I’ve tried everything and searched the web as much as I could, and finally need some help. What I want to do is simple, and I feel I could easily do it with Apache or NGINX, but I have not been successful. I have a localhost address, for example 192.168.1.50. The localhost has multiple web UIs on different ports.
Now I want to allow access to these addresses publicly, and I’m using Cloudflare to forward the domain to my public address. As you all know, DNS is not responsible for redirecting towards a specific port, only a public address such as an A record IPv4 address. I made attempts to do a reverse proxy with NGINX and Apache2, but to no avail.
I’d like to forward these local addresses to a public domain like so in this example:
I’m not entirely sure if this is considered off-topic, but I’m assuming I need to make some sort of modification to my Turris Mox firewall settings. I’ve always port forwarded, which seems like an obvious answer, but that did not work.
NOTE: I attempted to do reverse proxy through my local server and not the router.
```apache
# Opening tag restored; the ServerName/ServerAlias lines that preceded it are not in the post.
<VirtualHost *:80>
#ProxyPass / http://localhost:8080/
<Location />
    ProxyPreserveHost On
    # Inside <Location />, the target URL must end in "/" so that the request
    # path is appended after the slash rather than directly onto ":32400".
    ProxyPass http://192.168.1.50:32400/
    ProxyPassReverse http://192.168.1.50:32400/
</Location>
# Uncomment the line below if your site uses SSL.
# SSLProxyEngine On
</VirtualHost>
```
I attempted this on my local server and not on my Turris Mox router.
Hi
Since webx.example must have a fixed address, I would see the solution in using the stateful firewall. There is a lot of documentation about the firewall, and there should be no problem finding a specific solution. My English is not good, but I think the reason is to read about DNAT and redirect the source IP (web.example) to the internal address and port.
EDIT: DNAT can’t do source IP. Solution: POSTROUTING SNAT.
The iptables rules are unlimited. Advanced setup is not easy. It will have to allow redirection to the internal site and then rewrite the addresses to the right ports (“SNAT”); also, I think, some rule for outgoing traffic (“DNAT”). Everything can be controlled using the tcpdump filter. Details and exact solutions, sorry, but it’s been more like 12 years since I did this.
This looks like the correct approach; I have a similar setup:
What needs to be done: in DNS (on Cloudflare) create an A record for your domain pointing to your router’s external address, and add CNAME records for all your webX.example.com names.
In your firewall, forward port 80 from WAN to your local server running apache2.
Now in the Apache configuration, similar to your posted example, remove the Location tags and comment out ServerAlias.
You have to create a VirtualHost for each of your webservers; in your example you will have 5 VirtualHost sections in the same file.
You need to create a link to your file in /etc/apache2/sites-enabled (Apache does not look in the sites-available folder).
Side note: you are using port 80 HTTP, which is quite insecure. Better to get SSL certificates for your domain and run everything over HTTPS (port 443).
You can install Let’s Encrypt, which will create free certificates for your domains, allowing you to use HTTPS and disable plain-text communication.
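The setup described in this reply, as an added example that is not code from the thread or from the Turris project: a script that generates one name-based VirtualHost file per public hostname (all listening on port 80, each proxying to its own internal host:port), links them into sites-enabled with a2ensite and runs a config test. The hostnames and backend addresses in `BACKENDS` are constructed for illustration; `install` is a guard argument chosen here, and a2ensite/a2enmod/apache2ctl are the standard Debian-family Apache tools.

```shell
#!/bin/sh
# Added example (not from the thread): generate one Apache VirtualHost per
# backend web UI and enable it. Hostnames, ports and paths are assumptions.
set -eu

# Constructed backend map: "public hostname  internal address:port".
BACKENDS='
web1.example.com 192.168.1.180:32400
web2.example.com 192.168.1.180:8080
web3.example.com 192.168.1.50:9000
'

# Print one VirtualHost block for a hostname and its backend.
# The trailing slash on both the path and the backend URL matters: without it
# Apache concatenates the request path onto "host:port" and then tries to
# resolve something like "192.168.1.180:32400web" as a hostname.
gen_vhost() {
    host=$1; backend=$2
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    ProxyPreserveHost On
    # Never act as an open forward proxy; only the ProxyPass targets below.
    ProxyRequests Off
    ProxyPass        / http://$backend/
    ProxyPassReverse / http://$backend/
    ErrorLog \${APACHE_LOG_DIR}/$host-error.log
    CustomLog \${APACHE_LOG_DIR}/$host-access.log combined
</VirtualHost>
EOF
}

# Write every vhost into the given directory and print each file written.
write_vhosts() {
    outdir=$1
    mkdir -p "$outdir"
    printf '%s\n' "$BACKENDS" | while read -r host backend; do
        [ -n "$host" ] || continue
        gen_vhost "$host" "$backend" > "$outdir/$host.conf"
        echo "$outdir/$host.conf"
    done
}

# Only touch the real Apache tree when invoked as: sh thisscript.sh install
if [ "${1:-}" = install ]; then
    a2enmod proxy proxy_http
    write_vhosts /etc/apache2/sites-available | while read -r f; do
        a2ensite "$(basename "$f" .conf)"   # creates the sites-enabled symlink
    done
    apache2ctl configtest && systemctl reload apache2
fi
```

Run without arguments the script only defines the functions; `install` writes the files and reloads Apache. `ProxyRequests Off` is Apache's default, but stating it explicitly guards against a later `mod_proxy` snippet turning the host into an open forward proxy reachable from the internet.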
Would you use Cloudflare’s proxy for SSL? I’m assuming it’d be best to just generate the SSL certificates myself like you suggested, but I do not know the specific parameter that apache2 uses to grab the generated certificates. I’m now following your suggestion as I type this, though.
EDIT: It seems to be working, however I receive a proxy error:
```
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request
Reason: DNS lookup failure for: 192.168.1.180:32400web
```
```apache
#ProxyPass / http://localhost:8080/
ProxyPreserveHost On
# Neither target URL ends in "/", so Apache appends the request path straight
# onto ":32400", which is where the "32400web" host in the error comes from.
ProxyPass / http://192.168.1.180:32400
ProxyPassReverse / http://192.168.1.180:32400
# Uncomment the line below if your site uses SSL.
# SSLProxyEngine On
```
I use certbot (https://certbot.eff.org/); it generates certificates and updates the apache2 configuration automatically. You will also need to forward both ports 80 and 443 to be able to pass domain name validation. Certificates will be stored on your webserver and will need to be renewed periodically; this can also be automated by cron and the correct certbot command.
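The certbot procedure in this reply, as an added example that is not code from the thread: request certificates for the proxied hostnames with certbot's Apache plugin, install a deploy hook that reloads Apache after each renewal, and schedule `certbot renew`. The domain list and contact address are constructed; `issue` is a guard argument chosen here. It assumes the router already forwards ports 80 and 443 to this host, since the HTTP-01 challenge is answered on port 80.

```shell
#!/bin/sh
# Added example (not from the thread): issue and auto-renew Let's Encrypt
# certificates for the Apache reverse proxy. Domains and e-mail are assumptions.
set -eu

DOMAINS="web1.example.com web2.example.com web3.example.com"   # constructed
EMAIL="hostmaster@example.com"                                  # constructed
# certbot runs every executable in this directory after a successful renewal.
HOOK=/etc/letsencrypt/renewal-hooks/deploy/reload-apache.sh

# Turn "a b c" into the repeated "-d a -d b -d c" arguments certbot expects.
domain_args() {
    for h in $1; do printf -- '-d %s ' "$h"; done
}

# Body of the deploy hook. certbot exports RENEWED_DOMAINS to its hooks, so
# the hook can log which names were renewed before reloading Apache.
hook_script() {
    cat <<'EOF'
#!/bin/sh
logger -t certbot-deploy "renewed: ${RENEWED_DOMAINS:-unknown}; reloading apache2"
systemctl reload apache2
EOF
}

if [ "${1:-}" = issue ]; then
    # --apache: answer the challenge through the running Apache and add the
    # SSL vhosts; --redirect: send plain HTTP to HTTPS so port 80 carries no
    # application traffic after issuance.
    # shellcheck disable=SC2046
    certbot --apache --non-interactive --agree-tos -m "$EMAIL" --redirect \
        $(domain_args "$DOMAINS")
    hook_script > "$HOOK"
    chmod 755 "$HOOK"
    # Exercise the whole renewal path against the staging environment.
    certbot renew --dry-run
    # Daily attempt; certbot only renews certificates that are near expiry.
    echo '17 3 * * * root certbot renew --quiet' > /etc/cron.d/certbot-renew
fi
```

Check `systemctl list-timers` before adding the cron line: the Debian and Ubuntu certbot packages already ship a `certbot.timer` unit and `/etc/cron.d/certbot`, in which case the extra entry is redundant. Port 80 must stay forwarded after issuance, because renewals repeat the same HTTP-01 validation.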