I'm trying to make a few web apps available to the public internet while I'm running the server on my computer, but I'm not having any success despite the effort.
I tried to allow forwarding between the wan and lan zones and to add two traffic rules allowing any traffic on ports 80 and 443 from any source on wan to my specific machine on lan, but it didn't work, so I reverted those changes. I have a custom domain pointing to my wan's public address and a TLS certificate issued using acme.sh with the DNS-01 challenge. I thought everything was already working because I can access my web app from any device on the lan using the custom domain and be served correctly, but nothing works when I use another upstream connection. I'm not sure if it's something related to my ISP, and I don't know how to confirm that, so any help is welcome.
Ignoring the security risks of opening those ports, make sure that the WAN device has your public IP and not a different one, as happens when you are behind a CGNAT (192.xxx.xxx.xx range).
If your WAN device does have your public IP address (the one you see on whatsmyip.com), maybe your ISP blocks port 80. Try 8080 or something else and see if you can access your local device from the internet.
You can test it with your phone using mobile data.
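The reply above asks whether the WAN interface really holds your public address. The script below is an added example, not from the thread: it classifies an address against the RFC 1918 private ranges and the RFC 6598 shared space 100.64.0.0/10 that ISPs use for CGNAT, then compares the WAN address with the one the outside world sees. The sample addresses are constructed (203.0.113.0/24 is documentation space).

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the address on the
# router's WAN interface can receive port forwards at all.
# On OpenWrt the WAN address is shown by:  ubus call network.interface.wan status
# and the address the internet sees comes from a site such as whatsmyip.com.
# Ranges are from the RFCs: RFC 1918 private space (10/8, 172.16/12,
# 192.168/16) and RFC 6598 shared space 100.64.0.0/10, used for CGNAT.

# Dotted quad -> 32-bit integer (POSIX sh arithmetic, no external tools).
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> exit 0 if ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# classify_wan_addr ADDR -> prints cgnat | private | public
classify_wan_addr() {
  if in_cidr "$1" 100.64.0.0 10; then
    echo cgnat
  elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
    echo private
  else
    echo public
  fi
}

# forwarding_can_work WAN_ADDR SEEN_ADDR -> exit 0 only when the WAN address is
# public and equals the address seen from outside; otherwise say why not.
forwarding_can_work() {
  kind=$(classify_wan_addr "$1")
  if [ "$kind" != public ]; then
    echo "WAN address $1 is $kind: the ISP, not your router, holds the public address"
    return 1
  elif [ "$1" != "$2" ]; then
    echo "WAN address $1 differs from $2 seen from outside: another NAT is in the path"
    return 1
  fi
  echo "WAN address $1 is public and matches; forwards on 80/443 can reach the router"
}

# Constructed sample values; the first call is expected to fail.
forwarding_can_work 100.70.12.34 203.0.113.7 || true
forwarding_can_work 203.0.113.7 203.0.113.7
```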
Please connect to your OpenWrt device using ssh, copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

```sh
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
```
The two redirect rules need the lan firewall zone as their destination. Just add that and it should work. Don't forget to reboot the router to make sure the edits become active.
Post the updated firewall config if it still isn't working properly.
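The reply above points at redirects with no destination zone. This added script, not from the thread, lints an OpenWrt /etc/config/firewall for `config redirect` sections that lack `option dest`; the sample config inside it is constructed, with one complete forward and one that omits the zone, using the lan host 192.168.1.100 from this thread.

```shell
#!/bin/sh
# Added example (not from the thread): list 'config redirect' sections in an
# OpenWrt /etc/config/firewall that have no 'option dest' line.
# Usage on the router: lint_redirects /etc/config/firewall

# Prints the name of every redirect without 'option dest'; exit 1 if any found.
lint_redirects() {
  awk -v q="'" '
    function flush() {
      if (in_redirect && !has_dest) { print (name == "" ? "(unnamed)" : name); bad++ }
      in_redirect = 0; has_dest = 0; name = ""
    }
    $1 == "config" { flush(); if ($2 == "redirect") in_redirect = 1; next }
    in_redirect && $1 == "option" && $2 == "dest" { has_dest = 1 }
    in_redirect && $1 == "option" && $2 == "name" { name = $3; gsub(q, "", name) }
    END { flush(); exit (bad ? 1 : 0) }
  ' "$1"
}

# Constructed sample config: the first forward is complete, the second omits
# option dest. 192.168.1.100 is the lan host from the thread.
SAMPLE_FW=$(mktemp)
trap 'rm -f "$SAMPLE_FW"' EXIT
cat > "$SAMPLE_FW" <<'EOF'
config redirect
	option name 'https-to-webhost'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.1.100'
	option dest_port '443'
	option target 'DNAT'

config redirect
	option name 'http-to-webhost'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.100'
	option dest_port '80'
	option target 'DNAT'
EOF

lint_redirects "$SAMPLE_FW" || echo "add option dest 'lan' to the redirects listed above"
```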
It doesn't work, but I only deleted the two traffic rules I created today. The rest is all the same. That's what I asked: should I delete all the other traffic rules added by OpenWrt, or all the Xbox Live redirect rules?
If you don't need those rules, then yes, delete them. Otherwise they're probably fine. There is one, though, that seems unnecessary and possibly bad (unrelated to your current issue)... I would delete this one:
Back to your current issue:
How are you testing the port forward?
While connected to your lan, can you open a browser and reach https://192.168.1.100 and http://192.168.1.100?
I don't. If I can reach my web app, I believe it's working.
My web browser renders an HTTP 503 error, as nginx is configured to do for the default server, and a certificate error when accessing over https.
```nginx
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # No default certificate found, so reject SSL handshake;
    ssl_reject_handshake on;
    location ^~ / {
        return 503;
    }
}
upstream myapp.example.com {
    # Container: myapp
    #     networks:
    #         dev (reachable)
    #     IPv4 address: 172.18.0.8
    #     IPv6 address: (none usable)
    #     exposed ports (first ten): 5173/tcp 8000/tcp
    #     default port: 80
    #     using port: 8000
    server 172.18.0.8:8000;
    keepalive 2;
}
server {
    server_name myapp.example.com;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    listen [::]:80 ;
    # Do not HTTPS redirect Let's Encrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    server_name myapp.example.com;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 443 ssl ;
    listen [::]:443 ssl ;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/myapp.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/myapp.example.com.key;
    ssl_dhparam /etc/nginx/certs/myapp.example.com.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/myapp.example.com.chain.pem;
    set $sts_header "";
    if ($https) {
        set $sts_header "max-age=31536000";
    }
    add_header Strict-Transport-Security $sts_header always;
    location / {
        proxy_pass http://myapp.example.com;
        set $upstream_keepalive true;
    }
}
```
So I have a web app, myapp, running inside a Docker container, and an nginx container listening on ports 80 and 443 on my machine (192.168.1.100), proxying all the traffic to the correct server (web apps). When I access myapp.example.com on my computer or phone everything works, but when I change my phone's connection, I can't access myapp.example.com anymore. So I think it's something to do with my router configuration, or even my ISP blocking those ports. They could do this, couldn't they?
Since you're now dealing with more complex situations than just serving a basic website, I'd recommend that you go back to the simple case...
Set up a web server on a computer on your lan (a Pi or similar would be perfect). Verify that it works when connecting locally, and then point the port-forward to that host. Test to see if you can reach the server from outside your network. This simple case will be easier to test/debug than your web app proxy thing.
Ok. I stopped all Docker containers and started a Caddy container with port 80 published, so when I access 127.0.0.1 or localhost, the browser serves its default welcome page:
If I try to access it using the public address given by my ISP, it should serve me the same page, but I get no response. If I run the same test on a cloud server like Oracle or AWS, it works as expected. So it means the problem is my ISP or router configuration. I tried port 8080 too, with no response either.