NGINX only for forwarding to LAN


adrian.hilt
Hi all,

First of all, a "hello" to everyone. I am new here :-)

I want to set up NGINX on my firewall/router (IPFire). But only as reverse
proxy. There are no websites running on the IPFire.

The IP-Fire has a fixed IP on the WAN interface and can be reached from the
Internet.

[IPFire]
WAN: 10.20.30.40
LAN: 192.168.xx.254

Behind the firewall, i.e. in the LAN, there are several web servers each
running on the same port (80) but on different physical servers:

[Server1]
LAN: 192.168.xx.5

[Server2]
LAN: 192.168.xx.6

Furthermore I have an external, official domain (mydomain.de). On the
external root server I have created two subdomains which I redirect to the
IPFire's fixed IP:

gw.mydomain.com -> http://10.20.30.40
cloud.mydomain.com -> http://10.20.30.40

NGINX on the IPFire should now forward all requests directed to
gw.mydomain.de to the server 192.168.xx.5 (and back)

and requests addressed to cloud.mydomain.com to LAN: 192.168.xx.6

As far as I know the header has to be rewritten so that the remote client
thinks it is communicating with xxxx.mydomain.de and not with 192.168.xx.y.

I tried for hours yesterday to get this with examples from the internet but
nothing worked.

Does this work at all? Can anyone help me?

best regards
pixel24

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286443,286443#msg-286443

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: NGINX only for forwarding to LAN

Francis Daly
On Wed, Dec 11, 2019 at 07:42:26AM -0500, pixel24 wrote:

Hi there,

> NGINX on the IPFire should now forward all requests directed to
> gw.mydomain.de to the server 192.168.xx.5 (and back)
>
> and requests addressed to cloud.mydomain.com to LAN: 192.168.xx.6

Typed, rather than tested and copy-pasted, but the following looks like
it should work for the simple case:

  server {
    server_name gw.mydomain.com;
    location / {
      proxy_pass http://192.168.xx.5;
    }
  }
  server {
    server_name cloud.mydomain.com;
    location / {
      proxy_pass http://192.168.xx.6;
    }
  }

Depending on what the "upstream" (LAN) web servers do, you might need
some more directives there too.

If you can report a specific problem -- such as "when I do 'curl -i
http://gw.mydomain.com/dir', I get a 301 to http://192.168.xx.5/dir/
but I want a 301 to http://gw.mydomain.com/dir/", then someone may be
able to offer an improvement.

Good luck with it,

        f
--
Francis Daly        [hidden email]

Re: NGINX only for forwarding to LAN

adrian.hilt
Based on the default file, combined with your section, the file now looks
like this:

worker_processes  1;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        server_name gw.mydomain.com;
        location / {
                proxy_pass http://192.168.XX.5;
        }
    }

    server {
        server_name cloud.mydomain.com;
        location / {
                proxy_pass http://192.168.XX.6;
        }
    }
}


(domain name and IP changed).

However, NGINX does not start:

[root@ipfire nginx]# /etc/init.d/nginx restart
Stopping nginx Server...                                   [  OK  ]
Starting nginx Server...
nginx: [emerg] could not build server_names_hash, you should increase
server_names_hash_bucket_size: 32

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286443,286454#msg-286454


Re: NGINX only for forwarding to LAN

adrian.hilt
The line:

server_names_hash_bucket_size 64;

in the http section fixes the start problem, but when I try from outside to
browse to:

gw.mydomain.com

the web browser Firefox shows me the status:

connect to: http://192.168.XX.5

That can't work, can it? This address is not available on the internet.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286443,286456#msg-286456


Re: NGINX only for forwarding to LAN

Francis Daly
On Thu, Dec 12, 2019 at 11:22:10AM -0500, pixel24 wrote:

Hi there,

> the web browser Firefox shows me the status:
>
> connect to: http://192.168.XX.5
>
> That can't work, can it? This address is not available on the internet.

Quoting my previous message:

"""
If you can report a specific problem -- such as "when I do 'curl -i
http://gw.mydomain.com/dir', I get a 301 to http://192.168.xx.5/dir/
but I want a 301 to http://gw.mydomain.com/dir/", then someone may be
able to offer an improvement.
"""

Can you show the very specific request that you make, response that you
get, and response that you want instead?

Does your web service on http://192.168.XX.5 "just" serve files from
the filesystem, or does it try to do clever things with hostnames?

Depending on what else is happening, perhaps something like (again,
typed and untested):

  upstream gw.mydomain.com {
    server 192.168.XX.5;
  }
  upstream cloud.mydomain.com {
    server 192.168.XX.6;
  }
  server {
    server_name gw.mydomain.com;
    location / {
      proxy_pass http://gw.mydomain.com;
    }
  }
  server {
    server_name cloud.mydomain.com;
    location / {
      proxy_pass http://cloud.mydomain.com;
    }
  }

will get closer to what you want.

That is - using the hostname in proxy_pass means that the matching Host:
header will be sent to the upstream server; so if that server uses the
incoming name in a redirection, perhaps the right url will get back to
the client.

I think that it should not be necessary, because nginx's proxy_redirect
should have already handled it. But apparently it did not, in this case.

Cheers,

        f
--
Francis Daly        [hidden email]

Re: NGINX only for forwarding to LAN

adrian.hilt
My mistake! On IPFire (running NGINX) port 80 was closed. Now I'm a little
closer. With:


worker_processes  1;
events {
    worker_connections  1024;
}

http {
    server_names_hash_bucket_size 64;
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        server_name gw.mydomain.com;
        location / {
                proxy_pass http://192.168.24.109;
        }
    }
}

I can connect from the outside to the web server :-) What surprises me
however is that in the address line of Firefox my external WAN-IP of the
firewall is located afterwards. Is this normal and OK?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286443,286463#msg-286463


Re: NGINX only for forwarding to LAN

adrian.hilt
problem. I am not allowed to redirect the subdomain on the webserver:

gw.mydomain.com --> WAN-IP from IPFire

but must set an A record in the DNS.

gw A [WAN-IP from IPFire]

Now it works unencrypted. I will now get to the setup of LetsEncrypt. But
for this I will open a new thread.

many thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286443,286465#msg-286465


Re: NGINX only for forwarding to LAN

Francis Daly
On Thu, Dec 12, 2019 at 01:12:52PM -0500, pixel24 wrote:

Hi there,

>     server {
>         server_name gw.mydomain.com;
>         location / {
>                 proxy_pass http://192.168.24.109;
>         }
>     }

> I can connect from the outside to the web server :-) What surprises me
> however is that in the address line of Firefox my external WAN-IP of the
> firewall is located afterwards. Is this normal and OK?

That indicates that something is wrong somewhere.

It will "work" fine when you are reverse-proxying for just one server
name; but things will break when you try to add the "cloud" name as well.

So you should find which part of your config (nginx, or the internal
"gw" server) is writing that WAN IP address, and make it stop.

        f
--
Francis Daly        [hidden email]
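
The replies above turn on which Host name reaches the LAN server and on what happens to a request that arrives under neither configured name. A fuller version of the two-server configuration follows, as an added example that is not part of the thread or of any poster's setup; the catch-all server block and the X-Forwarded-For header are assumptions of the example.

```nginx
# Added example, not from the thread. Goes inside the http { } block.
# 192.168.xx.5 / 192.168.xx.6 are the thread's masked addresses: substitute
# the real LAN addresses before running "nginx -t".
server_names_hash_bucket_size 64;

# Catch-all (an assumption of this example): a request whose Host header
# matches no server_name, e.g. one sent to the bare WAN IP, ends here.
# Without it, nginx hands such requests to the first server block defined
# for the port, which would proxy them to a LAN server.
server {
    listen 80 default_server;
    server_name _;
    return 444;    # nginx-specific code: close the connection, send nothing
}

server {
    listen 80;
    server_name gw.mydomain.com;
    location / {
        proxy_pass http://192.168.xx.5;
        # Pass the name the client asked for, so redirects and absolute
        # URLs built by the LAN server use it instead of the LAN address.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Rewrite a Location header that still carries the LAN address.
        proxy_redirect http://192.168.xx.5/ /;
    }
}

server {
    listen 80;
    server_name cloud.mydomain.com;
    location / {
        proxy_pass http://192.168.xx.6;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect http://192.168.xx.6/ /;
    }
}
```

To check it in the form Francis asks for, run 'curl -i http://gw.mydomain.com/dir' from outside and confirm that any Location header names gw.mydomain.com; a request to the bare WAN IP should be closed without a response.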