Nginx reverse proxy works only outside lan - nginx-reverse-proxy

I have a server which has multiple "app pages" running on it. (for example: Home Assitant, Cockpit etc.).
On the local network I can access them using like http://192.168.1.200:8123.
I used to use port forwarding but I didn't wanted to remember ports so I'm using Nginx Proxy Manager and a DuckDNS domain.
So now outside of the local network I can type https://ha.mydomain.duckdns.org, which works fine, but if I'm connected to the local network my browser throw a PR_END_OF_FILE_ERROR message.
I tried it with multiple devices, different applications, even on the home assistant app, and got the same result.
I'm using SSL certificates created in Nginx Proxy Manager, but when using http I get an 404 error.
After long searches I found that I probably need a custom local DNS (like pihole) running, and my router DNS has to point to it. I'm not sure if this would even solve my problem, but I would like to avoid this method, cause if my server shuts down or has any problem, it would cause problem on all the devices in my network.

Related

How to make browsers trust a local network wss:// connection?

I'm trying to upgrade a websocket connection ws:// to wss:// using a nginx reverse proxy https://github.com/nicokaiser/nginx-websocket-proxy/blob/master/simple-wss.conf
but I seem to be having trouble with the certificate part. My server is located on the same network as the client. So Ideally I would want my users to log in to "https://example.com" and then the client makes a connection to "wss://192.168.1.xxx:xxxx".
As of now the browsers are blocking it because of NET::ERR_CERT_COMMON_NAME_INVALID. I don't really know to produce a self signed certificate that the browsers will trust on the local network. Googling only gives me answers on how to do it if my server would be accessed using a domain name but I will always connect to a local network IP. Help is appreciated!
To anyone coming across this I managed to solve it using this post outlining the architecture https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
What ended up happening was that we set up a url pointing to a server running nginx which parsed the subdomain and redirected the connection to that url. For example: wss://192-168-1-142.mydomain.com redirects to ws://192.168.1.142 which makes the browser trust the connection
Does this work?
Your post is a year old now and browsers have become stricter since then. Usually, a browser will produce 'mixed content' errors if you access HTTP content from a HTTPS page, and the only way to get round this is to change the site settings to allow insecure content, which is scary for users in the face of a big warning message.
If accessing an HTTPS web address redirects to an HTTP local IP address, won't the browser still complain about mixed content?
I have a similar situation to you. I am writing a Progressive Web Application (PWA) to control network music players on a home network. The players only support HTTP but a PWA requires HTTPS for services workers to work and to allow the app to be 'installed'.
My solution is to run a local server on the home network which can talk to the players over HTTP. Then I can access this server over HTTPS from my browser so that the browser itself is not making any HTTP calls.
This works fine if the server is on localhost because localhost is a special case where security rules are relaxed. But if the server is on another machine, how can I create an SSL certificate since (1) it seems that local IP addresses are not allowed in the Subject Alternative Name (SAN) section of the certificate, and (2) I won't know in advance what the IP address of the server will be.
If your workaround works, then the local server can use HTTP instead so I won't need a certificate. The local server can register itself with a web server, and then the browser can connect over HTTPS to the web server, which would redirect to the IP address of the local server over HTTP.
But does this trick work?

cannot access website from within my network

A website prodecotech.com is hosted by Bluehost
Out of the blue last week my entire office could not access prodecotech.com the connection would time out.
However this is only the situation from one of our internet connections. If I switch over to a guest connection, or use a mobile connection, the website loads fine. The website also loads perfectly fine for ATT and BlueHost tech support.
Our network is configured as follows.
We have a 50MB Dedicated Fiber Connection from an ATT Managed Router. The managed router has 2 ports in use. 1 Port going to OUR router for Data traffic and 1 Port going to OUR switch for VOIP Traffic.
If I connect a laptop to OUR router managing data traffic and try to access prodecotech.com, I get the same results, the connection times out.
If I connect a laptop to the switch managing VOIP traffic, prodecotech.com loads fine.
If I use our guest wifi which is through Comcast, the website loads fine as well.
So the problem is isolated to the Data Portion of my network.
There has been no configuration changes on our router or the managed ATT router.
I thought perhaps somehow our IP got blacklisted by BlueHost, but BlueHost says this is not the case.
ATT support is able to reach the website through their managed router.
I'm utterly stumped.
Additionally, I also cannot access the FTP or CPANEL Server Status for this hosting, both time out as well.
TRACERT has been giving me the following results consistently:
Any Ideas?
In my case, it was due to the wrong MTU(maximum transmission unit) in the router's network configuration. When I changed MTU to 1452 it started working fine.
You should contact your service provider and ask for appropriate configuration settings.

