

location / {

nginx does SNI just fine when you put this line in the config. Each site gets its own server block.

@AvverbioPronome , my new .conf file is the following. I also deleted the .locations file. Unfortunately, it doesn't work.

server {
        listen 80;
        listen [::]:80;
        server_name subdomain1.myname.com;

        access_log      /var/log/nginx/subdomain1.myname.com_access.log;
        error_log       /var/log/nginx/subdomain1.myname.com_error.log;

        location / {
                proxy_pass http://10.255.255.123:80;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

The nginx process running on your router receives all web requests, then forwards them by opening a userspace connection to one of the servers on the LAN. So the firewall rule needs to be an input-from-wan rule, not a forward.

Testing must be done from a separate Internet connection. Reaching your own public IP from inside the LAN is not the same.

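The rule mk24 describes, written out as an added example of an /etc/config/firewall fragment for OpenWrt 22.03 (this is not from the thread; the rule name is mine). It accepts TCP 80 and 443 on the router itself from the wan zone. It is deliberately an input rule: there is no port forward (redirect) and no wan-to-lan forward rule, because nginx terminates the client connection on the router and then opens its own connection to the LAN server.

```uci
# /etc/config/firewall -- added fragment (example, not the thread's own config).
# Accept new TCP connections from the wan zone to the router's own ports 80 and 443,
# where nginx listens. 'family any' covers both IPv4 and IPv6; with CGNAT only the
# IPv6 path will actually be reachable from the Internet.
config rule
	option name 'Allow-nginx-from-wan'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'
	option family 'any'
```

Apply it with `/etc/init.d/firewall restart`, confirm nginx is bound to the v6 socket on the router with `netstat -tlnp | grep nginx` (expect `:::80`), then test from a host outside the LAN, e.g. `curl -6 -v http://subdomain1.myname.com/`. Keep the port list to exactly what nginx serves: the post above mentions LuCI on 8080 being reachable from the WAN, and that is worth closing with a separate rule (or by not having a rule for it at all) rather than leaving the management interface exposed alongside the web sites.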

This config looks fine. You need to check if you can reach that port 80, though.

@AndrewZ Yes, I have IPv6 in my LAN, and yes, it should be reachable in theory (if the configuration of my OpenWrt is OK :))
My router isn't reachable over IPv4, just CGNAT (with a few ports open, whose range I don't know); maybe it is to be compliant with IPv4 flows? The ADSL box can't be used as a bridge. It is a proprietary box with minimal features; one useful feature is that I can place my router in a DMZ.

I will try to test access to my personal web server with the IPv6 protocol only. That wasn't my plan, because every time I change my provider I would have to reconfigure my local network :frowning:

I have a question about the firewall rules. How do I configure them in order to have access to the local server? Is it with the configuration "rule.png" or "rule1.png" in this first screenshot
(Sorry, I can send only one picture):

In the first case, the flow goes from "wan" towards "lan". In the second case, the flow goes from "wan" towards "device". Note that the firewall is configured with the default settings (default.png.png)

What do you mean? At the moment, I just type subdomain1.myname.com in Firefox without success. Nevertheless, as explained, I can reach my router on port 8080.

And to answer @mk24 , I tested the connection with my laptop (inside my LAN) and with my mobile too (outside my network).

Correct your rule1 - remove IPv6 and don't specify the port in From. Assuming .123 is your WAN IP.

I am not sure I understand! I can't remove IPv6 because my router is reachable through IPv6.
".123" isn't my WAN IP, it is the LAN IP of my server.
I just understood that I should remove the port in "From".

I now have a configuration that seems to work thanks to all your exchanges. Nevertheless, I don't know if it is through the Nginx engine or thanks to the IPv6 route.
I will check more deeply and give you my feedback before closing the topic.
Thank you all

I mean, before fighting nginx to make sure SNI works (and it does, it's nearly impossible to break), make sure you can actually reach that port (from outside), follow @mk24's instructions.

This may be way off-base, but when you're accessing it from the WAN side, what DNS server is providing the ip address pointing at your home network? Or have you hard-coded the IP in the hosts file on your PC?


@AvverbioPronome , yes, and mainly it is thanks to the instructions provided by @mk24 that I can now reach my web server. I will test a few changes, with a reboot of both the box and the router, and I will provide you with what I think is a "solution". Maybe not the best, but something that works at least :wink:
But because I made a few changes in the firewall's settings, I would appreciate feedback from experts because we are talking about security :slight_smile: . If I open everything, that makes no sense! :smiley:

@martindholmes This is a great detail I forgot to mention :smiley:

I bought my FQDN (myname.com in my example) and set the server's address in the interface they provide. The full name of my server (subdomain1.myname.com) is written in the "/etc/hosts" file of my Linux laptop.

That doesn't sound safe. The IP is still exposed to the internet, a missing DNS record isn't going to protect your website.

If you want to be the only one who can access, use wireguard/tinc or another VPN.

That is the cost of having access to my website, which is in fact a website that hosts my personal notes. For the other web servers, maybe I will set up a VPN if I am on the WAN side.

No, no. You can make it properly. With TLS and proper hardening. Even fail2ban if you so desire.

Hiding the IP address and hoping isn't a form of security. It doesn't take that long to portscan the entire IPv4 space (think hours/days).

After a few tests, including the actions below:

  • both box and router rebooted
  • access both from the LAN (laptop) and from the WAN (mobile phone outside the network)

I conclude that a full configuration to access my personal web server using Nginx is:

  • A proper .conf file as per @AvverbioPronome 's recommendations (thank you!): location / { ... }. That implies this block is set in the .conf file, otherwise Nginx detects a conflict:
server {
        listen 80;
        listen [::]:80;
        server_name subdomain1.myname.com;

        access_log      /var/log/nginx/subdomain1.myname.com_access.log;
        error_log       /var/log/nginx/subdomain1.myname.com_error.log;

        location / {
                proxy_pass http://10.255.255.123:80;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

When I check the Nginx access log, I can see an access to my web server.

And that's all!

I will learn about TLS and proper hardening later :slight_smile: I will finish an installation that allows access to my personal web server. I will also install fail2ban on my router, but not now, because I am afraid of banning myself :smiley:
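The two points left open in the thread, "each site gets its own server block" (the SNI remark) and "with TLS and proper hardening", combined into one /etc/nginx/conf.d file. This is an added example, not the thread's own config or anything from the OpenWrt nginx package. Everything beyond the names already in the thread is an assumption: nginx on the router is built with the ssl module (OpenWrt package nginx-ssl), certificates for each name already exist under /etc/nginx/certs/ (the original post has none; they would be obtained out of band, e.g. with an ACME client), and the second backend 10.255.255.124 is hypothetical.

```nginx
# /etc/nginx/conf.d/myname.com.conf -- added example (not the thread's config).
# Assumptions (hypothetical): nginx-ssl build; certs in /etc/nginx/certs/;
# backends 10.255.255.123 (subdomain1) and 10.255.255.124 (subdomain2).

# TLS settings shared by every server block below (this file is included
# inside the http context, so these apply to all servers in it).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;

# 1. Catch-all. A request whose Host header (port 80) or SNI name (port 443)
#    matches no server_name is closed with 444 instead of silently being
#    served by whichever site block nginx loaded first.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    # A cert is required to complete the handshake before closing.
    ssl_certificate     /etc/nginx/certs/subdomain1.myname.com.crt;
    ssl_certificate_key /etc/nginx/certs/subdomain1.myname.com.key;
    return 444;
}

# 2. Plain HTTP for the real names only redirects; nothing is proxied in clear.
server {
    listen 80;
    listen [::]:80;
    server_name subdomain1.myname.com subdomain2.myname.com;
    return 301 https://$host$request_uri;
}

# 3. One HTTPS server block per site; the client's SNI selects the block
#    and therefore the certificate and the backend.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name subdomain1.myname.com;
    ssl_certificate     /etc/nginx/certs/subdomain1.myname.com.crt;
    ssl_certificate_key /etc/nginx/certs/subdomain1.myname.com.key;
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/subdomain1.myname.com_access.log;
    error_log  /var/log/nginx/subdomain1.myname.com_error.log;

    location / {
        proxy_pass http://10.255.255.123:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # lets the backend know it was HTTPS
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name subdomain2.myname.com;
    ssl_certificate     /etc/nginx/certs/subdomain2.myname.com.crt;
    ssl_certificate_key /etc/nginx/certs/subdomain2.myname.com.key;
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/subdomain2.myname.com_access.log;
    error_log  /var/log/nginx/subdomain2.myname.com_error.log;

    location / {
        proxy_pass http://10.255.255.124:80;  # hypothetical second backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

This file replaces the per-site subdomain1.myname.com.conf from the thread rather than sitting next to it, otherwise nginx reports a conflicting server_name on port 80. Check it with `nginx -t` before `/etc/init.d/nginx reload`, and verify the catch-all from outside the LAN: `curl -6 -sv -H 'Host: nonexistent.example' http://subdomain1.myname.com/` should get the connection dropped with no HTTP response, while `curl -6 -sv https://subdomain1.myname.com/ -o /dev/null` should show the TLS handshake, the HSTS header and the proxied page.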