I have a gl-inet router on which I have an nginx config to send traffic to Nginx Proxy Manager and DDNS with cloudflare.
I’m trying to get some kind of local dns set up so that if I’m on the local network, traffic stays within the network. The problem that I’m running in to is SSL certificates. NPM (on the server) is handling those and I thought that what I could do is go into the AdGuard Home (on the gl-inet router) config and add a dns rewrite to point to the router and traffic would flow as it normally does.
This DOES work, technically. traceroute shows only one hop for any of my subdomains, ie files.mydomain.com.
But I cannot actually get access in a browser because the ssl certificates are not set up.
It seems like options are: manually copy certificates from the server to the router (not ideal), or don’t do it at all.
I notice that if I go to the service by ip address, it’ll change the address to the domain name. Eg going to 192.168.8.111:30027 -> files.mydomain.com.
This isn’t a HUGE deal, but it’s not preferable. How have you all solved this?
Edit: I solved the issue in probably the most hilarious way. I was trying to get the forwarding and everything set up and then borked my routers firewall so bad I couldn’t get to the outside at all, so I did a hard reset.
I then moved my admin UI ports up by one each (81/444), re-set up Goodcloud, ddns, Wireguard server on the router, then set up port forwarding for 80/443 on the router to 80/443 on the trunas server. I switched NPM to listen on those ports (since I moved the web UI to different ports), then added Adguard Home DNS rewrites. It’s now all working as expected.
Local traffic only has one hop and is accessible without SSL warnings, and same for WAN traffic. Thank you all for the help!
You don’t need 2 reverse proxies as others have said. What I did is just add a DNS rewrite entry in my adguardhome instance to point my domain.tld to the LAN IP of my reverse proxy.
Hmm, i may have to get my admin ui’s off of ports 80/443 and port forward with NPM on those ports instead. The reason I was using nginx on the router was so the server could keep the UI on the normal ports and Nginx elsewhere.
I think then I could remove the router Nginx entries and add the DNS rewrite
Do you actually need to move the admin ui off of port 80/443 if you are just forwarding ports? I don’t think you need to. That said I actually don’t know much about port forwarding since I use Tailscale because of CGNAT.
My understanding of port forwarding is that you are forwarding connections to your WAN IP/port to a LAN IP/port. Since the router admin ui is available only on LAN by default, you don’t need to change it’s port from 80/443.
I think so. One issue i ran in to is that trying to go anywhere would land on the ui page. If I put npm on ports 80/443, then the UI needs to be elsewhere so I can access it. It shouldn’t be too hard, I hope
If you are establishing a TLS connection to a server, the server will need a certificate. It sounds like you’re trying to have two instances of a reverse proxy - one on the server, and one on the router. It may be my ignorance of the particulars, but my immediate thought is that you should select one point in the network to do reverse proxying.
There’s an idea. I may play with it tomorrow.bill be back on the road, so I’m not keen on doing too much when I can’t fix it haha. But right now the router is DNS, so when I did traceroute there was only one stop. But it was the SSL termination that got me. I might be able to download the stream module for Nginx. I think if I wanted to be optimal I may have to totally restructure that part…
Edit: thank you for the feedback, you’ve given me something to think about
Well yes, it is one hop, because you’ve got the router doing TLS termination. Inside your network you point to the server that has the TLS certs. Outside of the network you do port forwarding, or use a tunnel with cloudflare agents.
Why is the router involved at all? It’s all local traffic. The external traffic comes through the cloud flare tunnel, right? Maybe I’m not understanding the architecture you’ve got.
So even if I remove the SSL cert lines from the router Nginx config, it seems to be applying the router’s SSL certificate. I commented out some lines to use a certificate for my root domain, but I’d rather NPM handle that, which doesn’t seem to be happening.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !selfhosted@lemmy.world
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.
Rules:
Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
selfh.st Newsletter and index of selfhosted software and apps
You don’t need 2 reverse proxies as others have said. What I did is just add a DNS rewrite entry in my adguardhome instance to point my domain.tld to the LAN IP of my reverse proxy.
Hmm, i may have to get my admin ui’s off of ports 80/443 and port forward with NPM on those ports instead. The reason I was using nginx on the router was so the server could keep the UI on the normal ports and Nginx elsewhere.
I think then I could remove the router Nginx entries and add the DNS rewrite
Do you actually need to move the admin ui off of port 80/443 if you are just forwarding ports? I don’t think you need to. That said I actually don’t know much about port forwarding since I use Tailscale because of CGNAT.
My understanding of port forwarding is that you are forwarding connections to your WAN IP/port to a LAN IP/port. Since the router admin ui is available only on LAN by default, you don’t need to change it’s port from 80/443.
I posted an edit to the post on how I i solved it. Your feedback was helpful in the solution!
I think so. One issue i ran in to is that trying to go anywhere would land on the ui page. If I put npm on ports 80/443, then the UI needs to be elsewhere so I can access it. It shouldn’t be too hard, I hope
I personally couldn’t even get ssl/tls working with NPM, reverse proxying worked but it really didn’t feel right.
Eventually learned about SWAG and had a much better experience setting it up. Now here I am on Traefik thriving.
If you are establishing a TLS connection to a server, the server will need a certificate. It sounds like you’re trying to have two instances of a reverse proxy - one on the server, and one on the router. It may be my ignorance of the particulars, but my immediate thought is that you should select one point in the network to do reverse proxying.
I think you might be right on that. I was originally not wanting to do any port forwarding on the router, but I may have to
It’s possible but it’s an extra pain in the butt.
Internally, have you tried pointing the DNS directly to the ngnix server, not the router? There’s no reason to have that extra hop (I don’t think).
There’s an idea. I may play with it tomorrow.bill be back on the road, so I’m not keen on doing too much when I can’t fix it haha. But right now the router is DNS, so when I did traceroute there was only one stop. But it was the SSL termination that got me. I might be able to download the stream module for Nginx. I think if I wanted to be optimal I may have to totally restructure that part…
Edit: thank you for the feedback, you’ve given me something to think about
Well yes, it is one hop, because you’ve got the router doing TLS termination. Inside your network you point to the server that has the TLS certs. Outside of the network you do port forwarding, or use a tunnel with cloudflare agents.
Why is the router involved at all? It’s all local traffic. The external traffic comes through the cloud flare tunnel, right? Maybe I’m not understanding the architecture you’ve got.
What exactly is the problem with the certs? It should be trivial to issue them for the correct name and trust them.
So even if I remove the SSL cert lines from the router Nginx config, it seems to be applying the router’s SSL certificate. I commented out some lines to use a certificate for my root domain, but I’d rather NPM handle that, which doesn’t seem to be happening.
Why is your router doing TLS termination? Stop that.
You got me on to something. It looks like Nginx can be configured for tls passthrough https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru