Befuddled port forwarding... Off-NAS reverse proxy confusion

I've been toying with nginx (docker) on a Raspberry Pi, but when I forward 443 to the RPi on the same network, things don't go as I hoped.

Some background... Typically, 443 is forwarded to the NAS (443>443) and the NAS internal reverse proxy works as expected. But when I edited the router 443 forwarding to the RPi IP, I get no connection. BTW, I'm using a Synology DDNS domain.

When I enter:


The URL automagically changes to:

https://123.secret.synology.me:9876 (where 9876 is my NAS' HTTPS port). How that port appears, I cannot imagine.

Initially I thought I had wrongly set up the RPi RP, so I changed the router's port 443 forward to the RPi to 4433>443, and then entered:

https://123.secret.synology.me:4433, and the RPi nginx loaded the page I was expecting.

For some reason, 443>443 doesn't work when pointed to the RPi IP.

I suspect some shenanigan with the Synology DDNS, since the URL is somehow picking up the NAS default HTTPS port, even though 443 (WAN) should be headed to the RPi as if the NAS did not exist.

Any thoughts here?
-- post merged: --

I tried another DDNS, and I sense now that the issue is somehow related to the Synology DDNS cert I imported. Using a separate DDNS, I was able to reach the RPi nginx with 443>443 forwarding. I don't understand why the Synology DDNS would not connect with the RPi. So I'll move onto a private domain.
 
somehow related to the Synology DDNS cert
Hmm, not sure why it would do that. DDNS is just to land your request to the correct destination (router in this case) and from there it's all about port forward.

Interesting that it "works" with a different ddns. I also use a custom domain name, but still use ddns from syno to get outside request to my router, so this problem in your case is a bit odd to say the least. Tbh, I do work with my custom domain and a valid custom cert, not a ddns cert, but again, not sure why that would have anything to do with traffic redirection.
 
Have you tried https://123.secret.synology.me:443 ? Explicitly adding the ':443'. Try another browser to be sure that it's not auto-completing from history. Reboot the router.

Other than that, what you're seeing makes no sense. I use wildcard Synology.me DDNS certificates that I create and load up the SAN with extra subdomains of my personal domains. True that I haven't tried pointing 443 to a non-Synology device but why would a router's port forwarding force 443 to go back to a device that could possibly no longer exist?
 
Have you tried https://123.secret.synology.me:443 ? Explicitly adding the ':443'. Try another browser to be sure that it's not auto-completing from history.
Yes. I tried those. I even changed the subdomain to ensure cache was not an issue. Later today, I will delete the Synology DDNS cert from nginx to see if that has an effect.
Hmm, not sure why it would do that. DDNS is just to land your request to the correct destination (router in this case) and from there it's all about port forward.
I'm equally confused.
I can only think you've got UPnP enabled and the NAS is overwriting it?
UPnP is disabled on the router (I just rechecked it to be certain).

It's odd that HTTPS port appears. Coincidentally, the default HTTPS port is forwarded to the NAS, so I may delete that to see the effect.
 
First, try to flush DNS on your computer.
Q: is there Pihole attached somewhere? Include resolver?

Check NAT in your router:
Bash:
iptables -t nat -L -n -v

For the strange 443 port forwarding behavior check tcpdump in router:
Bash:
tcpdump -n port 443 and src <your comp IP>
 
I think this is attributable to noobie error... That danged Cloudflare "proxied" setting seems to be the culprit. Discovered accidentally watching dbtech's video on OMV/nginx. #fingerscrossed

I'll post back if I get singed setting up other proxies.
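
A client-side complement to the router checks suggested in the thread, as an added example that is not part of any post: it reports which address answered on 443 and whether the response was a redirect to another port, either through normal DNS or pinned to the WAN IP. The function names, `nas.example.test` and the sample headers are constructed, and `curl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Hostname and sample headers are constructed.

# Read raw HTTP response headers on stdin; print "STATUS LOCATION" ("-" if no Location).
redirect_of() {
  tr -d '\r' | awk '
    NR == 1                    { status = $2 }
    tolower($1) == "location:" { loc = $2 }
    END { print status, (loc == "" ? "-" : loc) }'
}

# Print the port an absolute http(s) URL points at, or "-" for anything else.
port_of_url() {
  case $1 in
    http://*)  default=80 ;;
    https://*) default=443 ;;
    *) echo "-"; return 0 ;;
  esac
  authority=${1#*://}
  authority=${authority%%/*}
  case $authority in
    *:*) echo "${authority##*:}" ;;
    *)   echo "$default" ;;
  esac
}

# Live check (needs curl and network): probe HOST [WAN_IP]
# With WAN_IP, --resolve pins the name to that address so public DNS is bypassed.
# -k skips certificate validation: this checks reachability, not trust.
probe() {
  host=$1
  if [ -n "${2:-}" ]; then set -- --resolve "$host:443:$2"; else set --; fi
  out=$(curl -skI --max-time 5 "$@" -w 'peer %{remote_ip}\n' "https://$host/") || return 1
  peer=$(printf '%s\n' "$out" | awk '$1 == "peer" { print $2 }')
  line=$(printf '%s\n' "$out" | redirect_of)
  echo "peer=$peer status=${line%% *} location=${line#* } port=$(port_of_url "${line#* }")"
}

# Constructed sample: a 301 that sends the client to port 9876.
sample_headers() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://nas.example.test:9876/\r\n\r\n'
}

result=$(sample_headers | redirect_of)
echo "$result -> port $(port_of_url "${result#* }")"
```

Run `probe 123.secret.synology.me` and then `probe 123.secret.synology.me <WAN IP>`; if the first `peer=` value is not the WAN IP, the name is not resolving to the router.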
 