Subversion repository access from another computer

I have set up Subversion on my system. Without any changes its working fine on localhost. Now I want to access it from another network e.g outside my home network.
I tried to access it from global ip 116.128.**.**:3343/csvn/repository but nothing happens. And when I try to checkout in Eclipse it shows an error:
Target machine actively refused the connection.
I have also added the port no. in router.
As far as I see, the URL you've specified goes to your Subversion server's control panel, not repositories. I've found this:
By default, the Subversion Edge admin console listens for requests on
two ports:
3343 - This is the plain HTTP port
4434 - This is the SSL HTTPS port
To solve the issue you have to
Go to the Control Panel with your web browser and check what port your Subversion server listens to, e.g. 443/8443 for HTTPS and 80/8080 for plain HTTP.
Make sure that the port is properly forwarded on your router to the machine where the SVN server is installed.
Make sure that local firewall allows inbound connections to your Subversion server on the selected port.
It can be caused by a lot of different problems. One of the most common problems is, the server is having a firewall (or behind a firewall) which blocks incoming connection of unallowed port.

getting router confuguration page instead of my web home page of my website

I am trying to host a website from my local pc. For that i have installed apache server, registered a domain name and done the necessary settings.The problem is that when I am trying to access my homepage I am getting the router configuration page, same is happening when I am trying to access the website from other computer.Please help.
When hosting a website from a local PC behind a router you need to be careful to use the public IP that your service provider has given you. Beware this is often not a static address and may change frequently. To address this you can use some type of DynDNS service if your router supports it.
Second, you will need to add a rule in your router's firewall to allow the traffic from the public internet to reach the computer behind the router. This can be done either with a DMZ (less secure) or a port forwarding.
When you are trying to access the web page, type in the local ip of the computer you have setup the server on. This should take you to the apache server. You are likely just typing in the wrong IP. Try something like http://127.0.0.1/ (127.0.0.1 is the same as localhost) to make sure you get the apache server from the computer that is running the server.

apache on windows network - can't connect to external ip from in network

I created an AMP web application that was originally going to be served from a traditional 3rd party host.
As we finished up, the client decided to host it internally, on a server in their office network. The application is only meant to be available to staff members, but those staff members will often be off-site. I had no involvement in setting up their network, which uses at least one server running windows server 2003. The client machines I saw were XP.
I set up Apache, MySQL and PHP on the server 2003 machine, and installed the application. The application is built on the CodeIgniter framework, so I set the base_url to the internal IP (192.168...), and we tested from within the network. Everything worked fine.
Next, we asked their network guy to open port 80 for apache. I set the base_url to the external IP, and tested from my home (using the external IP as the web address), and it works fine.
However, when attempting to access the application using the external IP from within the network, they're unable to connect. I can reset the base_url to the network IP, and they can access it using the network IP, but then it the application fails when connecting externally (since the base_url, used throughout the application, is pointing to the internal IP).
It suppose I could let CodeIgniter determine the base_url (by leaving the variable as an empty string), but would rather figure out why the external IP fails in-network, and try to correct that.
The server we're using is not dedicated to the AMP stack (in fact, it has at least one other application broadcasting to the internet that must have been using IIS, as well as an FTP server used for office scanners), so I suppose there might be some conflicts there.
I know very little about windows networking. A quick search suggested this might be because of NAT, but didn't offer a work-around.
Their network guy has no suggestions, and said that everything should be fine.
Is it possible to have users inside the network access the Apache server using the external IP, and if so, what needs to happen to enable that?
TYIA
Your client's NAT router is configured to forward packets arriving on its external interface for its external IP with port 80 to the internal machine, port 80, after re-writing the source and destination IP addresses in the packets.
From within the network, attempts to connect to the external IP address will be routed to the default route on the machines, the router's internal interface. This interface is not configured to forward packets back into the network.
Configure the application to listen on all IP addresses. Make sure that the server knows that the clients know it under several hostnames -- the internal IP address and the external IP address.
You might be able to re-write the NAT firewall rules on the router to perform the port forwarding for the internal interface as well, but off-the-shell equipment common in homes and small businesses do not make this task easy. More expensive gear (or home-built *BSD/Linux router machines) can do this without much effort, but it would needlessly add traffic to the router.
This isn't Apache related, nor is it CI related. It's often impossible to reach the external IP address from within the network.
Frankly, I don't know exactly why that is. I do know that it's related to how NAT (Network Address Translation) works or at least how it's implemented.
For a detailed overview of why this is, you should ask this question on serverfault. If you're simply a programmer who has to deal with it, accept that NAT usually works only from inside to outside and outside to inside, but not inside to inside.
You already mentioned one of the solutions in your question - don't use base_url. You could also simply run the server on an external IP address (not your company IP, but let's say a datacenter or something).