Geekzone: technology news, blogs, forums


frozenist
6 posts, Wannabe Geek
#279862 13-Nov-2020 10:14

Hi everyone, long time reader, first time poster...

I am running an HTPC built on Docker behind my Orcon fibre router with a reverse proxy. I can access the sites just fine from the internet (see jelly.taft.house) and the reverse proxy + SSL encryption works perfectly. However, from my LAN the router is directing me straight to my local resource, so it misses the reverse proxy and Chrome blocks access to the site due to an invalid cert.

Does anyone know the setting in the router to send LAN traffic out of the network to hit a DNS before coming back so the connection is properly encrypted? Thanks, and feel free to move this to another thread if it belongs in a better home.


guyl
108 posts, Master Geek, ID Verified
#2603239 13-Nov-2020 11:22

So somehow your router knows about the local site IP... Any idea how?

If you ping the name from your local PC, I assume it returns a local IP (like 192.168.x.x).

If your router's domain is set to taft.house, and the RP's name is jelly (and it's using the router as its DNS), then that would be the way that it is resolving it.

Can you change the name or the RP? That may resolve it.

Or, you could manually change the DNS on your PC to use a different DNS server (like Google's 8.8.8.8).



mdf
3075 posts, Uber Geek, Trusted, Subscriber
#2603242 13-Nov-2020 11:29

You need to turn on hairpin NAT (or NAT loopback). Not all routers support this though and no idea about Orcon routers.


deadlyllama
1153 posts, Uber Geek, Trusted
#2603244 13-Nov-2020 11:34

I would expect that either

  1. the router would do hairpin NAT -- and jelly.house.taft would resolve to the router's public address, and connections from within your LAN to that would be NATted to the internal host - the internal host would see a source IP of one of the router's addresses.
  2. the router wouldn't do hairpin NAT -- and jelly.house.taft would resolve to the router's public address, and connections to that from within your LAN would:
     1. fail
     2. or, if you were especially unlucky, be answered by the router's internal webserver.

What you're describing sounds more like 2.2 above - the router's webserver responding, which of course won't have a certificate for jelly.house.taft. If you're lucky you can change the router's web admin port and it supports hairpin NAT. If you're unlucky, it doesn't support hairpin NAT. The Orcon router I had 6 years ago didn't support hairpin NAT.




frozenist
6 posts, Wannabe Geek
#2603297 13-Nov-2020 11:52

Thanks, I remember seeing an option for Enable LAN Loopback inside the NAT - Virtual Server page. I'll try that tonight and see what happens.

From the HTPC host, if I ping jelly.taft.house it looks to just hit the router rather than go out to my external DNS (8.8.8.8).

I'm sure posting the IP address online is totally safe....

 



nztim
2331 posts, Uber Geek, ID Verified, Trusted, TEAMnetwork, Subscriber
#2603531 13-Nov-2020 20:18

Hairpin NAT rules are a pain; on a SonicWall you have to define in/out X0 in the NAT rule, and it's a completely separate one from your external NAT rule. Also, if your IP is not static, you will need to update the NAT rule each time it changes.

Even better: only open HTTPS with IP locking to the likes of a cloud reverse proxy (Cloudflare, for example). This will protect your site from potential hackers.

 

 

 

 





Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


frozenist
6 posts, Wannabe Geek
#2604613 16-Nov-2020 11:32

Thanks everyone for the help, there is a Loopback LAN setting in the virtual servers under NAT that fixed the issue.

I agree, the security of this is making my skin crawl. I'm running behind a Cloudflare proxy but still relying on HTTP authentication within each application. I think I'll see about spinning up OAuth so it's harder to break into.

 

 

 

 


michaelmurfy (/dev/ttys0)
11021 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber
#2604618 16-Nov-2020 11:38

Have a look at Cloudflare Access: https://www.cloudflare.com/teams/access/

This will allow you to use Google Auth, as an example, for your apps you need additional security on. You can set rules based on URL.





Michael Murphy | https://murfy.nz | https://keybase.io/michaelmurfy - Referral Links: Sharesies | Electric Kiwi
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation.




nzkc
1063 posts, Uber Geek
#2604641 16-Nov-2020 12:04

frozenist:

I think I'll see about spinning up OAuth so it's harder to break into.

I use this https://github.com/oauth2-proxy/oauth2-proxy as it's pretty trivial to set up. Run it as a Docker container from https://quay.io/repository/oauth2-proxy/oauth2-proxy. It's behind an nginx proxy that is doing the SSL termination.

However, michaelmurphy's Cloudflare suggestion is good too. I wasn't aware they offered this, so I might look into it.


frozenist
6 posts, Wannabe Geek
#2605479 17-Nov-2020 14:05

Thanks for the help, I set up Cloudflare Access in about an hour and I now have Google Auth running between my servers and the internet. I think there's a firewall rule to only allow connections from the Cloudflare IPs to really lock things down, then I should be all set.


michaelmurfy (/dev/ttys0)
11021 posts, Uber Geek, Moderator, ID Verified, Trusted, Lifetime subscriber
#2605546 17-Nov-2020 14:53

@frozenist Another little tip - to lock things down further:

1) Origin Certificates: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates
2) Authenticated Origin Pulls: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

Also ensure that TLS 1.0 / 1.1 are disabled (set TLS 1.2 + 1.3 only) as well as add HSTS with a long expiry (I use 12mo + preload) - if you enable preload then submit to https://hstspreload.org/ also. This means all supported clients use HTTPS only.







nztim
2331 posts, Uber Geek, ID Verified, Trusted, TEAMnetwork, Subscriber
#2605568 17-Nov-2020 15:38

frozenist:

Thanks for the help, I set up Cloudflare Access in about an hour and I now have Google Auth running between my servers and the internet. I think there's a firewall rule to only allow connections from the Cloudflare IPs to really lock things down, then I should be all set.

Do you have a Netcomm?

 

 







frozenist
6 posts, Wannabe Geek
#2605854 18-Nov-2020 09:33

nztim:

Do you have a Netcomm?

Yep, a Netcomm NF4V (or something similar).


frozenist
6 posts, Wannabe Geek
#2605856 18-Nov-2020 09:35

michaelmurfy:

@frozenist Another little tip - to lock things down further:

1) Origin Certificates: https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates
2) Authenticated Origin Pulls: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

Also ensure that TLS 1.0 / 1.1 are disabled (set TLS 1.2 + 1.3 only) as well as add HSTS with a long expiry (I use 12mo + preload) - if you enable preload then submit to https://hstspreload.org/ also. This means all supported clients use HTTPS only.

Thanks, I'm new to Cloudflare, so I'll see what I can also set up. I have a reverse proxy using Let's Encrypt on my server, so it would be interesting to see how these all work together.

 

 


nztim
2331 posts, Uber Geek, ID Verified, Trusted, TEAMnetwork, Subscriber
#2605860 18-Nov-2020 09:47

frozenist:

nztim:

Do you have a Netcomm?

Yep, a Netcomm NF4V (or something similar).

Back up your config first.

Advanced Setup > Security > Firewall

Add firewall, Interface Eth4.1, type in Action Drop.

Then add rules to allow Cloudflare in on HTTPS.

Cloudflare subnets here:

https://www.cloudflare.com/ips/

 

 

 

 





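As an added example (not code from the thread, from Cloudflare or from Netcomm), the policy nztim describes above and frozenist asked about earlier, modelled in Python: default drop on the WAN interface, then allow TCP/443 only from the reverse proxy's source ranges, first match wins, with the same policy rendered as iptables lines as an analogue of the router UI steps. The interface name, the Packet helper and the PROXY_RANGES values (TEST-NET documentation blocks, constructed here) are assumptions; the real ranges come from https://www.cloudflare.com/ips/.

```python
"""Default-drop WAN firewall with an HTTPS allowlist for the reverse proxy.

Added example: models the router rule set from the thread (drop everything on
the WAN interface, then allow HTTPS only from the cloud proxy's ranges).
PROXY_RANGES are constructed TEST-NET placeholders, not Cloudflare's list;
load the current list from https://www.cloudflare.com/ips/ before use.
"""
import ipaddress
from dataclasses import dataclass

# Constructed placeholders (RFC 5737 / RFC 3849 documentation blocks).
PROXY_RANGES = [ipaddress.ip_network(n) for n in
                ("198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]
WAN_IFACE = "eth4.1"   # assumed name for the Netcomm's "Eth4.1" WAN interface
HTTPS_PORT = 443

@dataclass(frozen=True)
class Packet:
    """Minimal inbound packet description (assumed helper type)."""
    iface: str
    proto: str
    src: str
    dport: int

def is_proxy_source(src: str) -> bool:
    """True if src falls inside one of the allowed proxy ranges (v4 or v6)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PROXY_RANGES)   # cross-family -> False

def decide(pkt: Packet) -> str:
    """First-match policy for an inbound packet: 'ACCEPT' or 'DROP'.
    Only the WAN interface is filtered; the allow rule must sit before the
    catch-all drop, otherwise the proxy is locked out as well."""
    if pkt.iface != WAN_IFACE:
        return "ACCEPT"           # LAN-side traffic is out of scope here
    if pkt.proto == "tcp" and pkt.dport == HTTPS_PORT and is_proxy_source(pkt.src):
        return "ACCEPT"
    return "DROP"                 # everything else arriving from the internet

def render_iptables() -> list:
    """Same policy as iptables/ip6tables lines: allows first, drop last."""
    rules = []
    for net in PROXY_RANGES:
        tool = "ip6tables" if net.version == 6 else "iptables"
        rules.append(f"{tool} -A INPUT -i {WAN_IFACE} -p tcp --dport {HTTPS_PORT} "
                     f"-s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -i {WAN_IFACE} -j DROP")
    rules.append(f"ip6tables -A INPUT -i {WAN_IFACE} -j DROP")
    return rules
```

The allowlist only stops direct-to-origin connections; requests that do come through the proxy still need the application-side authentication (Cloudflare Access, oauth2-proxy) discussed earlier in the thread.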

