I'm wanting to use nginx on the device as a reverse proxy, so that the device points to the internal LAN resource based on the URL/URI.
I've got Luci w/ nginx installed. Ideally, I'd like it to serve port 80/443 on br-lan and have the reverse proxy on the wan interface to act as the forwarding agent from outside->in.
Where does it go wrong? I'm going to give a couple of shots in the dark here in case it helps.
1- Is the issue that you can't listen on 80/443 as the ports are taken by luci? If so, make sure you only bind to the interface/IP address that you want to serve content on. So Luci would listen on your lan IP and nginx on your wan IP.
2- Is the issue with your nginx config? If so, are you able to serve the default nginx page to the outside world? Once you have that you can change your server{} section to do a location redirect to your internal luci (using the IP address it's now bound to from the change in 1 above).
3- If you can serve a simple page from nginx but that's only accessible locally, check your firewall settings.
I'm running the stock nginx configuration that loads default with the luci package.
config main global
	option uci_enable 'true'

# LuCI on 443, for LAN clients only (restrict_locally)
config server '_lan'
	list listen '443 ssl default_server'
	list listen '[::]:443 ssl default_server'
	option server_name '_lan'
	list include 'restrict_locally'
	list include 'conf.d/*.locations'
	option uci_manage_ssl 'self-signed'
	option ssl_certificate '/etc/nginx/conf.d/_lan.crt'
	option ssl_certificate_key '/etc/nginx/conf.d/_lan.key'
	option ssl_session_cache 'shared:SSL:32k'
	option ssl_session_timeout '64m'
	option access_log 'off; # logd openwrt'

# Plain HTTP on 80 just redirects to HTTPS
config server '_redirect2ssl'
	list listen '80'
	list listen '[::]:80'
	option server_name '_redirect2ssl'
	option return '302 https://$host$request_uri'
The issue is that I simply don't know nginx.
I've looked up documentation and they reference front-end and back-end sections, which don't seem to fit in this format? or am I just being especially dense with it?
I see, I haven't used nginx on openwrt yet so wasn't aware that the luci-nginx package does the heavy lifting that I mentioned in my first post. (I've now read the nginx section here)
Sorry, I still don't really understand what you are missing or what is failing for you...
If you want a specific domain to also work and point to your luci, you can add a server section in UCI or a new .conf file in /etc/nginx/conf.d (see here).
You can think of an nginx "server" as a section that handles a specific subset of the whole picture (e.g. the _redirect2ssl server listens on port 80 and sends a 302 to redirect all traffic to https - the next client request will hit the _lan server on 443 and serve whatever is configured there - currently luci).
The idea with backend / frontend is that you typically run the web services locally on ports that are not accessible from the outside world (e.g. 4000 in your stackoverflow post), these are called backend. And then you use a "server" in nginx to listen on a publicly accessible port (e.g. 443), these are called frontend. So in your setup, luci is the "backend" and the two servers in your nginx are the "frontend".
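As an added example that is not part of the thread (and not the UCI defaults posted above, nor OpenWrt's or Bitwarden's own configuration), this is what the layout described in the two replies above looks like as a conf.d file: LuCI stays the "backend" on the LAN side, and a new "frontend" server bound to the WAN address only proxies a public name to a LAN host. All addresses, the backend port and the certificate paths are assumptions: 203.0.113.10 is the router's WAN IP, 192.168.1.1 its LAN IP, 192.168.1.50:8080 the Bitwarden host, and the certificate files are ones you would have to provide for the public name.

```nginx
# /etc/nginx/conf.d/bitwarden.conf  (added example, not from the original thread)
# Assumed addresses:
#   203.0.113.10  router WAN IP  - the nginx "frontend" binds here
#   192.168.1.1   router LAN IP  - LuCI keeps being served by the UCI _lan server
#   192.168.1.50  Bitwarden host on the LAN - the "backend", plain HTTP on :8080
# conf.d/*.conf is included from inside http{}, so only server{} blocks go here.

# Catch-all for the WAN address: any name we do not serve gets the
# connection closed (444) instead of falling through to LuCI.
server {
    listen 203.0.113.10:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/conf.d/_lan.crt;   # reuse the self-signed pair from UCI
    ssl_certificate_key /etc/nginx/conf.d/_lan.key;
    return 444;
}

# Frontend: the public name, on the WAN address only. Binding to an
# explicit IP:port means this server is matched for 203.0.113.10:443 and the
# wildcard "443" _lan server is not even considered for WAN clients.
server {
    listen 203.0.113.10:443 ssl;
    server_name bitwarden.example.cc;

    # Certificate for the public name, terminated here on the router
    # (assumed paths; you have to obtain these yourself).
    ssl_certificate     /etc/nginx/conf.d/bitwarden.example.cc.crt;
    ssl_certificate_key /etc/nginx/conf.d/bitwarden.example.cc.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Backend on a LAN-only port; never reachable from the WAN directly.
        proxy_pass http://192.168.1.50:8080;

        # Tell the backend who really connected. $remote_addr is the
        # client's address as nginx saw it on the WAN side; $host is the
        # name from the request.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Bitwarden's web vault uses a WebSocket for notifications;
        # allow the Upgrade handshake through.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Plain HTTP on the WAN address: same 302 as the UCI _redirect2ssl server,
# but scoped to this address and name.
server {
    listen 203.0.113.10:80;
    server_name bitwarden.example.cc;
    return 302 https://$host$request_uri;
}
```

Two things to check alongside this file. First, the OpenWrt firewall drops unsolicited input on the wan zone by default, so TCP 80 and 443 to the router itself must be allowed with a traffic rule before anything on the WAN address can be reached (point 3 in the first reply). Second, binding to the WAN IP only works while that address is static; if the ISP hands out a changing address, do it the other way round as point 1 suggests: change the UCI _lan server to `list listen '192.168.1.1:443 ssl default_server'` and let the public frontend keep a plain `listen 443 ssl` with its server_name doing the selection.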
Now, will the device's DNS prefer the internal connected IP for bitwarden.example.com even though the Public DNS sent it to the WAN port in the first place? or will it just loop?
I can't test this myself because until I get this working, I can't uncouple my public DNS from the hosting provider to move it local. I'd rather have it working before killing it
I'm currently using "bitwarden.example.com" on the LAN side, but "bitwarden.example.cc" on the public side, so I need to know how the router will handle a request coming in for bitwarden.example.com where that URL has both a public and a private (on device) DNS entry.
Edit: Also, is there a $remote_addr type thing I can put in there for the WAN IP?
I've got a new issue you might be willing to help me with
BitWarden generates its own TLS certs via Acme through LE. If I Port Forward (80/443) via the Firewall to the machine, there are no issues. If I use nginx to reverse-proxy, it breaks the certs. I'm assuming the Openwrt device is playing MITM and causing issues.
I expect you're going to have to bring the certificate to your nginx as well and/or possibly manage to tell the connection where to get it from the host that has it.
well, we've reached the limits of how much I can think of without doing a similar setup. I'd track the requests browser and server side to see where things are going, but I'm out of ideas. Good luck!
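The reply above is right that an HTTP reverse proxy terminates TLS on the router, so the browser sees the router's certificate, not the one Bitwarden obtained from Let's Encrypt. The alternative it hints at, letting the connection reach the host that holds the certificate, is a TLS passthrough: nginx's stream module reads only the SNI name from the ClientHello and forwards the encrypted bytes unchanged, so Bitwarden keeps terminating TLS with its own ACME certificate and the router never acts as a man in the middle. The block below is an added example, not from the thread and not Bitwarden's or OpenWrt's own configuration. Assumptions: the same addresses as before (WAN 203.0.113.10, Bitwarden at 192.168.1.50, which must answer on 443 and on 80 for HTTP-01 challenges), an nginx build that includes the stream and stream_ssl_preread modules (check `nginx -V`), and that the UCI _lan server has been changed to bind to the LAN IP, since a wildcard `listen 443` in http{} and a `listen 203.0.113.10:443` in stream{} cannot both be bound on the same port.

```nginx
# TLS passthrough for bitwarden.example.cc  (added example, not from the original thread)
# Assumed: router WAN IP 203.0.113.10, Bitwarden host 192.168.1.50 serving
# its own Let's Encrypt certificate on :443 and its HTTP-01 challenges on :80.
# Prerequisite in UCI: the _lan server must listen on the LAN IP only, e.g.
#   list listen '192.168.1.1:443 ssl default_server'
# so that port 443 on the WAN address is free for the stream{} server below.

# --- Part 1: goes in the main nginx.conf at top level, next to http{} ---
# (stream{} is a top-level context; conf.d/*.conf is included inside http{}.)
stream {
    # Route on the SNI name from the ClientHello. Nothing is decrypted here;
    # the router only sees the server name and forwards the TLS session as-is.
    map $ssl_preread_server_name $tls_upstream {
        bitwarden.example.cc 192.168.1.50:443;
        default              "";   # empty upstream: proxy fails, connection is closed
    }

    server {
        listen 203.0.113.10:443;
        ssl_preread on;                 # read SNI, do not terminate TLS
        proxy_pass $tls_upstream;
        proxy_connect_timeout 5s;
    }
}

# --- Part 2: goes in /etc/nginx/conf.d/bitwarden-acme.conf (inside http{}) ---
# Port 80 on the WAN address: hand the ACME HTTP-01 challenge path to the
# Bitwarden host so its own renewals keep working, redirect everything else.
# This specific-address server takes precedence over the wildcard
# _redirect2ssl server for requests arriving on 203.0.113.10:80.
server {
    listen 203.0.113.10:80;
    server_name bitwarden.example.cc;

    location /.well-known/acme-challenge/ {
        proxy_pass http://192.168.1.50;
        proxy_set_header Host $host;
    }

    location / {
        return 302 https://$host$request_uri;
    }
}
```

The trade-off of passthrough is that nginx no longer sees HTTP, so it cannot add X-Forwarded-For or X-Real-IP: Bitwarden's own web server will log the router's LAN address as the client unless you enable `proxy_protocol on;` in the stream server and configure the backend to accept the PROXY protocol. Conversely, this is exactly why the certificate problem disappears: the only certificate in the path is the one the backend already has.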
In my opinion, running Nginx on openWRT depends on the configuration...
I use an openvpn client on the openwrt (to a commercial VPN provider), and I am not sure exposing my router is a good idea or whether it implies a difficult configuration.
HOWEVER, I do use NGINX on my network to serve several services that I want to expose in a better secure way,....
What I did is to use a raspberry pi and configured docker and docker-compose. Installed Portainer and installed Nginx on it.
I therefore exposed ONLY one raspberry pi to the wild!
I think it is a bit more secure and it is effective.
Nginx run really well on a raspberry pi.
I must admit I did not explore the openwrt version of Nginx. I got confused by the many Nginx version there.
And again, I would have to run Nginx on WAN.. but since I have the VPN always on, I am not sure I can use Policy-Based Routing rules on software installed in openwrt..
I hope that can help you with an alternative suggestion. (It's easy to deploy even if it sounds complex.)