URL to local IP

moserwi · August 14, 2021, 7:13am

I am fooling around for month's with rewrite, reverse proxy etc. but I still do not have a solution for this Problem:

I have a platform of Servers in 10.0.100.x
Access ist from a public IP to local net via 10.0.0.254 and apache proxy 10.0.0.250
(ispconfig) the customers network.

The platform is accessed via router 10.0.0.251 / 10.0.100.254 who redirects to nginx proxy 10.0.100.250

I am able to access all servers via http but NOT https as the SSL-Certificate shall be hosted at 10.0.100.250 as "director" for the backend servers.

So, a true passthrough at apache proxy 10.0.0.250 for http and https is required OR
the simple method would be an URL to IP pass like:

at router 10.0.0.254
http://mydomain.com/seafile 10.0.0.251
https://mydomain.com/seafile 10.0.0.251

at router 10.0.100.254 (SSL-Certificate Server)
http://mydomain.com/seafile 10.0.100.23
https://mydomain.com/seafile 10.0.100.23

Thank you all for ideas. I am sure mod_rewrite and its parameter passthrough
will not work.

And I am in darely hope for an OpenWrt module that solves it.

braian87b · August 14, 2021, 4:17pm

You need to handle both ports redirect 80 and 443 in order to work.
80 is http, 443 is https.

moserwi · August 14, 2021, 4:52pm

Yes but unfortunately it is not that easy. I managed it today by
ordering 2 letsencrypt certificates for the same domain.

One at proxy .0.250 and one at roxy .100.250 but for me this is a really stupid workaround.

A lean solution ought to be:

at router 10.0.0.254
http://mydomain.com/seafile 10.0.0.251
https://mydomain.com/seafile 10.0.0.251

at router 10.0.100.254 (SSL-Certificate Server)
http://mydomain.com/seafile 10.0.100.23
https://mydomain.com/seafile 10.0.100.23

braian87b · August 15, 2021, 3:04pm

Sorry unfortunately I misinterpret your question since it was somewhat unclear, so your problem is actually not related to OpenWrt, it is related to ssl-certificate.
You may need to find a solution to sync certificate, you should get only one per domain, and Eg. on cloud environments people usually push the cert to an s3 and later get them from other hosts, using a cronjob task or something, you may use rsync or scp for that, private key will remain the same so you can copy it once. since it is a small file you can even put it on your openwrt box, but having other hosts will be better to use push/pull from/to the main one (the one with the letsencrypt auto renewal script)

mk24 · August 15, 2021, 4:21pm

The whole point of this setup is that the certificate server is not directly reachable from the Internet so that it is harder to hack.

You can copy certificates around your LAN. The private key for the site should be online only on one machine, the certificate server.

moserwi · August 15, 2021, 4:22pm

Hmm yes it is soo easy to deny a feature request.
BUT! Think it over.

This really would be a cool feature.

The router catches the URL Request and opens the connection to the
local Server without any other features(that causes configuring to death)
Maybe as an addon to an SSO Server with maybe flask, nginx and acme

moserwi · August 15, 2021, 4:27pm

Yes , as I said I managed to use 2x certbot on both proxies to "create" or better download the certificate from letsencrypt. I will check if the auto-renewal will be on both servers.

But, as I said the other solution would be a really cool feature as the proxy configurations on nginx and apache2 are ... well only one possible word: horrible and bloody useless when the router enables trespassing with one single line of configuration.