Geekzone: technology news, blogs, forums
Running a reverse proxy behind an Orcon router
frozenist

1 post

Wannabe Geek


#279862 13-Nov-2020 10:14

Hi everyone, long-time reader, first-time poster...

I am running an HTPC built on Docker behind my Orcon fibre router with a reverse proxy. I can access the sites just fine from the internet (see jelly.taft.house) and the reverse proxy + SSL encryption works perfectly. However, from my LAN the router is directing me straight to my local resource, so it misses the reverse proxy and Chrome blocks access to the site due to an invalid cert.

Does anyone know the setting in the router to send LAN traffic out of the network to hit a DNS before coming back so the connection is properly encrypted? Thanks and feel free to move this to another thread if it belongs in a better home. 

guyl
89 posts

Master Geek

Subscriber

  #2603239 13-Nov-2020 11:22

So somehow your router knows about the local site IP... Any idea how?

If you ping the name from your local PC, I assume it returns a local IP (like 192.168.x.x).

If your router's domain is set to taft.house, and the RP's name is jelly (and it's using the router as its DNS), then that would be the way that it is resolving it.

Can you change the name or the RP? That may resolve it.

Or, you could manually change the DNS on your PC to use a different DNS server (like Google's 8.8.8.8).

mdf
2689 posts

Uber Geek

Trusted
Subscriber

  #2603242 13-Nov-2020 11:29

You need to turn on hairpin NAT (or NAT loopback). Not all routers support this though and no idea about Orcon routers.

deadlyllama
1025 posts

Uber Geek


  #2603244 13-Nov-2020 11:34

I would expect that either

  1. the router would do hairpin NAT -- and jelly.house.taft would resolve to the router's public address, and connections from within your LAN to that would be NATted to the internal host - the internal host would see a source IP of one of the router's addresses.
  2. the router wouldn't do hairpin NAT -- and jelly.house.taft would resolve to the router's public address, and connections to that from within your LAN would:
    1. fail
    2. or if you were especially unlucky, be answered by the router's internal webserver.

What you're describing sounds more like 2.2 above - the router's webserver responding, which of course won't have a certificate for jelly.house.taft. If you're lucky you can change the router's web admin port and it supports hairpin NAT. If you're unlucky, it doesn't support hairpin NAT. The Orcon router I had 6 years ago didn't support hairpin NAT.
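
Added example, not part of any post in this thread: a small check to run from a LAN client that tells apart the cases discussed above (local DNS answer, working hairpin NAT, failed connection, or another web server answering on the public address). The result labels and function names are made up for this sketch, and treating only RFC 1918 and IPv6 unique-local ranges as "LAN" is an assumption.

```python
import ipaddress
import socket
import ssl

# Assumption: "LAN" means RFC 1918 or IPv6 unique-local address space.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_lan(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    return any(ip.version == net.version and ip in net for net in LAN_NETS)

def resolve(hostname):
    """Addresses the local resolver hands back for hostname."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def probe_tls(hostname, port=443, timeout=5):
    """TLS handshake with normal certificate and hostname verification."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return "valid"
    except ssl.SSLCertVerificationError:
        return "invalid-cert"      # what the browser reports as a bad cert
    except OSError:
        return "unreachable"       # refused, timed out, or handshake broke

def classify(addresses, tls_result):
    """Map a LAN client's observations onto the cases from the thread."""
    if any(is_lan(a) for a in addresses):
        # The resolver answered with a LAN address (local DNS / router domain).
        return "lan-dns-ok" if tls_result == "valid" else "lan-dns-bypass"
    return {
        "valid": "hairpin-ok",                     # case 1: NAT loopback works
        "unreachable": "no-hairpin-fail",          # case 2.1
        "invalid-cert": "no-hairpin-other-server", # case 2.2: e.g. router web UI
    }[tls_result]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        host = sys.argv[1]
        print(classify(resolve(host), probe_tls(host)))
    else:
        print("usage: lan_check.py HOSTNAME")
```

Running it once with the router as DNS server and once after pointing the PC at an external resolver shows whether the local DNS answer or the missing NAT loopback is responsible.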

